<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<p>Hello list,</p>
<p><br>
</p>
<p>I asked about a problem with NTLM authentication before (<span>BH SPNEGO request invalid prefix</span>; that's the error from the helper protocol "<span>helper-protocol=squid-2.5-ntlmssp</span>" I used with NTLM, while basic works fine).</p>
<p>A user told me I should use <span>negotiate_kerberos_auth</span> instead of <span>
ntlm_auth.</span></p>
<p><span>Now here's my new problem:</span></p>
<p><span><br>
</span></p>
<p><span></span></p>
<div>root@x-x-testproxy01:/etc/squid# /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL<br>
negotiate_kerberos_auth.cc(487): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq<br>
negotiate_kerberos_auth.cc(546): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Setting keytab to FILE:/etc/squid/HTTP.keytab<br>
negotiate_kerberos_auth.cc(570): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_5305<br>
testuser xxxxxxx<br>
negotiate_kerberos_auth.cc(610): pid=5305 :2017/06/13 13:29:47| negotiate_kerberos_auth: DEBUG: Got 'testuser xxxxxx' from squid (length: 18).<br>
negotiate_kerberos_auth.cc(647): pid=5305 :2017/06/13 13:29:47| negotiate_kerberos_auth: ERROR: Invalid request [testuser xxxxxxx]<br>
BH Invalid request</div>
So my configuration has mistakes, but I can't find them. I don't really know where to search, or what works for sure. I tried many tutorials on krb5 and Samba. Every form of testing I tried works fine, except actually using the required Kerberos authentication of my Squid proxy.<br>
<p></p>
<p><span><br>
</span></p>
<p><span>Tests that come to my mind:</span></p>
<p><span>kinit a user</span></p>
<p><span></span>Warning: Your password will expire in 36 days on Don 20 Jul 2017 13:23:54 CEST<br>
</p>
<p></p>
<p><span><br>
</span></p>
<p><span><br>
</span></p>
<p><span>klist</span></p>
<p><span><span>Ticket cache: FILE:/tmp/krb5cc_0<br>
Default principal: testuser@X-XXX.LOCAL<br>
<br>
Valid starting       Expires              Service principal<br>
2017-06-13 13:38:37  2017-06-13 23:38:37  krbtgt/X-XXX.LOCAL@X-XXX.LOCAL<br>
    renew until 2017-06-14 13:38:34</span><br>
</span></p>
<p><span><br>
</span></p>
<p><span>klist -k on my HTTP.keytab<br>
</span></p>
<p><span></span></p>
<div>Keytab name: FILE:/etc/squid/HTTP.keytab<br>
KVNO Principal<br>
---- --------------------------------------------------------------------------<br>
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL<br>
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL<br>
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL<br>
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL<br>
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL<br>
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL<br>
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL<br>
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL<br>
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL<br>
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL<br>
   1 X-X-TESTPROXY01$@X-XXX.LOCAL<br>
   1 X-X-TESTPROXY01$@X-XXX.LOCAL<br>
   1 X-X-TESTPROXY01$@X-XXX.LOCAL<br>
   1 X-X-TESTPROXY01$@X-XXX.LOCAL<br>
   1 X-X-TESTPROXY01$@X-XXX.LOCAL<br>
<span></span><br>
<span></span></div>
<p></p>
<p><span>basic-auth using ntlm</span></p>
<p><span></span></p>
<div>root@x-x-testproxy01:/etc/squid# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --username=testuser --password=xxxxxxxx<br>
testuser xxxxxxxxxx<br>
OK<br>
testuser@x-xxx.local xxxxxxxx<br>
OK<br>
<br>
wbinfo -u<br>
administrator<br>
testuser<br>
...<br>
wbinfo -g<br>
<span>allowed rodc password replication group</span><br>
<span>enterprise read-only domain controllers</span><br>
...<br>
<br>
<div>wbinfo --krb5auth=testuser%xxxxxxx<br>
plaintext kerberos password authentication for [testuser%xxxxxxx] succeeded (requesting cctype: FILE)<br>
<br>
wbinfo -t<br>
<span>checking the trust secret for domain X-XXX via RPC calls succeeded<br>
<br>
<div>wbinfo --authenticate=testuser%xxxxxxxx<br>
plaintext password authentication succeeded<br>
challenge/response password authentication succeeded</div>
<br>
<div>/usr/lib/squid/negotiate_kerberos_auth_test x-x-testproxy01.x-xxx.local<br>
Token: [...]</div>
<br>
</span><br>
<br>
</div>
Sorry for posting so much output...<br>
I already read a lot of documentation, but no one really tests in small steps; they just assume that it works for everyone out of the box...<br>
</div>
<p>Does anyone have a clue what my mistake could be?</p>
<p></p>
<p><span>Thanks in advance.<br>
</span></p>
</div>
</body>
</html>