<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=iso-2022-jp" http-equiv=Content-Type>
<STYLE style="DISPLAY: none" type=text/css><!-- P {margin-top:0;margin-bottom:0;} --></STYLE>
<META name=GENERATOR content="MSHTML 11.00.9600.18666"></HEAD>
<BODY dir=ltr>
<DIV dir=ltr align=left><SPAN class=725174512-13062017><FONT color=#0000ff
size=2 face=Arial>First, it very handy to know your os and samba and squid
versions used. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=725174512-13062017></SPAN><SPAN
class=725174512-13062017><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=725174512-13062017><FONT color=#0000ff
size=2 face=Arial>Second, </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=725174512-13062017><FONT color=#0000ff
size=2 face=Arial>Squid/radius etc anything that uses NTLMv1 with samba stopped
working after 4.5.0 </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=725174512-13062017><SPAN lang=N><SPAN
class=725174512-13062017><SPAN lang=N><FONT color=#0000ff size=2 face=Arial>I
think your main problem can be explained by this extract from the release notes
for 4.5.0:</FONT></SPAN></SPAN></SPAN></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=725174512-13062017><SPAN lang=N><SPAN
class=725174512-13062017><SPAN lang=N><FONT color=#0000ff size=2
face=Arial></FONT> </DIV>
<DIV dir=ltr align=left>
<P><FONT color=#0000ff size=2 face=Arial>NTLMv1 authentication disabled by
default</FONT></P>
<P><FONT color=#0000ff size=2
face=Arial>-----------------------------------------</FONT></P>
<P><FONT color=#0000ff size=2 face=Arial> </FONT></P>
<P><FONT color=#0000ff size=2 face=Arial>In order to improve security we have
changed the default value for the "ntlm auth" option from "yes" to
"no". <BR><SPAN class=725174512-13062017>T</SPAN>his may have impact on
very old clients which doesn't support NTLMv2 yet.</FONT></P>
<P><FONT color=#0000ff size=2 face=Arial> </FONT></P>
<P><FONT color=#0000ff size=2 face=Arial>The primary user of NTLMv1 is MSCHAPv2
for VPNs and 802.1x.</FONT></P>
<P><FONT color=#0000ff size=2 face=Arial> </FONT></P>
<P><FONT color=#0000ff size=2 face=Arial>By default, Samba will only allow
NTLMv2 via NTLMSSP now, <BR>as we have the following default "lanman auth = no",
"ntlm auth = no" and "raw NTLMv2 auth = no".</FONT></P>
<P><FONT color=#0000ff size=2 face=Arial><SPAN
class=725174512-13062017></SPAN></FONT><FONT color=#0000ff size=2
face=Arial><SPAN class=725174512-13062017></SPAN></FONT> </P>
<P><FONT color=#0000ff size=2 face=Arial><SPAN
class=725174512-13062017></SPAN></FONT> </P>
<P><SPAN class=725174512-13062017><FONT color=#0000ff size=2 face=Arial>Greetz,
</FONT></SPAN></P>
<P><SPAN class=725174512-13062017><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </P>
<P><SPAN class=725174512-13062017><FONT color=#0000ff size=2
face=Arial>Louis</FONT></SPAN></P>
<P><SPAN class=725174512-13062017><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </P></SPAN></SPAN>
<P><FONT color=#0000ff size=2 face=Arial></FONT> </P></SPAN></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=725174512-13062017><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"
dir=ltr>
<DIV lang=nl class=OutlookMessageHeader dir=ltr align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>Van:</B> squid-users
[mailto:squid-users-bounces@lists.squid-cache.org] <B>Namens </B>Kevin
M???hlparzer<BR><B>Verzonden:</B> dinsdag 13 juni 2017 14:00<BR><B>Aan:</B>
squid-users@lists.squid-cache.org<BR><B>Onderwerp:</B> [squid-users] Negotiate
Kerberos Auth - BH Invalid request<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV id=divtagdefaultwrapper
style="FONT-SIZE: 12pt; FONT-FAMILY: Calibri,Arial,Helvetica,sans-serif; COLOR: #000000"
dir=ltr>
<P>Hello list,</P>
<P><BR></P>
<P>I asked about a problem with NTLM-Authentication before. (<SPAN>BH SPNEGO
request invalid prefix</SPAN>; thats the error of the helper protocol
"<SPAN>helper-protocol=squid-2.5-ntlmssp</SPAN>" I used with NTLM, while basic
works fine)</P>
<P>A user told me I should use <SPAN>negotiate_kerberos_auth</SPAN> instead of
<SPAN>ntlm_auth.</SPAN></P>
<P><SPAN>Now here's my new problem:</SPAN></P>
<P><SPAN><BR></SPAN></P>
<P><SPAN></SPAN></P>
<DIV>root@x-x-testproxy01:/etc/squid# /usr/lib/squid/negotiate_kerberos_auth
-d -s
HTTP/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL<BR>negotiate_kerberos_auth.cc(487):
pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Starting version
3.0.4sq<BR>negotiate_kerberos_auth.cc(546): pid=5305 :2017/06/13 13:29:41|
negotiate_kerberos_auth: INFO: Setting keytab to
FILE:/etc/squid/HTTP.keytab<BR>negotiate_kerberos_auth.cc(570): pid=5305
:2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Changed keytab to
MEMORY:negotiate_kerberos_auth_5305<BR>testuser
xxxxxxx<BR>negotiate_kerberos_auth.cc(610): pid=5305 :2017/06/13 13:29:47|
negotiate_kerberos_auth: DEBUG: Got 'testuser xxxxxx' from squid (length:
18).<BR>negotiate_kerberos_auth.cc(647): pid=5305 :2017/06/13 13:29:47|
negotiate_kerberos_auth: ERROR: Invalid request [testuser xxxxxxx]<BR>BH
Invalid request</DIV>So my configuration has mistakes, but I can't find them.
I don't really know where to search, or what works for sure. I tried many
tutorials on krb5 and samba. Every form of testing I tried works fine except
indeed using the required kerberos authentication of my squid-proxy.<BR>
<P></P>
<P><SPAN><FONT color=#0000ff size=2 face=Arial></FONT><BR></SPAN></P>
<P><SPAN>Tests that come to my mind:</SPAN></P>
<P><SPAN>kinit a user</SPAN></P>
<P><SPAN></SPAN>Warning: Your password will expire in 36 days on Don 20 Jul
2017 13:23:54 CEST<BR></P>
<P></P>
<P><SPAN><BR></SPAN></P>
<P><SPAN><BR></SPAN></P>
<P><SPAN>klist</SPAN></P>
<P><SPAN><SPAN>Ticket cache: FILE:/tmp/krb5cc_0<BR>Default principal:
testuser@X-XXX.LOCAL<BR><BR>Valid starting
Expires
Service principal<BR>2017-06-13 13:38:37 2017-06-13 23:38:37
krbtgt/X-XXX.LOCAL@X-XXX.LOCAL<BR> renew until 2017-06-14
13:38:34</SPAN><BR></SPAN></P>
<P><SPAN><FONT color=#0000ff size=2 face=Arial></FONT><BR></SPAN></P>
<P><SPAN>klist -k on my HTTP.keytab<BR></SPAN></P>
<P><SPAN></SPAN></P>
<DIV>Keytab name: FILE:/etc/squid/HTTP.keytab<BR>KVNO Principal<BR>----
--------------------------------------------------------------------------<BR>
1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL<BR> 1
host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL<BR> 1
host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL<BR> 1
host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL<BR> 1
host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL<BR> 1
host/X-X-TESTPROXY01@X-XXX.LOCAL<BR> 1
host/X-X-TESTPROXY01@X-XXX.LOCAL<BR> 1
host/X-X-TESTPROXY01@X-XXX.LOCAL<BR> 1
host/X-X-TESTPROXY01@X-XXX.LOCAL<BR> 1
host/X-X-TESTPROXY01@X-XXX.LOCAL<BR> 1
X-X-TESTPROXY01$@X-XXX.LOCAL<BR> 1
X-X-TESTPROXY01$@X-XXX.LOCAL<BR> 1
X-X-TESTPROXY01$@X-XXX.LOCAL<BR> 1
X-X-TESTPROXY01$@X-XXX.LOCAL<BR> 1
X-X-TESTPROXY01$@X-XXX.LOCAL<BR><SPAN></SPAN><BR><SPAN></SPAN></DIV>
<P></P>
<P><SPAN>basic-auth using ntlm</SPAN></P>
<P><SPAN></SPAN></P>
<DIV>root@x-x-testproxy01:/etc/squid# /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic --username=testuser
--password=xxxxxxxx<BR>testuser xxxxxxxxxx<BR>OK<BR>testuser@x-xxx.local
xxxxxxxx<BR>OK<BR><BR>wbinfo -u<BR>administrator<BR>testuser<BR>...<BR>wbinfo
-g<BR><SPAN>allowed rodc password replication group</SPAN><BR><SPAN>enterprise
read-only domain controllers</SPAN><BR>...<BR><BR>
<DIV>wbinfo --krb5auth=testuser%xxxxxxx<BR>plaintext kerberos password
authentication for [testuser%xxxxxxx] succeeded (requesting cctype:
FILE)<BR><BR>wbinfo -t<BR><SPAN>checking the trust secret for domain X-XXX via
RPC calls succeeded<BR><BR>
<DIV>wbinfo --authenticate=testuser%xxxxxxxx<BR>plaintext password
authentication succeeded<BR>challenge/response password authentication
succeeded</DIV><BR>
<DIV>/usr/lib/squid/negotiate_kerberos_auth_test
x-x-testproxy01.x-xxx.local<BR>Token:
YIIFOgYGKwYBBQUCoIIFLjCCBSqgJzAlBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgIGBisGAQUCBaKCBP0EggT5YIIE9QYJKoZIhvcSAQICAQBuggTkMIIE4KADAgEFoQMCAQ6iBwMFAAAAAACjggP2YYID8jCCA+6gAwIBBaENGwtYLU5FVC5MT0NBTKIuMCygAwIBA6ElMCMbBEhUVFAbG3gtbC10ZXN0cHJveHkwMS54LW5ldC5sb2NhbKOCA6YwggOioAMCARKhAwIBAaKCA5QEggOQIMtincRDtWjh44pew3twk26Gm9rTC7CbkobNrzaRq/weljVl5TSbMQTFIVRQXVe4CQBWJ/Gcg472cgLA3mjOH8Z30zxQFP8fsK46wAtTEzJhonzXLImhaPtXvCVz94xaCVG7cBlNJCUmZQHsQMxFsGJZfKCkDvztiNplXEEwRgT7S6f8HQNm62xPAyz9aK8Wqfz9suW5cSBk8wdRAQNleKP1Xe/2LqZ4jfDpodPdcy9A8vh1dKu4tmbz+EJ/bKvWA+/twuXiOhhGq4W39TlOu/3zD87pXAh65ka1QsepkCWgUMHImDw8nUr8Zvi4j4vI9WhyMyLFYBya8BvAX9kLg73zl80g82bQVIAb8QU3gS2Akhpd7r1flfUbfRDUQfuS/bsaHspZoP+2c8+Bxy38OML4Gg29y6fJvRNfDaCnqmTQdiPtyqELVUS+4x7r260mM1wQKzD2Jb5pcz4wMHUK0sdw8xmMARGxB7XdyGSbo759GD6tOaTAKkNwccno6i9wyOoLqfhVRjE/K9FLCvCnzEFI07q1/dFz1Ce/ZzroW3nOwNQe3V6qqBELwuTvHgxIdGq4HEPeLqAUkVWxneXemRNbLKiOs/BIe3qkXxizgAkFLqRO5az2pVOD7/KBevxYZKeAgIuDsbIYG/u3Ic+KtCDaaM/to2b41SB8ZOFKJau3BuMPOvZ4ipiMbv0N/Svk4Tg61BIhN3CJYKA3ep/3p3wSfJlkcYeRVkDpasQnmFnjxV2YS7Q8nvmf9LIz+KIYBIT8X9yRPuV/E2lSELZlxJ8CySLFLUKgtMj97GPMlacc+UN3lJjyoExUKHpMZtUmaKrw7ueT3wnLMWgx0BBPkiAebUAedKj9u9sEscFylmI/+PdCCraMNbkOckCsggYXfJm6LxFZJhnDvw1+Z87xsJFDs5fasF6j8REiG8aHTmKHgt2M9TmIRNo/PsYrZGvuVQhkk2fuyFxwwyfs7ysNEkOmBWlFlTEjddjT9YShHfV8Fo8+M2UYY5nYiUIQq5BBfZ679ntivs7F80lKMOqhc7SOY63VwRJOwoq35+bnsIB08b9cttySiOcFsZb6uTnYvHzUFVSUha4nxrg3zW3fL9KVu4XY+lgCRZrBZMxioy6vbAOJBmpqXOJvel2gBbGN6PEd2ReeX43l1gcn+Bd3mQykmUIEzMMuRpSHda9233aWHbwEZ9H9rOdJdhgX4U+upIHQMIHNoAMCARKigcUEgcJu7kcC1zuJdhOQk+YA0Hw2G9kyg46tpaNIgj1CEgkD/KE28kaKivCTZTnHfrNOpIOJaaiYw4RMwJsbgZdRU+fz/jUwxvXdUSGon6JrU7S2XZ9CjXRXfdpXc4HjP0QW6Cql1SE95MpkcbMRH8FQvGNryBzsqIkELnvXceTGCmwlN3n60nqkoR5/41p2PtSz4hFMOVdT6AkPlNC5VTCtCZUj7YbrYVYImPnG3aAfQxXEHRy19/v0mL2845jZFA7Xw96s1A==</DIV><BR></SPAN><BR><BR></DIV>Sorry
for posting so many output...<BR>I already read many documentations, but no
one really tests in small steps, they just assume that it works for everyone
out of the box...<BR></DIV>
<P>Does anyone have a clue what could be my mistake?</P>
<P></P>
<P><SPAN>Thanks in advance.<BR></SPAN></P>
<P><SPAN><BR></SPAN></P>
<P><SPAN><BR></SPAN></P></DIV></BLOCKQUOTE></BODY></HTML>