[squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed
Pedro Lobo
palobo at gmail.com
Thu Oct 30 15:53:36 UTC 2014
Hi Markus,
Sorry about the delay, but I had a couple of urgent fires to put out.
Anyway, I'm back to vanquishing this hellish beast that is Squid with
Kerberos.
I did a little more testing and I've concluded the following:
**Windows 8.1**
Everything seems to work just fine. In debug mode, I see Kerberos
information being thrown around in cache.log and I can surf sites just
fine. Oddly enough, I don't see any traffic on port 88 with Wireshark (I
could just be doing something stupid there).
**Windows 7**
Same as before, I simply can't surf any site that requires
authentication. If I surf to a site that I explicitly set not to require
auth, then all is fine. If however I try a site that requires it, it
simply fails and goes into a loop of requesting credentials; I enter
them, it asks again and again until it fails. I've attached the
Wireshark capture for you to look into.
I also noticed something off in cache.log. When things fail, it seems as
though no information is being sent over about the user. I see this in
the log:
negotiate_kerberos_auth.cc(315): pid=1456 :2014/10/30 12:21:47|
negotiate_kerberos_auth: DEBUG: Got 'YR
YIIHLw---<cut>---fmcqUg2C0CjXimVz8Lx5lNux7qfmaxGvLX4Mm4OgllOsTRB7Ng=='
from squid (length: 2463).
negotiate_kerberos_auth.cc(378): pid=1456 :2014/10/30 12:21:47|
negotiate_kerberos_auth: DEBUG: Decode
'YIIHLw---<cut>---fmcqUg2C0CjXimVz8Lx5lNux7qfmaxGvLX4Mm4OgllOsTRB7Ng=='
(decoded length: 1843).
negotiate_kerberos_auth.cc(200): pid=1456 :2014/10/30 12:21:47|
negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed:
Unspecified GSS failure. Minor code may provide more information.
2014/10/30 12:21:47| ERROR: Negotiate Authentication validating user.
Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS
failure. Minor code may provide more information. '
Notice that there is no username after decoding `=='` from squid...
In successful cases, I see something akin to:
negotiate_kerberos_auth.cc(315): pid=1463 :2014/10/30 12:54:44|
negotiate_kerberos_auth: DEBUG: Got 'YR
YIIGnw---<cut>---vSSEll5Cl5H2pngowpplrKoJwLbahwnoSkFOzWqFoNq9qv1IXcyi4Ym7PbMadwDq4FpUdfDA84D6eGxospx8aPmJKZ0AuQMrtw=='
from squid (length: 2271).
negotiate_kerberos_auth.cc(378): pid=1463 :2014/10/30 12:54:44|
negotiate_kerberos_auth: DEBUG: Decode
'YIIGnw---<cut>---vSSEll5Cl5H2pngowpplrKoJwLbahwnoSkFOzWqFoNq9qv1IXcyi4Ym7PbMadwDq4FpUdfDA84D6eGxospx8aPmJKZ0AuQMrtw=='
(decoded length: 1699).
negotiate_kerberos_auth.cc(462): pid=1463 :2014/10/30 12:54:45|
negotiate_kerberos_auth: DEBUG: AF
oYGgMIGdoAMKAQChCwYJKoZIhvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWnc+iBxbOhzQ36fAORmtdcn09xrBAmdvisZ2BxTPeuj8IxMULD9BJylCXHE8DVqqgyhS1Gzy1Y+BfyPvKyugBo1NnY3r7o3wYCnmbGli2NgcdrhQekHg1fbk8w==
echironteste
Notice the extra line with username (echironteste). I'm not sure if this
is relevant, but it does look like it.
**Windows XP**
Just like Windows 8.1, surfing worked fine and I did see Kerberos
activity in cache.log; however, I saw nothing being captured by Wireshark
on port 88 or, even widening the query, anything for krb5rpc. What's
happening here? Anybody have an idea?
Cheers all and thanks for the help.
On 27 Oct 2014, at 20:53, Markus Moeller wrote:
> Hi Pedro,
>
> Can you capture the traffic from one Windows 7 or XP client on port 88
> (just after the login, before accessing a website via squid, until
> successfully or unsuccessfully accessing the website) using Wireshark?
> Send me the .cap files to check.
>
> Markus
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: win7.pcapng.zip
Type: application/zip
Size: 36082 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20141030/b7bc01c6/attachment-0001.zip>
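The base64 blobs in the cache.log excerpts above are SPNEGO tokens: the line after `YR` is what squid hands the helper from the client's Authorization header, and the `AF <token> <user>` reply is the helper's success answer, whose token squid sends back to the client in WWW-Authenticate and whose last field is the authenticated user (hence the extra `echironteste` line in the good run and nothing after the `BH` in the bad one). The helper passes the decoded blob straight to gss_accept_sec_context(), so the most useful first check on a failing `YR` token is which mechanism it actually carries and in what order the client offered them. The Python below is an added example, not code from this thread or from Squid: a minimal DER walker that (a) recovers the total length a truncated token declares in its outer header, which can be checked against the "decoded length" the helper prints, and (b) decodes a client NegTokenInit or a helper NegTokenResp down to the mechanism list and the inner Kerberos AP-REQ/AP-REP or NTLMSSP message. The two `YR` tokens on the page are cut, so only their first characters are used; the `AF` token is complete and is decoded in full. The two NegTokenInit samples are constructed here to exercise the parser and are not taken from Pedro's capture; the AP-REQ body inside the first one is a placeholder, not a real ticket.

```python
import base64

# Mechanism OIDs that turn up in SPNEGO negotiations from Windows clients
MECH_NAMES = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos v5",
              "1.2.840.48018.1.2.2": "MS Kerberos v5", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
KRB5_TOKEN_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
NTLM_MSG_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def read_tlv(buf, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def mech_name(oid_body):
    """Decode a DER OID body to dotted form and map it to a mechanism name."""
    parts, val = [str(oid_body[0] // 40), str(oid_body[0] % 40)], 0
    for b in oid_body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [str(val)], 0
    return MECH_NAMES.get(".".join(parts), ".".join(parts))

def declared_length(b64_prefix):
    """Total size announced by the outer DER header; usable on the truncated tokens in the log."""
    chunk = b64_prefix[:8]
    raw = base64.b64decode(chunk + "=" * (-len(chunk) % 4))
    n = raw[1] & 0x7F if raw[1] & 0x80 else 0
    return 2 + n + (int.from_bytes(raw[2:2 + n], "big") if n else raw[1])

def describe_inner(tok):
    """Name the mechanism token inside SPNEGO (or sent bare): krb5 AP-REQ/AP-REP/KRB-ERROR or NTLMSSP."""
    if tok.startswith(b"NTLMSSP\x00"):
        return "NTLMSSP " + NTLM_MSG_TYPES.get(int.from_bytes(tok[8:12], "little"), "?")
    tag, body, _ = read_tlv(tok)
    if tag != 0x60:                              # not a GSS-API InitialContextToken
        return "unknown (tag 0x%02x)" % tag
    _, oid, pos = read_tlv(body)                 # mechanism OID, then krb5's 2-byte TOK_ID
    return mech_name(oid) + " " + KRB5_TOKEN_IDS.get(body[pos:pos + 2], "token")

def parse_spnego(b64):
    """Decode a logged token: the client's NegTokenInit (after 'YR ') or the helper's NegTokenResp (after 'AF '/'NA ')."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):           # client skipped SPNEGO entirely
        return {"kind": "raw NTLM", "token": describe_inner(raw)}
    tag, body, _ = read_tlv(raw)
    if tag == 0x60:                              # GSS-API framing: mechanism OID, then [0] NegTokenInit
        _, oid, pos = read_tlv(body)
        if mech_name(oid) != "SPNEGO":
            return {"kind": "bare " + mech_name(oid), "token": describe_inner(raw)}
        tag, body, _ = read_tlv(body, pos)
    if tag not in (0xA0, 0xA1):
        raise ValueError("tag 0x%02x is not a SPNEGO token" % tag)
    is_init = tag == 0xA0
    result, p = {"kind": "NegTokenInit" if is_init else "NegTokenResp"}, 0
    _, seq, _ = read_tlv(body)
    while p < len(seq):
        ctag, cval, p = read_tlv(seq, p)
        _, v, _ = read_tlv(cval)
        if ctag == 0xA0 and is_init:             # mechTypes: SEQUENCE OF OID, client's preference order
            result["mechTypes"], q = [], 0
            while q < len(v):
                _, ob, q = read_tlv(v, q)
                result["mechTypes"].append(mech_name(ob))
        elif ctag == 0xA0:                       # negState ENUMERATED
            result["negState"] = NEG_STATES.get(v[0], v[0])
        elif ctag == 0xA1 and not is_init:       # supportedMech: the OID the server settled on
            result["supportedMech"] = mech_name(v)
        elif ctag == 0xA2:                       # mechToken (init) / responseToken (resp)
            result["token"] = describe_inner(v)
    return result

def der(tag, body):                              # tiny DER encoder (short-form lengths) for the constructed samples
    return bytes([tag, len(body)]) + body

SPNEGO, KRB5 = bytes.fromhex("2b0601050502"), bytes.fromhex("2a864886f712010202")
MSKRB5, NTLM = bytes.fromhex("2a864882f712010202"), bytes.fromhex("2b06010401823702020a")

def build_neg_token_init(mechs, mech_token):
    """Constructed NegTokenInit (not from the thread's capture) for exercising the parser."""
    fields = der(0xA0, der(0x30, b"".join(der(0x06, m) for m in mechs))) + der(0xA2, der(0x04, mech_token))
    return base64.b64encode(der(0x60, der(0x06, SPNEGO) + der(0xA0, der(0x30, fields)))).decode()

# Constructed: Kerberos offered first, with a placeholder AP-REQ body (no real ticket inside)
KRB_FIRST = build_neg_token_init([MSKRB5, KRB5, NTLM],
                                 der(0x60, der(0x06, KRB5) + b"\x01\x00" + der(0x6E, b"\x00")))
# Constructed: only NTLM offered, carrying an NTLMSSP NEGOTIATE message header
NTLM_ONLY = build_neg_token_init([NTLM], b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(24))
# The complete AF token from the successful Windows 8.1 run quoted above
AF_TOKEN = ("oYGgMIGdoAMKAQChCwYJKoZIhvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEX"
            "olwEWnc+iBxbOhzQ36fAORmtdcn09xrBAmdvisZ2BxTPeuj8IxMULD9BJylCXHE8DVqqgyhS1Gzy1Y+BfyPvKyugBo1N"
            "nY3r7o3wYCnmbGli2NgcdrhQekHg1fbk8w==")

if __name__ == "__main__":
    print({p: declared_length(p) for p in ("YIIHLw", "YIIGnw")})   # the two truncated YR tokens
    print(parse_spnego(KRB_FIRST), parse_spnego(NTLM_ONLY), parse_spnego(AF_TOKEN), sep="\n")
```

Run against the excerpts above, `declared_length("YIIHLw")` gives 1843 and `declared_length("YIIGnw")` gives 1699, matching the "decoded length" the helper printed for the failing and the working request, so both blobs at least reached the helper intact. The `AF` token decodes as a NegTokenResp with negState accept-completed, supportedMech Kerberos v5 and a Kerberos AP-REP inside, which is exactly what a finished Kerberos exchange should look like. To apply the same check to the Windows 7 request, paste the full `YR` string from cache.log into `parse_spnego()`: the `mechTypes` order shows what that client preferred and `token` shows what it optimistically sent; anything other than a Kerberos AP-REQ is something the negotiate_kerberos_auth helper cannot accept, and the place to look next is the capture Markus asked for.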