[squid-users] Kerberos-Authentication to AD 2012
Rainer Backes
RBackes at bond.de
Wed Dec 2 19:12:51 UTC 2015
Hi,
I'm trying to build a Squid-Proxy that integrates with an Active
Directory - and I think I'm only one step from succeeding, but I still
get one error from negotiate_kerberos_auth.
Here is my config: (everything is hosted inside my VMware Workstation)
- Passwords here are only experimental.
Basic Installation
- Windows Server 2012R2 with default Active Directory, only one User:
me
- Windows 8.1/64 with IE and Firefox
- SLES 11 SP 4 as the Proxy
Squid Version: First I used the DBA Package available from OpenSuse
Build Service, this is 3.5.11. Then I downloaded the newest stable
source 3.5.12 and compliled it by myself (with configure options
--prefix=/usr/local/squid --with-included-ltdl ), OpenLdap and Kerberos
devel packages also installed from SLES11SP4 SDK. Error is the same on
both versions.
Preparation on Windows side:
- Created user bsquid for the proxy, added SPN.
- with ktpass -princ HTTP/bsquid.bond.local at BOND.LOCAL -pass Sq1dcache
-mapuser bsquid -pType KRB5_NT_PRINCIPAL -crypto All -out bsquid.keytab
I build a keytab file that includes ALL available Crypto algorithms
(After I found out that 2012 uses AES256.... on default). Result from
command:
Targeting domain controller: W2K12-Squid.bond.local
Using legacy password setting method
Successfully mapped HTTP/bsquid.bond.local to bsquid.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to bsquid.keytab:
Keytab version: 0x502
keysize 60 HTTP/bsquid.bond.local at BOND.LOCAL ptype 1
(KRB5_NT_PRINCIPAL) vno 10 etype 0x1 (DES-CBC-CRC) keylength 8 (0x0
7cbdf6d7c8f0b75)
keysize 60 HTTP/bsquid.bond.local at BOND.LOCAL ptype 1
(KRB5_NT_PRINCIPAL) vno 10 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0
7cbdf6d7c8f0b75)
keysize 68 HTTP/bsquid.bond.local at BOND.LOCAL ptype 1
(KRB5_NT_PRINCIPAL) vno 10 etype 0x17 (RC4-HMAC) keylength 16 (0xdc
2fdd6643b8e3e18184d38b989b6f87)
keysize 84 HTTP/bsquid.bond.local at BOND.LOCAL ptype 1
(KRB5_NT_PRINCIPAL) vno 10 etype 0x12 (AES256-SHA1) keylength 32 (0
x3cfb4221e4f8ce0c8ce6a2a4b231872b1fe979c013ee965be8469bac4fd0e9ec)
keysize 68 HTTP/bsquid.bond.local at BOND.LOCAL ptype 1
(KRB5_NT_PRINCIPAL) vno 10 etype 0x11 (AES128-SHA1) keylength 16 (0
xc32c8f7a8a039a7921148d863a5d6f78)
with this keytab a kinit from the SLES box works without errors.
The negotiate line from squid.conf is as follows:
auth_param negotiate program
/usr/local/squid/libexec/negotiate_kerberos_auth -d -s
HTTP/bsquid.bond.local
I also tried to add the Kerberos realm - that did not make any
difference.
My krb5.conf:
[libdefaults]
ticket_lifetime = 24000
default_realm = BOND.LOCAL
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac arcfour-hmac-md5 des-cbc-crc
des-cbc-md5
; default_tgs_enctypes = rc4-hmac arcfour-hmac-md5 des-cbc-crc
des-cbc-md5
[domain_realm]
.bond.local = BOND.LOCAL
bond.local = BOND.LOCAL
[realms]
BOND.LOCAL = {
kdc = w2k12-squid.bond.local
admin_server = w2k12-squid.bond.local
default_domain = bond.local
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = FILE:/var/log/krb5/krb5libs.log
; default = SYSLOG:NOTICE:DAEMON
Set the environment variable for the keytab and starting squid -N
inside a GUI-Window
bsquid:/usr/local/squid/sbin # export
KRB5_KTNAME=/usr/local/squid/etc/bsquid.keytab
bsquid:/usr/local/squid/sbin # ./squid -N
On the workstation tried to open a Website, get the following error:
negotiate_kerberos_auth.cc(487): pid=122356 :2015/12/02 20:00:41|
negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(546): pid=122356 :2015/12/02 20:00:41|
negotiate_kerberos_auth: INFO: Setting keytab to
/usr/local/squid/etc/bsquid.keytab
negotiate_kerberos_auth.cc(610): pid=122356 :2015/12/02 20:00:41|
negotiate_kerberos_auth: DEBUG: Got 'YR
YIIGSgYGKwYBBQUCoIIGPjCCBjqgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBgQEggYAYIIF/AYJKoZIhvcSAQICAQBuggXrMIIF56ADAgEFoQMCAQ6iBwMFACAAAACjggR7YYIEdzCCBHOgAwIBBaEMGwpCT05ELkxPQ0FMoiQwIqADAgECoRswGRsESFRUUBsRYnNxdWlkLmJvbmQubG9jYWyjggQ2MIIEMqADAgESoQMCAQqiggQkBIIEIE0bBxNC8N0cj77UQ8WQ1nicU5iM1c96WZcSKt2OCO5h5PIcn680jYYbamAdtisA6nosAByGYqFZPmXRtgm8zwCuQ+JvemUowba7lQYmAx1b9AkvNAxCiWtW43xlTKAlXsiJdCDjFg9k3rR+bnHK/QidRps2U7TV4WO8ey5ZcW3/gC0lToL2lALORg607wlaFtmFx+Jc4y4BoX+debm9GiJOHBMGgqIVnAVC5rds06ppDpyaFghn0Mmq4dPNs9uA4FpfBrtux3TLi50X9iaF1UO0dDjkcxt2tf82prochtI7o0CQci9arOyzuHCxVjFTyFF4vw3AsJpbf0f8GXr9yMjT67N4DoYUUpNOtGEAjFLLQSeHUNvL0Sxzld8iOiSl5Ym6HOy3UCgXjJoSDY7rgNIXUIbMuBaXqkK8NNfNUDJ4VXConFNSxOkl8mbckT0vFFaa8dIwrzLnpoNKAOF7T8j1T2FILkDttR3MvlAfHbPj5GPODpX8xYgRefeE/RtbMgeje94bNsMVHAHal0Wj++RwHvmIdPYjc/cwr7pKQTCOcLz4wGJ1fz5d/tMdVoPiVx8uJ9tPNlfT3nRv+N1euVOwSKAxyv8Dw7sIYv+xkDr5tuC8Mh+8xGhl8ohetjAyFMzln4J1SvS/3Wo8X77uOKnxySx3BII5+rCIxbzhiLl8X6/1zCeR+DM5Ez/TMDOqMcmQgHtspqHmWkyAoFvYJ/ppP/wmk8F8zvkLutjpNnBndZNfj60JJqrOJYadGrAljK/PM3tOHC9F2BOeY9aZITL4cybswJ/AKwWefrdf/8yfFcPy0sa72eyfWeXl5aG/19r1L0cof9sZY4UoMrcJojUd9uqFbqNjForkpbJmH3mOQhujzRzsiEmdjTzLy2+1Hfa/4XUIob0cLr0gtKvJJGANMQj9WHWjZsR8vAF1w86qDQPmDMNmWqDyJTazreXN1TdX9FlhfvgHYsBxnnXu4bBkTL+ro/ekh+4Zd8tFlO8zrHaqMeLf7V7w6dHdC0Yj1xBkY3V7qyVqrSXI1i5Awz8QF48FU3yGq/A+zSs/5C2ij8v2Wlc5g+B/qNdbjKAtRGwqtR06f16JMrXFndJN4zqEEtBZpvk3BYQ6SJaQopwq6WdUFMLMLvqKAd5av79g7cWhWQuobFesoIQ3t9pwh3YFy12CSbZvw+VdWRqWFc7xESycqECbUIAap2euNDFuz/lYbeqHJ1E9WiMyNtI7pMk9DsSSYaUav5VypSNNugmSime3ik8QC8u6Xvlpriw7yIb+3Q9Z3S/OYa8tAuT+RuWg9+v3AIY1rPE81y/8AywMvbPoXhUvX3YHTvdSUT+hqxgdQlwix8DQhpvNfJjxtf/EEnj9G9AvXjZv43gdXCZ1UdY2cFw82qoFOiXQdD5D5aSCAVEwggFNoAMCARKiggFEBIIBQBo80CDpIOVCJc5+/xnXQ9Wa4eiN0cITJ9CsRYmwSiWDyN21Ifft9RFjAoTj41VsK8fDsRl5NKafFvjFQknDsoGKkVOuxD6pQT6OF7oxdfP1Omqktu5S5y6Vd56wXM+a6wzFm7zyOPU01CyEQwOMiyTf/hiA1I/1dUazliKXrp+IZ4rz9GaLEguvi/K3Df8bufbyUytvszhTStIPqwWY0KHoFGusYnq02l/RwnlqzsgMntc0tiHYONVcmicasIWdivrbO2jlAe+8pKlJs+AvIN6LNQZsEwOtIsh2mgd6tifamwzN00G1Hdw0dpk5tR+NlrSGyGzeVb0dHiPVBNz++eXWULylHrT/6YC+74urRQWdhfdcyj2bJDV6Iu9reSP/pNdjXIFOTpylgzdmjTMkf4/neJqvvIoH/phX9/HDW9Yq'
from squid (length: 2155).
negotiate_kerberos_auth.cc(663): pid=122356 :2015/12/02 20:00:41|
negotiate_kerberos_auth: DEBUG: Decode
'YIIGSgYGKwYBBQUCoIIGPjCCBjqgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBgQEggYAYIIF/AYJKoZIhvcSAQICAQBuggXrMIIF56ADAgEFoQMCAQ6iBwMFACAAAACjggR7YYIEdzCCBHOgAwIBBaEMGwpCT05ELkxPQ0FMoiQwIqADAgECoRswGRsESFRUUBsRYnNxdWlkLmJvbmQubG9jYWyjggQ2MIIEMqADAgESoQMCAQqiggQkBIIEIE0bBxNC8N0cj77UQ8WQ1nicU5iM1c96WZcSKt2OCO5h5PIcn680jYYbamAdtisA6nosAByGYqFZPmXRtgm8zwCuQ+JvemUowba7lQYmAx1b9AkvNAxCiWtW43xlTKAlXsiJdCDjFg9k3rR+bnHK/QidRps2U7TV4WO8ey5ZcW3/gC0lToL2lALORg607wlaFtmFx+Jc4y4BoX+debm9GiJOHBMGgqIVnAVC5rds06ppDpyaFghn0Mmq4dPNs9uA4FpfBrtux3TLi50X9iaF1UO0dDjkcxt2tf82prochtI7o0CQci9arOyzuHCxVjFTyFF4vw3AsJpbf0f8GXr9yMjT67N4DoYUUpNOtGEAjFLLQSeHUNvL0Sxzld8iOiSl5Ym6HOy3UCgXjJoSDY7rgNIXUIbMuBaXqkK8NNfNUDJ4VXConFNSxOkl8mbckT0vFFaa8dIwrzLnpoNKAOF7T8j1T2FILkDttR3MvlAfHbPj5GPODpX8xYgRefeE/RtbMgeje94bNsMVHAHal0Wj++RwHvmIdPYjc/cwr7pKQTCOcLz4wGJ1fz5d/tMdVoPiVx8uJ9tPNlfT3nRv+N1euVOwSKAxyv8Dw7sIYv+xkDr5tuC8Mh+8xGhl8ohetjAyFMzln4J1SvS/3Wo8X77uOKnxySx3BII5+rCIxbzhiLl8X6/1zCeR+DM5Ez/TMDOqMcmQgHtspqHmWkyAoFvYJ/ppP/wmk8F8zvkLutjpNnBndZNfj60JJqrOJYadGrAljK/PM3tOHC9F2BOeY9aZITL4cybswJ/AKwWefrdf/8yfFcPy0sa72eyfWeXl5aG/19r1L0cof9sZY4UoMrcJojUd9uqFbqNjForkpbJmH3mOQhujzRzsiEmdjTzLy2+1Hfa/4XUIob0cLr0gtKvJJGANMQj9WHWjZsR8vAF1w86qDQPmDMNmWqDyJTazreXN1TdX9FlhfvgHYsBxnnXu4bBkTL+ro/ekh+4Zd8tFlO8zrHaqMeLf7V7w6dHdC0Yj1xBkY3V7qyVqrSXI1i5Awz8QF48FU3yGq/A+zSs/5C2ij8v2Wlc5g+B/qNdbjKAtRGwqtR06f16JMrXFndJN4zqEEtBZpvk3BYQ6SJaQopwq6WdUFMLMLvqKAd5av79g7cWhWQuobFesoIQ3t9pwh3YFy12CSbZvw+VdWRqWFc7xESycqECbUIAap2euNDFuz/lYbeqHJ1E9WiMyNtI7pMk9DsSSYaUav5VypSNNugmSime3ik8QC8u6Xvlpriw7yIb+3Q9Z3S/OYa8tAuT+RuWg9+v3AIY1rPE81y/8AywMvbPoXhUvX3YHTvdSUT+hqxgdQlwix8DQhpvNfJjxtf/EEnj9G9AvXjZv43gdXCZ1UdY2cFw82qoFOiXQdD5D5aSCAVEwggFNoAMCARKiggFEBIIBQBo80CDpIOVCJc5+/xnXQ9Wa4eiN0cITJ9CsRYmwSiWDyN21Ifft9RFjAoTj41VsK8fDsRl5NKafFvjFQknDsoGKkVOuxD6pQT6OF7oxdfP1Omqktu5S5y6Vd56wXM+a6wzFm7zyOPU01CyEQwOMiyTf/hiA1I/1dUazliKXrp+IZ4rz9GaLEguvi/K3Df8bufbyUytvszhTStIPqwWY0KHoFGusYnq02l/RwnlqzsgMntc0tiHYONVcmicasIWdivrbO2jlAe+8pKlJs+AvIN6LNQZsEwOtIsh2mgd6tifamwzN00G1Hdw0dpk5tR+NlrSGyGzeVb0dHiPVBNz++eXWULylHrT/6YC+74urRQWdhfdcyj2bJDV6Iu9reSP/pNdjXIFOTpylgzdmjTMkf4/neJqvvIoH/phX9/HDW9Yq'
(decoded length: 1614).
negotiate_kerberos_auth.cc(180): pid=122356 :2015/12/02 20:00:41|
negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: Unspecified
GSS failure. Minor code may provide more information. Permission
denied
2015/12/02 20:00:41| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: gss_acquire_cred() failed:
Unspecified GSS failure. Minor code may provide more information.
Permission denied; }}
In the same GUI window, negotiate_kerberos_auth_test works:
bsquid:/usr/local/squid/sbin #
/usr/local/squid/libexec/negotiate_kerberos_auth_test bsquid.bond.local
| awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' |
/usr/local/squid/libexec/negotiate_kerberos_auth -d -s
HTTP/bsquid.bond.local
negotiate_kerberos_auth.cc(487): pid=122362 :2015/12/02 20:04:17|
negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(546): pid=122362 :2015/12/02 20:04:17|
negotiate_kerberos_auth: INFO: Setting keytab to
/usr/local/squid/etc/bsquid.keytab
negotiate_kerberos_auth.cc(610): pid=122362 :2015/12/02 20:04:17|
negotiate_kerberos_auth: DEBUG: Got 'YR
YIIFOQYGKwYBBQUCoIIFLTCCBSmgHzAdBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgKiggUEBIIFAGCCBPwGCSqGSIb3EgECAgEAboIE6zCCBOegAwIBBaEDAgEOogcDBQAAAAAAo4ID/mGCA/owggP2oAMCAQWhDBsKQk9ORC5MT0NBTKIkMCKgAwIBA6EbMBkbBEhUVFAbEWJzcXVpZC5ib25kLmxvY2Fso4IDuTCCA7WgAwIBEqEDAgEKooIDpwSCA6Mf94bC+59KaQjsnQcWkXVcQknzpZjaEaz7bbGPyUlvR+ac8Y+z7vp0807CtBysvSMTgRCU+ghgUculGmncFwXSHoIpjCAg1faW/+COorCBjnBsOGzy3/sHUstVgnT/+cbqVBk/8f2v5b7k/VmejnADQyP/8T2yphyA9xBRaPOnjQiqtVFeheVnDA3+6X8bR+IlHCC7c/KJJBFUO/nRbM7lnb2yzW/nLVHaYlzw3+o5MiKu1FYdSLGil5jFIxjhqUzOpf87Z1ax/Ojzco3gVZxSDvRNp6EJ5Nea7LVESNQGto24Cru2ae4lO0oXe7An8VFHm4tVikvZQzHprNgUQITQlVzQ0CjztGuFpIrw/xt/ie5K5XziH76YaAxpzaiVfXG02V5pdY2ntSvVN/+IqSwQ8iRxkB+ZUQdLy0gR5dPXgjW/lU2NNWcAvfJWszf8y7hzu85GCy+fQXfRMY0g6CgsUncFmQy+x6E74Ft5XD/qOnW+66+HAxA6pmzBRvos9+drul3RQvVaGwaDo5Z86bKERZFKz02tmQUXFt+fEtqAqYXfsiXKq/HmxpZF3XklrQhoolGS41JTfhDmKeN4NtQYBM/pDMCo0HYWNMKthHvKXDhhLuu+WlT41vw5fl+uDiBOEOkVMhVsxe4M+Qsdj1z/DDqBgrVpYOcSF/rTC+8wETuciuUpZKecZkhLeT3VdIYMzNnhwSBG00bktICxPTuRXZC+Qfp+E+gsGk37r7bArYxtbjHjhj3WRkRTqfk11/6j6Bq0EDZV/o1OYOSulcuXulPTKCpQ209sJJmKEqjVgdFq697HIdC1eB7m9jETJH8YzqVLx500DEDipj8VeDLyxWPcM5P4HKeLTyMxjW72nZwlSBfbpIO2ogh6j5X0+f4/nuGW43/kX7LG9K+7NoRWofmasE2fUjq2NgbL+Qg5r4nfL3byE+LR5tg5xz9tUe+WYq+FpS4HSqfcxxUhDadXW2RgKsohNR3+cqBI0jDS/IcHu8LnicRuIVIJes2Bpf3KnThA9JqlUI5GcySWKvA4S7SOvSRvqipoA412/OMiUA4JSkV98BAFZaYt5+x6TswIMAz+xngrr39oWSrnnuem7A7vOwaG2pAa4rnQlBMKWZCztO7GLjQDeJyjNFDdyhT5tM31t0gvfH1seulRlAMXR8SJrraj320For2iVZK9d9+Op2xgsfb1VfPNBoIw+LuCpAIvwdL+PgtLcXUUxdklXkhTpIHPMIHMoAMCARKigcQEgcFbbiCFd2nHRDkZiUP7oFMEf3xmoeg7/fTpZT/VUpyFeVqzKZyBt3g6WLlFa++rlZm8aRxh65oKYk6ptRZcqje02XmhQpfRkZG4+NRiu175DgGvk4pNsZfPQSKxAP1WDZ2jVRy4U5+R49NbLodhRh0KFV9R4fug30x8uxQAJVTYu952i1mrx+PD/yS6UT2KLeDpVqfFtpnlVxeYjgK7hJoLb0qgN0fJbQDEqM9vrZ396z27pNOZXI7wa06I7roQFSlZ'
from squid (length: 1791).
negotiate_kerberos_auth.cc(663): pid=122362 :2015/12/02 20:04:17|
negotiate_kerberos_auth: DEBUG: Decode
'YIIFOQYGKwYBBQUCoIIFLTCCBSmgHzAdBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgKiggUEBIIFAGCCBPwGCSqGSIb3EgECAgEAboIE6zCCBOegAwIBBaEDAgEOogcDBQAAAAAAo4ID/mGCA/owggP2oAMCAQWhDBsKQk9ORC5MT0NBTKIkMCKgAwIBA6EbMBkbBEhUVFAbEWJzcXVpZC5ib25kLmxvY2Fso4IDuTCCA7WgAwIBEqEDAgEKooIDpwSCA6Mf94bC+59KaQjsnQcWkXVcQknzpZjaEaz7bbGPyUlvR+ac8Y+z7vp0807CtBysvSMTgRCU+ghgUculGmncFwXSHoIpjCAg1faW/+COorCBjnBsOGzy3/sHUstVgnT/+cbqVBk/8f2v5b7k/VmejnADQyP/8T2yphyA9xBRaPOnjQiqtVFeheVnDA3+6X8bR+IlHCC7c/KJJBFUO/nRbM7lnb2yzW/nLVHaYlzw3+o5MiKu1FYdSLGil5jFIxjhqUzOpf87Z1ax/Ojzco3gVZxSDvRNp6EJ5Nea7LVESNQGto24Cru2ae4lO0oXe7An8VFHm4tVikvZQzHprNgUQITQlVzQ0CjztGuFpIrw/xt/ie5K5XziH76YaAxpzaiVfXG02V5pdY2ntSvVN/+IqSwQ8iRxkB+ZUQdLy0gR5dPXgjW/lU2NNWcAvfJWszf8y7hzu85GCy+fQXfRMY0g6CgsUncFmQy+x6E74Ft5XD/qOnW+66+HAxA6pmzBRvos9+drul3RQvVaGwaDo5Z86bKERZFKz02tmQUXFt+fEtqAqYXfsiXKq/HmxpZF3XklrQhoolGS41JTfhDmKeN4NtQYBM/pDMCo0HYWNMKthHvKXDhhLuu+WlT41vw5fl+uDiBOEOkVMhVsxe4M+Qsdj1z/DDqBgrVpYOcSF/rTC+8wETuciuUpZKecZkhLeT3VdIYMzNnhwSBG00bktICxPTuRXZC+Qfp+E+gsGk37r7bArYxtbjHjhj3WRkRTqfk11/6j6Bq0EDZV/o1OYOSulcuXulPTKCpQ209sJJmKEqjVgdFq697HIdC1eB7m9jETJH8YzqVLx500DEDipj8VeDLyxWPcM5P4HKeLTyMxjW72nZwlSBfbpIO2ogh6j5X0+f4/nuGW43/kX7LG9K+7NoRWofmasE2fUjq2NgbL+Qg5r4nfL3byE+LR5tg5xz9tUe+WYq+FpS4HSqfcxxUhDadXW2RgKsohNR3+cqBI0jDS/IcHu8LnicRuIVIJes2Bpf3KnThA9JqlUI5GcySWKvA4S7SOvSRvqipoA412/OMiUA4JSkV98BAFZaYt5+x6TswIMAz+xngrr39oWSrnnuem7A7vOwaG2pAa4rnQlBMKWZCztO7GLjQDeJyjNFDdyhT5tM31t0gvfH1seulRlAMXR8SJrraj320For2iVZK9d9+Op2xgsfb1VfPNBoIw+LuCpAIvwdL+PgtLcXUUxdklXkhTpIHPMIHMoAMCARKigcQEgcFbbiCFd2nHRDkZiUP7oFMEf3xmoeg7/fTpZT/VUpyFeVqzKZyBt3g6WLlFa++rlZm8aRxh65oKYk6ptRZcqje02XmhQpfRkZG4+NRiu175DgGvk4pNsZfPQSKxAP1WDZ2jVRy4U5+R49NbLodhRh0KFV9R4fug30x8uxQAJVTYu952i1mrx+PD/yS6UT2KLeDpVqfFtpnlVxeYjgK7hJoLb0qgN0fJbQDEqM9vrZ396z27pNOZXI7wa06I7roQFSlZ'
(decoded length: 1341).
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== rbackes at BOND.LOCAL
negotiate_kerberos_auth.cc(783): pid=122362 :2015/12/02 20:04:17|
negotiate_kerberos_auth: DEBUG: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
rbackes at BOND.LOCAL
negotiate_kerberos_auth.cc(610): pid=122362 :2015/12/02 20:04:17|
negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).
BH quit command
bsquid:/usr/local/squid/sbin #
The Windows client has some kerberos tickets avail:
C:\Windows\system32>klist
Aktuelle Anmelde-ID ist 0:0x37b196
Zwischengespeicherte Tickets: (4)
#0> Client: RBackes @ BOND.LOCAL
Server: krbtgt/BOND.LOCAL @ BOND.LOCAL
KerbTicket (Verschlüsselungstyp): AES-256-CTS-HMAC-SHA1-96
Ticketkennzeichen 0x40e10000 -> forwardable renewable
initial pre_authent name_canonicalize
Startzeit: 12/2/2015 18:39:42 (lokal)
Endzeit: 12/3/2015 4:39:42 (lokal)
Erneuerungszeit: 12/9/2015 18:39:42 (lokal)
Sitzungsschlüsseltyp: AES-256-CTS-HMAC-SHA1-96
Cachekennzeichen: 0x1 -> PRIMARY
KDC aufgerufen: W2K12-SQUID
#1> Client: RBackes @ BOND.LOCAL
Server: HTTP/bsquid.bond.local @ BOND.LOCAL
KerbTicket (Verschlüsselungstyp): AES-256-CTS-HMAC-SHA1-96
Ticketkennzeichen 0x40a10000 -> forwardable renewable
pre_authent name_canonicalize
Startzeit: 12/2/2015 18:39:46 (lokal)
Endzeit: 12/3/2015 4:39:42 (lokal)
Erneuerungszeit: 12/9/2015 18:39:42 (lokal)
Sitzungsschlüsseltyp: AES-256-CTS-HMAC-SHA1-96
Cachekennzeichen: 0
KDC aufgerufen: W2K12-Squid.bond.local
#2> Client: RBackes @ BOND.LOCAL
Server: ldap/W2K12-Squid.bond.local @ BOND.LOCAL
KerbTicket (Verschlüsselungstyp): AES-256-CTS-HMAC-SHA1-96
Ticketkennzeichen 0x40a50000 -> forwardable renewable
pre_authent ok_as_delegate name_canonicalize
Startzeit: 12/2/2015 18:39:44 (lokal)
Endzeit: 12/3/2015 4:39:42 (lokal)
Erneuerungszeit: 12/9/2015 18:39:42 (lokal)
Sitzungsschlüsseltyp: AES-256-CTS-HMAC-SHA1-96
Cachekennzeichen: 0
KDC aufgerufen: W2K12-Squid.bond.local
#3> Client: RBackes @ BOND.LOCAL
Server: LDAP/W2K12-Squid.bond.local/bond.local @ BOND.LOCAL
KerbTicket (Verschlüsselungstyp): AES-256-CTS-HMAC-SHA1-96
Ticketkennzeichen 0x40a50000 -> forwardable renewable
pre_authent ok_as_delegate name_canonicalize
Startzeit: 12/2/2015 18:39:44 (lokal)
Endzeit: 12/3/2015 4:39:42 (lokal)
Erneuerungszeit: 12/9/2015 18:39:42 (lokal)
Sitzungsschlüsseltyp: AES-256-CTS-HMAC-SHA1-96
Cachekennzeichen: 0
KDC aufgerufen: W2K12-Squid.bond.local
C:\Windows\system32>
Anyone an idea ?
Thanks, Rainer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20151202/83136cdd/attachment-0001.html>
More information about the squid-users
mailing list