[squid-users] Kerberos authentication problem - squid 3.4.11
Markus Moeller
huaraz at moeller.plus.com
Sat Feb 14 13:00:13 UTC 2015
Hi Ludovit,
Yes, the client determines the encryption strength and squid needs to have
all of them in the keytab (you can disallow DES or other weak encryption by
not adding these encryptions to the keytab).
Regards
Markus
"Ludovit Koren" wrote in message news:86lhk0j2xe.fsf at gmail.com...
>>>>> Markus Moeller <huaraz at moeller.plus.com> writes:
> It could be the new AD server is set up to be backward compatible,
> meaning it uses RC4 despite being able to use AES. I suggest you create
> an additional keytab entry for RC4. How did you create the keytab?
Now it seems to work:
# /usr/local/libexec/squid/negotiate_kerberos_auth_test proxy.mdpt.local |
awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' |
/usr/local/libexec/squid/negotiate_kerberos_auth -r -s HTTP/proxy.mdpt.local
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== HTTP/proxy.mdpt.local
BH quit command
respectively with debug output
# /usr/local/libexec/squid/negotiate_kerberos_auth_test proxy.mdpt.local |
awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' |
/usr/local/libexec/squid/negotiate_kerberos_auth -d -r -s HTTP/proxy.mdpt.local
negotiate_kerberos_auth.cc(212): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(258): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: DEBUG: Got 'YR
[base64 token omitted]'
from squid (length: 1911).
negotiate_kerberos_auth.cc(311): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: DEBUG: Decode
'[base64 token omitted]'
(decoded length: 1430).
negotiate_kerberos_pac.cc(368): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: INFO: Got PAC data of lengh 464
negotiate_kerberos_pac.cc(186): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: INFO: Found 2 rids
negotiate_kerberos_pac.cc(193): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: Info: Got rid: 513
negotiate_kerberos_pac.cc(193): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: Info: Got rid: 8830
negotiate_kerberos_pac.cc(255): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: INFO: Got DomainLogonId
S-1-5-21-770342266-1452753317-1341851483
negotiate_kerberos_pac.cc(277): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: INFO: Found 1 ExtraSIDs
negotiate_kerberos_pac.cc(325): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: INFO: Got ExtraSid S-1-18-1
negotiate_kerberos_pac.cc(448): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: INFO: Read 464 of 464 bytes
negotiate_kerberos_auth.cc(426): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: DEBUG: Groups
group=AQUAAAAAAAUVAAAAen3qLaVBl1ZbB/tPAQIAAA==
group=AQUAAAAAAAUVAAAAen3qLaVBl1ZbB/tPfiIAAA== group=AQEAAAAAABIBAAAA
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== HTTP/proxy.mdpt.local
negotiate_kerberos_auth.cc(431): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: DEBUG: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
HTTP/proxy.mdpt.local
negotiate_kerberos_auth.cc(258): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).
BH quit command
It looks like all ciphers which different MS clients could use should be
specified...
Am I right?
lk
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
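
The point made in the reply above, that the keytab must hold a key for every encryption type a client may choose and that DES is kept out by not adding it, can be checked offline. This is an added example, not part of the original thread or of Squid: a Python parser for the version 0x0502 keytab file format that reports which required enctypes a principal lacks and which DES entries are still present. The realm MDPT.LOCAL, the function names and the sample keytab (all-zero keys) are constructed for illustration.

```python
import struct

# Enctype numbers: 1/3 = single DES, 17/18 = AES128/AES256, 23 = arcfour-hmac (RC4)
WEAK = {1, 3}  # single DES, the weak case named in the thread

def counted(buf, off):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def keytab_enctypes(buf):
    """Map each principal in a version 0x0502 keytab to its set of enctypes."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, off = {}, 2
    while off + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, off)
        off += 4
        if size <= 0:                 # negative size: deleted entry (hole)
            off += -size
            continue
        (ncomp,) = struct.unpack_from(">H", buf, off)
        realm, p = counted(buf, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(buf, p)
            comps.append(comp)
        p += 4 + 4 + 1                # name type, timestamp, 8-bit kvno
        (etype,) = struct.unpack_from(">H", buf, p)
        found.setdefault("/".join(comps) + "@" + realm, set()).add(etype)
        off += size
    return found

def audit(buf, principal, required):
    """Report enctypes the principal lacks and weak ones still present."""
    have = keytab_enctypes(buf).get(principal, set())
    return {"missing": sorted(set(required) - have), "weak": sorted(have & WEAK)}

def make_entry(realm, comps, etype, kvno=3):
    """Build one constructed keytab entry with an all-zero 16-byte key."""
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, 16) + bytes(16)
    return struct.pack(">i", len(body)) + body

# Constructed sample: AES256 and DES keys around a hole, no RC4 (assumed realm)
PRINCIPAL = "HTTP/proxy.mdpt.local@MDPT.LOCAL"
SAMPLE = (b"\x05\x02" + make_entry("MDPT.LOCAL", ["HTTP", "proxy.mdpt.local"], 18)
          + struct.pack(">i", -8) + bytes(8)
          + make_entry("MDPT.LOCAL", ["HTTP", "proxy.mdpt.local"], 3))
```

Calling `audit(SAMPLE, PRINCIPAL, {17, 18, 23})` on the constructed keytab shows the situation from the thread: the RC4 entry a backward-compatible AD would need is missing, and a DES entry that should have been left out is present.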