[squid-users] Squit with NTLM and Kerberos auth => a error
Olivier CALVANO
o.calvano at gmail.com
Fri Nov 6 07:29:18 UTC 2015
Hi Marcus,
No, I don't know if the users use NegoEx; on the network they have more than 25000
desktops.
I changed the auth to NTLM only, but same problems: a lot of users are not
allowed.
GENSEC login failed: NT_STATUS_INVALID_PARAMETER
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE
Is there commercial support for Squid?
Regards
Olivier
2015-11-05 22:39 GMT+01:00 Markus Moeller <huaraz at moeller.plus.com>:
>
> Hi Olivier,
>
> I think on some of your newer clients you have an issue with Negotiate
> and NTLM fallback. If I look at
>
> https://msdn.microsoft.com/en-us/library/ff468736.aspx I see this
> https://i-msdn.sec.s-msft.com/dynimg/IC426444.gif
>
> If I interpret this correctly the client will try NegoEx after failing
> with Kerberos and before trying NTLM. If on the client NegoEx is
> successful then NTLM will not be attempted. And I think that is the case
> here. Do you know if NegoEx is used on the client ?
>
>
> Does anybody else know about NegoEx ?
>
> Markus
>
>
>
> *From:* Olivier CALVANO <o.calvano at gmail.com>
> *Sent:* Tuesday, November 03, 2015 9:22 AM
> *To:* Markus Moeller <huaraz at moeller.plus.com>
> *Subject:* Re: [squid-users] Squit with NTLM and Kerberos auth => a error
>
> That's to say that Squid can be used with Windows AD?
>
>
>
> 2015-11-02 22:46 GMT+01:00 Markus Moeller <huaraz at moeller.plus.com>:
>
>>
>> Hi Olivier,
>>
>> If I decode a token I see
>>
>> /base64> hexdump -c base64_dec.out
>> 0000000 ` 201 236 006 006 + 006 001 005 005 002 240 201 223 0 201
>> 0000010 220 240 032 0 030 006 \n + 006 001 004 001 202 7 002 002
>> 0000020 036 006 \n + 006 001 004 001 202 7 002 002 \n 242 r 004
>> 0000030 p N E G O E X T S \0 \0 \0 \0 \0 \0 \0
>> 0000040 \0 ` \0 \0 \0 p \0 \0 \0 020 366 L 3 & 023 256
>> 0000050 O 271 216 4 305 \f 200 ! \t 034 340 # 327 322 177 _
>> 0000060 211 202 > 254 { g 234 325 225 001 022 225 \f 323 276 A
>> 0000070 206 024 6 367 ; . \0 C 273 \0 \0 \0 \0 \0 \0 \0
>> 0000080 \0 ` \0 \0 \0 001 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
>> 0000090 \0 E r | 2 2 E 213 H 277 331 * k 240 ^ 244
>> 00000a0 \n
>> 00000a1
>>
>> It says NEGOEXTS which points me to
>> https://technet.microsoft.com/en-us/library/dd560645%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
>>
>>
>> That is not supported.
>> Markus
>>
>>
>> "Olivier CALVANO" <o.calvano at gmail.com> wrote in message
>> news:CAJajPefqOygT5zsYW7fWszwRTTxN-r1Pd-U73XDfoNax9dLHkA at mail.gmail.com...
>> Hi
>>
>> I am testing AD authentication with Kerberos/NTLM:
>>
>> ### negotiate kerberos and ntlm authentication
>> auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
>> auth_param negotiate children 160 startup=5 idle=1
>> auth_param negotiate keep_alive on
>>
>> ## NTLM authentication module
>> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 160 startup=5 idle=1
>> auth_param ntlm keep_alive on
>>
>> ## If NTLM fails, offer the (basic) authentication prompt
>> auth_param basic program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-basic
>> auth_param basic children 40 startup=5 idle=1
>> auth_param basic realm Company proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>>
>>
>> I have a lot of users for whom it works, but for other users, Squid requests
>> login/password in a loop.
>>
>> In cache.log I have:
>>
>> 2015/11/02 17:37:57| squid_kerb_auth: gss_accept_sec_context() failed: An
>> unsupported mechanism was requested. Unknown error
>> 2015/11/02 17:37:57 kid1| ERROR: Negotiate Authentication validating
>> user. Error returned 'BH gss_accept_sec_context() failed: An unsupported
>> mechanism was requested. Unknown error'
>> GENSEC login failed: NT_STATUS_LOGON_FAILURE
>> 2015/11/02 17:37:58| squid_kerb_auth: Got 'YR
>> YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
>> from squid (length: 219).
>> 2015/11/02 17:37:58| squid_kerb_auth: Decode
>> 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
>> (decoded length: 161).
>> 2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An
>> unsupported mechanism was requested. Unknown error
>> 2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating
>> user. Error returned 'BH gss_accept_sec_context() failed: An unsupported
>> mechanism was requested. Unknown error'
>> 2015/11/02 17:37:58| squid_kerb_auth: Got 'YR
>> YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
>> from squid (length: 219).
>> 2015/11/02 17:37:58| squid_kerb_auth: Decode
>> 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
>> (decoded length: 161).
>> 2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An
>> unsupported mechanism was requested. Unknown error
>> 2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating
>> user. Error returned 'BH gss_accept_sec_context() failed: An unsupported
>> mechanism was requested. Unknown error'
>> 2015/11/02 17:37:58| squid_kerb_auth: Got 'YR
>> YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABL2TDMmE65PuY40xQyAIQlOCybIQKGs/hmFlEu3FzYMQIag5ivNn4JcpRWBrJ5vMwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
>> from squid (length: 219).
>> 2015/11/02 17:37:58| squid_kerb_auth: Decode
>> 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABL2TDMmE65PuY40xQyAIQlOCybIQKGs/hmFlEu3FzYMQIag5ivNn4JcpRWBrJ5vMwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
>> (decoded length: 161).
>> 2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An
>> unsupported mechanism was requested. Unknown error
>> 2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating
>> user. Error returned 'BH gss_accept_sec_context() failed: An unsupported
>> mechanism was requested. Unknown error'
>> GENSEC login failed: NT_STATUS_LOGON_FAILURE
>> GENSEC login failed: NT_STATUS_LOGON_FAILURE
>>
>>
>>
>>
>> Does anyone know this problem?
>>
>> regards
>> Olivier
>>
>>
>> ------------------------------
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>>
>
>
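Added example, not code from the thread, from Squid or from Samba: a minimal DER walker that base64-decodes the token quoted from cache.log above and lists the mechTypes the client offered, which is how you can tell from the log alone whether a client is proposing NegoEx (1.3.6.1.4.1.311.2.2.30) ahead of NTLMSSP instead of Kerberos, the case squid_kerb_auth reports as "unsupported mechanism". The OID-to-name table and the function names are assumptions of the example.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
# Mechanism OIDs that can appear in the mechTypes list of a SPNEGO NegTokenInit.
KNOWN_MECHS = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}
# The first 'Got' token from the cache.log excerpt quoted in this thread.
TOKEN_FROM_LOG = (
    "YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRT"
    "AAAAAAAAAABgAAAAcAAAABD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYU"
    "Nvc7LgBDuwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=")

def _tlv(buf, pos):
    """Read one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Turn DER OID contents into dotted form (base-128 arcs, high bit set = more bytes)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def spnego_mech_types(token_b64):
    """Return the mechTypes OIDs of a SPNEGO NegTokenInit, in the client's preference order."""
    buf = base64.b64decode(token_b64)
    tag, pos, _ = _tlv(buf, 0)               # [APPLICATION 0] InitialContextToken
    mech_tag, pos, oid_end = _tlv(buf, pos)  # thisMech, must be the SPNEGO OID
    if tag != 0x60 or mech_tag != 0x06 or _decode_oid(buf[pos:oid_end]) != SPNEGO_OID:
        raise ValueError("not a SPNEGO initial context token (raw NTLMSSP or Kerberos?)")
    _, pos, _ = _tlv(buf, oid_end)           # [0] NegTokenInit
    _, pos, _ = _tlv(buf, pos)               # SEQUENCE
    _, pos, _ = _tlv(buf, pos)               # [0] mechTypes
    _, pos, seq_end = _tlv(buf, pos)         # SEQUENCE OF MechType
    oids = []
    while pos < seq_end:                     # one OID per offered mechanism
        _, start, pos = _tlv(buf, pos)
        oids.append(_decode_oid(buf[start:pos]))
    return oids
```

For the logged token this yields NegoEx followed by NTLMSSP and no Kerberos OID at all, so a Kerberos-only acceptor has nothing it can negotiate and the client never falls back to plain NTLM over the Negotiate scheme.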