[squid-users] Kerberos authentication only working with 1 domain server

Drikus Brits drikus at geocastsp.co.za
Tue Apr 5 13:50:59 UTC 2016


 

Hi Experts, 

After much struggling it seems I've reached some point of success, but
still not quite. I've checked a multitude of websites for help before
coming here, but didn't get anything valuable yet. My problem is as
follows: 

I have one Win2008R2 server that works with Kerberos authentication, but
none of the other PCs in the network want to work; the others all come
up with a login challenge. 

My Configs : 

/etc/krb5.conf 

<snip>
 # cat /etc/krb5.conf
 [logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 [libdefaults]
 default_realm = DOMAIN.CO.ZA
 dns_lookup_kdc = yes
 dns_lookup_realm = yes
 ticket_lifetime = 24h
 # note: the kinit/klist/msktutil commands further down use /etc/squid3/PROXY.keytab
 default_keytab_name = /etc/squid/PROXY.keytab

 # for Windows 2008 with AES
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

 [realms]
 DOMAIN.CO.ZA = {
  kdc = mw-ad.domain.co.za
  admin_server = mw-ad.domain.co.za
  default_domain = domain.co.za
 }

 [domain_realm]
 .domain.co.za = DOMAIN.CO.ZA
 domain.co.za = DOMAIN.CO.ZA

 [login]
 krb4_convert = true
 krb4_get_tickets = false
</snip> 

my /etc/squid/squid.conf 

<snip>
 #auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -i

 ### WORKING - half/half
 auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.CO.ZA --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

 #auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

 auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=DOMAIN.CO.ZA
 auth_param ntlm children 10
 auth_param ntlm keep_alive off

 # the LDAP bind password is given inline here; basic_ldap_auth can read it from a file with -W instead
 auth_param basic program /usr/lib/squid3/basic_ldap_auth -b "DC=domain,DC=co,DC=za" -f sAMAccountName=%s -D "CN=Folder Authentication,CN=Users,DC=domain,DC=co,DC=za" -w P@55w0rd -H ldap://MW-AD.domain.co.za -R
 auth_param basic realm Web-Proxy
 auth_param basic credentialsttl 1 minute

 acl proxy-auth proxy_auth REQUIRED

 http_access allow proxy-auth
</snip> 

When the Win2008R2 connects I get the following in
/var/log/squid3/cache.log: 

<snip> 
 2016/04/05 12:26:46| negotiate_wrapper: Got 'YR YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBgkqhkiC9xIBAgIGCSq<truncated>DVzSeCUH4ntF1lHc=' from squid (length: 2419).
 2016/04/05 12:26:46| negotiate_wrapper: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBg<truncated>UnIKhxWxh52aDVzSeCUH4ntF1lHc=' (decoded length: 1811).
 2016/04/05 12:26:46| negotiate_wrapper: received Kerberos token
 negotiate_kerberos_auth.cc(315): pid=8218 :2016/04/05 12:26:46| negotiate_kerberos_auth: DEBUG: Got 'YR YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuB<truncated>JDp51PN7RjUnIKhxWxh52aDVzSeCUH4ntF1lHc=' from squid (length: 2419).
 negotiate_kerberos_auth.cc(378): pid=8218 :2016/04/05 12:26:46| negotiate_kerberos_auth: DEBUG: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBgkqhkiC9xI<truncated>51PN7RjUnIKhxWxh52aDVzSeCUH4ntF1lHc=' (decoded length: 1811).
 2016/04/05 12:26:46| negotiate_wrapper: Return 'AF oYG2MIGzoAMKAQChCwYJ<truncated>ZuxzWyWJhUSZttUH70Vw595AsuKtUWvtGjGC7vGmD5Ugufw= Administrator@DOMAIN.CO.ZA 
</snip> 

But when other PCs connect (another Win2008R2, Win10 or Win7) I get: 

<snip> 
 negotiate_kerberos_auth.cc(315): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: DEBUG: Got 'YR YIIHDwYGKwYBBQUCoII<truncated>+BnGBajMprtChSPMuUX9nnZfT+cJk=' from squid (length: 2419).
 negotiate_kerberos_auth.cc(378): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: DEBUG: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv<truncated>MprtChSPMuUX9nnZfT+cJk=' (decoded length: 1811).
 negotiate_kerberos_auth.cc(200): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
 2016/04/05 12:33:47| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. ' 
</snip> 

My kinit -V -kt /etc/squid3/PROXY.keytab, which I'm sure is not
supposed to say that :). I've had others that did say "Successfully
authenticated to Kerberos V5" as well, but then the working win2008r2
doesn't work; see below. 

<snip> 
 # kinit -V -kt /etc/squid3/PROXY.keytab
 Using default cache: /tmp/krb5cc_0
 Using principal: host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA
 Using keytab: /etc/squid3/PROXY.keytab
 kinit: Preauthentication failed while getting initial credentials 
</snip> 

Working with "authenticated with kerberos", but no server or PC working: 

<snip> 
 msktutil -c -b "CN=COMPUTERS" -s HTTP/mw-sqproxy-test -s HTTP/mw-sqproxy-test.domain.co.za -h mw-sqproxy-test.domain.co.za -k /etc/squid3/PROXY.keytab --computer-name MWSQPROXYTEST --upn HOST/mw-sqproxy-test.domain.co.za --server mw-ad.domain.co.za --verbose --enctypes 28 
</snip> 

My working klist entries: 

<snip> 
 klist -ekt /etc/squid3/PROXY.keytab 

 Keytab name: FILE:/etc/squid3/PROXY.keytab
 KVNO Timestamp           Principal
 ---- ------------------- ------------------------------------------------------
    2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (arcfour-hmac)
    2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
    2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
    2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)
    2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
    2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
    2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)
    2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
    2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
    2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (arcfour-hmac)
    2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
    2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
    2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (arcfour-hmac)
    2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
    2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
    2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (arcfour-hmac)
    2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
    2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
    3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (arcfour-hmac)
    3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
    3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
    3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (arcfour-hmac)
    3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
    3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
    4 04/04/2016 16:29:08 host/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)
    4 04/04/2016 16:29:09 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
    4 04/04/2016 16:29:09 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
    3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)
    3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
    3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
    3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (arcfour-hmac)
    3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
    3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
    5 04/04/2016 19:19:28 host/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)
    5 04/04/2016 19:19:28 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
    5 04/04/2016 19:19:28 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
    6 04/04/2016 19:22:47 host/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)
    6 04/04/2016 19:22:47 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
    6 04/04/2016 19:22:47 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
    7 04/04/2016 20:40:09 host/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)
    7 04/04/2016 20:40:09 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
    7 04/04/2016 20:40:09 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96) 
</snip> 

I'm using the FQDN in IE to authenticate with Kerberos; if I change it
to the IP it only tries NTLM, which I'm assuming is correct, or not? 

I've investigated the PCs and all of them have properly joined the
domain. 

I've checked and I'm getting kvno 3 values from the working win2008r2 as
well as kvno 3 values from the other PCs, but yet they get a popup asking
for auth details. 
-- 

Drikus Brits 
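The keytab listing above holds the same service principals at several KVNOs, two computer accounts (MW-SQPROXY-TEST$ and MWSQPROXYTEST$) and both HOST/ and host/ spellings of one SPN. The script below is an added example, not part of the post and not code from Squid or msktutil: it parses `klist -ekt` output and reports exactly those conditions, then compares the newest KVNO per principal in the keytab with the KVNO the KDC reports via MIT's `kvno` tool (which prints `principal: kvno = N` when run after a kinit as any domain user). The keytab sample is a trimmed copy of the post's listing with the mailing-list "at" restored to "@"; the `kvno` output is constructed for the example, and the KDC-side numbers in it are invented to show a mismatch.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the `klist -ekt` listing in the post,
# with the mailing-list "at" obfuscation restored to "@".
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/squid3/PROXY.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (arcfour-hmac)
   2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   4 04/04/2016 16:29:08 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   7 04/04/2016 20:40:09 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
"""

# Constructed sample of what MIT `kvno <spn>` prints after a kinit as any
# domain user; the KDC-side numbers are invented to show a mismatch.
KVNO_OUTPUT = """\
HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA: kvno = 4
HTTP/mw-sqproxy-test@DOMAIN.CO.ZA: kvno = 3
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")
KVNO_RE = re.compile(r"^(\S+): kvno = (\d+)\s*$")


def parse_keytab_listing(text):
    """Parse `klist -ekt` output into (kvno, principal, enctype) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries


def audit_keytab(entries):
    """Flag keytab states that commonly end in gss_accept_sec_context() failures."""
    kvnos = defaultdict(set)
    for kvno, principal, _enctype in entries:
        kvnos[principal].add(kvno)

    # 1. One principal at several KVNOs: keys from earlier account resets are
    #    still in the file, so whether a client's cached service ticket validates
    #    depends on which KVNO it was issued under.
    stale = {p: sorted(k) for p, k in kvnos.items() if len(k) > 1}

    # 2. Same SPN in different letter case: Kerberos principal names are
    #    case-sensitive, so HOST/x and host/x are distinct keys.
    by_lower = defaultdict(set)
    for p in kvnos:
        by_lower[p.lower()].add(p)
    case_variants = sorted(sorted(v) for v in by_lower.values() if len(v) > 1)

    # 3. More than one computer account (NAME$) in one keytab: AD maps an SPN to
    #    a single account, so the other account's keys never decrypt its tickets.
    computer_accounts = sorted(p for p in kvnos if p.split("@", 1)[0].endswith("$"))

    return {"stale_kvno": stale, "case_variants": case_variants,
            "computer_accounts": computer_accounts}


def compare_with_kdc(entries, kvno_output):
    """Return {principal: (newest kvno in keytab, kvno the KDC issues)} where they differ."""
    newest = defaultdict(int)
    for kvno, principal, _enctype in entries:
        newest[principal] = max(newest[principal], kvno)
    mismatches = {}
    for line in kvno_output.splitlines():
        m = KVNO_RE.match(line)
        if not m:
            continue
        principal, kdc_kvno = m.group(1), int(m.group(2))
        if newest.get(principal) != kdc_kvno:
            mismatches[principal] = (newest.get(principal), kdc_kvno)
    return mismatches


if __name__ == "__main__":
    found = parse_keytab_listing(KLIST_OUTPUT)
    for key, value in audit_keytab(found).items():
        print(f"{key}: {value}")
    for principal, (in_keytab, on_kdc) in compare_with_kdc(found, KVNO_OUTPUT).items():
        print(f"kvno mismatch for {principal}: keytab has {in_keytab}, KDC issues {on_kdc}")
```

On a real proxy, feed it `klist -ekt /etc/squid3/PROXY.keytab` and, after `kinit` as an ordinary domain user, `kvno HTTP/proxy.fqdn@REALM`; a KVNO mismatch or a second computer account for the same host is what to fix on the AD side before touching squid.conf again.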
