[squid-users] Negotiate Kerberos Auth - BH Invalid request
Kevin M�hlparzer
kevinmuehlparzer at hotmail.de
Tue Jun 13 11:59:33 UTC 2017
Hello list,
I asked about a problem with NTLM-Authentication before. (BH SPNEGO request invalid prefix; thats the error of the helper protocol "helper-protocol=squid-2.5-ntlmssp" I used with NTLM, while basic works fine)
A user told me I should use negotiate_kerberos_auth instead of ntlm_auth.
Now here's my new problem:
root at x-x-testproxy01:/etc/squid# /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/x-x-testproxy01.x-xxx.local at X-XXX.LOCAL
negotiate_kerberos_auth.cc(487): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(546): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Setting keytab to FILE:/etc/squid/HTTP.keytab
negotiate_kerberos_auth.cc(570): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_5305
testuser xxxxxxx
negotiate_kerberos_auth.cc(610): pid=5305 :2017/06/13 13:29:47| negotiate_kerberos_auth: DEBUG: Got 'testuser xxxxxx' from squid (length: 18).
negotiate_kerberos_auth.cc(647): pid=5305 :2017/06/13 13:29:47| negotiate_kerberos_auth: ERROR: Invalid request [testuser xxxxxxx]
BH Invalid request
So my configuration has mistakes, but I can't find them. I don't really know where to search, or what works for sure. I tried many tutorials on krb5 and samba. Every form of testing I tried works fine except indeed using the required kerberos authentication of my squid-proxy.
Tests that come to my mind:
kinit a user
Warning: Your password will expire in 36 days on Don 20 Jul 2017 13:23:54 CEST
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser at X-XXX.LOCAL
Valid starting Expires Service principal
2017-06-13 13:38:37 2017-06-13 23:38:37 krbtgt/X-XXX.LOCAL at X-XXX.LOCAL
renew until 2017-06-14 13:38:34
klist -k on my HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/x-x-testproxy01.x-xxx.local at X-XXX.LOCAL
1 host/x-x-testproxy01.x-xxx.local at X-XXX.LOCAL
1 host/x-x-testproxy01.x-xxx.local at X-XXX.LOCAL
1 host/x-x-testproxy01.x-xxx.local at X-XXX.LOCAL
1 host/x-x-testproxy01.x-xxx.local at X-XXX.LOCAL
1 host/X-X-TESTPROXY01 at X-XXX.LOCAL
1 host/X-X-TESTPROXY01 at X-XXX.LOCAL
1 host/X-X-TESTPROXY01 at X-XXX.LOCAL
1 host/X-X-TESTPROXY01 at X-XXX.LOCAL
1 host/X-X-TESTPROXY01 at X-XXX.LOCAL
1 X-X-TESTPROXY01$@X-XXX.LOCAL
1 X-X-TESTPROXY01$@X-XXX.LOCAL
1 X-X-TESTPROXY01$@X-XXX.LOCAL
1 X-X-TESTPROXY01$@X-XXX.LOCAL
1 X-X-TESTPROXY01$@X-XXX.LOCAL
basic-auth using ntlm
root at x-x-testproxy01:/etc/squid# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --username=testuser --password=xxxxxxxx
testuser xxxxxxxxxx
OK
testuser at x-xxx.local xxxxxxxx
OK
wbinfo -u
administrator
testuser
...
wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
...
wbinfo --krb5auth=testuser%xxxxxxx
plaintext kerberos password authentication for [testuser%xxxxxxx] succeeded (requesting cctype: FILE)
wbinfo -t
checking the trust secret for domain X-XXX via RPC calls succeeded
wbinfo --authenticate=testuser%xxxxxxxx
plaintext password authentication succeeded
challenge/response password authentication succeeded
/usr/lib/squid/negotiate_kerberos_auth_test x-x-testproxy01.x-xxx.local
Token: YIIFOgYGKwYBBQUCoIIFLjCCBSqgJzAlBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgIGBisGAQUCBaKCBP0EggT5YIIE9QYJKoZIhvcSAQICAQBuggTkMIIE4KADAgEFoQMCAQ6iBwMFAAAAAACjggP2YYID8jCCA+6gAwIBBaENGwtYLU5FVC5MT0NBTKIuMCygAwIBA6ElMCMbBEhUVFAbG3gtbC10ZXN0cHJveHkwMS54LW5ldC5sb2NhbKOCA6YwggOioAMCARKhAwIBAaKCA5QEggOQIMtincRDtWjh44pew3twk26Gm9rTC7CbkobNrzaRq/weljVl5TSbMQTFIVRQXVe4CQBWJ/Gcg472cgLA3mjOH8Z30zxQFP8fsK46wAtTEzJhonzXLImhaPtXvCVz94xaCVG7cBlNJCUmZQHsQMxFsGJZfKCkDvztiNplXEEwRgT7S6f8HQNm62xPAyz9aK8Wqfz9suW5cSBk8wdRAQNleKP1Xe/2LqZ4jfDpodPdcy9A8vh1dKu4tmbz+EJ/bKvWA+/twuXiOhhGq4W39TlOu/3zD87pXAh65ka1QsepkCWgUMHImDw8nUr8Zvi4j4vI9WhyMyLFYBya8BvAX9kLg73zl80g82bQVIAb8QU3gS2Akhpd7r1flfUbfRDUQfuS/bsaHspZoP+2c8+Bxy38OML4Gg29y6fJvRNfDaCnqmTQdiPtyqELVUS+4x7r260mM1wQKzD2Jb5pcz4wMHUK0sdw8xmMARGxB7XdyGSbo759GD6tOaTAKkNwccno6i9wyOoLqfhVRjE/K9FLCvCnzEFI07q1/dFz1Ce/ZzroW3nOwNQe3V6qqBELwuTvHgxIdGq4HEPeLqAUkVWxneXemRNbLKiOs/BIe3qkXxizgAkFLqRO5az2pVOD7/KBevxYZKeAgIuDsbIYG/u3Ic+KtCDaaM/to2b41SB8ZOFKJau3BuMPOvZ4ipiMbv0N/Svk4Tg61BIhN3CJYKA3ep/3p3wSfJlkcYeRVkDpasQnmFnjxV2YS7Q8nvmf9LIz+KIYBIT8X9yRPuV/E2lSELZlxJ8CySLFLUKgtMj97GPMlacc+UN3lJjyoExUKHpMZtUmaKrw7ueT3wnLMWgx0BBPkiAebUAedKj9u9sEscFylmI/+PdCCraMNbkOckCsggYXfJm6LxFZJhnDvw1+Z87xsJFDs5fasF6j8REiG8aHTmKHgt2M9TmIRNo/PsYrZGvuVQhkk2fuyFxwwyfs7ysNEkOmBWlFlTEjddjT9YShHfV8Fo8+M2UYY5nYiUIQq5BBfZ679ntivs7F80lKMOqhc7SOY63VwRJOwoq35+bnsIB08b9cttySiOcFsZb6uTnYvHzUFVSUha4nxrg3zW3fL9KVu4XY+lgCRZrBZMxioy6vbAOJBmpqXOJvel2gBbGN6PEd2ReeX43l1gcn+Bd3mQykmUIEzMMuRpSHda9233aWHbwEZ9H9rOdJdhgX4U+upIHQMIHNoAMCARKigcUEgcJu7kcC1zuJdhOQk+YA0Hw2G9kyg46tpaNIgj1CEgkD/KE28kaKivCTZTnHfrNOpIOJaaiYw4RMwJsbgZdRU+fz/jUwxvXdUSGon6JrU7S2XZ9CjXRXfdpXc4HjP0QW6Cql1SE95MpkcbMRH8FQvGNryBzsqIkELnvXceTGCmwlN3n60nqkoR5/41p2PtSz4hFMOVdT6AkPlNC5VTCtCZUj7YbrYVYImPnG3aAfQxXEHRy19/v0mL2845jZFA7Xw96s1A==
Sorry for posting so many output...
I already read many documentations, but no one really tests in small steps, they just assume that it works for everyone out of the box...
Does anyone have a clue what could be my mistake?
Thanks in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170613/5015e8a2/attachment.html>
More information about the squid-users
mailing list