Hi Manoj,
It looks like the client PC does not get the TGS for HTTP/proxy.domain.
Did you configure in IE the proxy with the name proxy.domain or as IP ? IE
requires the name. BTW IE 6 does not support Kerberos proxy authentication.
Can you capture the traffic on port 88 from your client with wireshark ?
You should see on a newly started PC AS REQ/REP and TGS REQ/REP and any
failure message which could give hints about the problem.
Markus
"Manoj Rajkarnikar" <manoj.rajkarnikar_at_gmail.com> wrote in message
news:AANLkTikFZcBVQ8OTzmwFbDq+LD+-bpy4vEhHnJ+FK_05_at_mail.gmail.com...
> Hi all,
>
> I've been trying to get my squid 2.7 S9 to work with kerberos
> authentication against AD 2003 server for a couple weeks now but still
> failed. I've read through lots of posts in the list and different
> tutorials following them 1 at a time but still no go. I've been
> following tuts by Klaubert
> (http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/)
> and the wiki too.. I've tried using the squid_kerb_auth both from the
> squid dist and sourceforge v1.0.5. here is what i did:
>
> => configure squid with these options:
> ./configure --prefix=/usr/local/squid --with-maxfd=16384
> --enable-storeio=aufs,coss --enable-removal-policies=lru,heap
> --enable-delay-pools --disable-wccp --disable-wccpv2 --enable-arp-acl
> --enable-coss-aio-ops --disable-ident-lookups
> --enable-auth="ntlm,basic,negotiate" --enable-ntlm-auth-helpers="SMB"
> --enable-negotiate-auth-helpers="squid_kerb_auth"
> --enable-basic-auth-helpers="LDAP"
> --enable-external-acl-helpers="ldap_group" --with-large-files
>
> => created a user "proxy.domain" in AD server
>
> => created keytab in AD server:
> ktpass -princ HTTP/proxy.domain_at_MYDOMAIN.COM -mapuser proxy.domain
> -crypto rc4-hmac-nt pass <password> -ptype KRB5_NT_SRV_HST -out
> proxy.domain.keytab
>
> and transfered to squid server in /etc/proxy.domain.keytab
> chmod 400 /etc/proxy.domain.keytab
> chown nobody /etc/proxy.domain.keytab
>
> => /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = MYDOMAIN.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> MYDOMAIN.COM = {
> kdc = dc1.mydomain.com:88
> kdc = dc2.mydomain.com:88
> kdc = dc3.mydomain.com:88
> admin_server = dc1.mydomain.com:749
> admin_server = dc2.mydomain.com:749
> admin_server = dc3.mydomain.com:749
> default_domain = mydomain.com
> }
>
> [domain_realm]
> .mydomain.com = MYDOMAIN.COM
> mydomain.com = MYDOMAIN.COM
>
> ;[kdc]
> ; profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> => tested the keytab file
> [root_at_proxy ~]# kinit -V -k -t /etc/proxy.domain.keytab HTTP/proxy.domain
> Authenticated to Kerberos v5
>
> => squid startup script
> #!/bin/bash
> export KRB5_KTNAME=/etc/proxy.domain.keytab
> /usr/sbin/squid -D
>
> => squid.conf file
> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -d
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
>
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
> http_access deny all
>
> => after starting squid, ps ax output
> 7040 ? Ss 0:00 /usr/sbin/squid -D
> 7042 ? Sl 0:00 (squid) -D
> 7043 ? S 0:00 (squid_kerb_auth) -d
> 7044 ? S 0:00 (squid_kerb_auth) -d
> 7045 ? S 0:00 (squid_kerb_auth) -d
> 7046 ? S 0:00 (squid_kerb_auth) -d
> 7047 ? S 0:00 (squid_kerb_auth) -d
> 7048 ? S 0:00 (squid_kerb_auth) -d
> 7049 ? S 0:00 (squid_kerb_auth) -d
> 7050 ? S 0:00 (squid_kerb_auth) -d
> 7051 ? S 0:00 (squid_kerb_auth) -d
> 7052 ? S 0:00 (squid_kerb_auth) -d
> 7053 ? S 0:00 (unlinkd)
>
> => proxy has A and PTR records for its fqdn in AD Server(DNS) and
> resolves find. IE7 in client machine(windows XP) is setup with fqdn in
> the proxy address. when trying to access the internet, login prompt
> comes up repeatedly and dies with denied message after 3 attempts.
>
> =>when using squid_kerb_auth v1.0.5 from sourceforge:
>
> 2010/08/29 10:59:00| Parser: retval 1: from 0->41: method 0->2; url
> 4->30; version 32->40 (1/1)
> 2010/08/29 10:59:00| The request GET http://www.squid-cache.org/ is
> DENIED, because it matched 'authenticated'
> 2010/08/29 10:59:00| The reply for GET http://www.squid-cache.org/ is
> ALLOWED, because it matched 'authenticated'
> 2010/08/29 10:59:00| Parser: retval 1: from 0->41: method 0->2; url
> 4->30; version 32->40 (1/1)
> 2010/08/29 10:59:00| squid_kerb_auth: Got 'YR
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
> (length: 59).
> 2010/08/29 10:59:00| squid_kerb_auth: Decode
> 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded
> length: 40).
> 2010/08/29 10:59:00| squid_kerb_auth: received type 1 NTLM token
> 2010/08/29 10:59:00| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'
> 2010/08/29 10:59:00| The request GET http://www.squid-cache.org/ is
> DENIED, because it matched 'authenticated'
> 2010/08/29 10:59:00| The reply for GET http://www.squid-cache.org/ is
> ALLOWED, because it matched 'authenticated'
> 2010/08/29 11:03:49| Parser: retval 1: from 0->41: method 0->2; url
> 4->30; version 32->40 (1/1)
> 2010/08/29 11:03:49| squid_kerb_auth: Got 'YR
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
> (length: 59).
> 2010/08/29 11:03:49| squid_kerb_auth: Decode
> 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded
> length: 40).
> 2010/08/29 11:03:49| squid_kerb_auth: received type 1 NTLM token
> 2010/08/29 11:03:49| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'
> 2010/08/29 11:03:49| The request GET http://www.squid-cache.org/ is
> DENIED, because it matched 'authenticated'
> 2010/08/29 11:03:49| The reply for GET http://www.squid-cache.org/ is
> ALLOWED, because it matched 'authenticated'
> 2010/08/29 11:03:50| Parser: retval 1: from 0->41: method 0->2; url
> 4->30; version 32->40 (1/1)
> 2010/08/29 11:03:50| squid_kerb_auth: Got 'YR
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
> (length: 59).
> 2010/08/29 11:03:50| squid_kerb_auth: Decode
> 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded
> length: 40).
> 2010/08/29 11:03:50| squid_kerb_auth: received type 1 NTLM token
> 2010/08/29 11:03:50| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'
> 2010/08/29 11:03:50| The request GET http://www.squid-cache.org/ is
> DENIED, because it matched 'authenticated'
> 2010/08/29 11:03:50| The reply for GET http://www.squid-cache.org/ is
> ALLOWED, because it matched 'authenticated'
> 2010/08/29 11:03:50| Parser: retval 1: from 0->41: method 0->2; url
> 4->30; version 32->40 (1/1)
> 2010/08/29 11:03:50| squid_kerb_auth: Got 'YR
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
> (length: 59).
> 2010/08/29 11:03:50| squid_kerb_auth: Decode
> 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded
> length: 40).
> 2010/08/29 11:03:50| squid_kerb_auth: received type 1 NTLM token
>
> => using squid_kerb_auth from squid2.7Stable9 distribution:
>
> 2010/08/29 11:09:14| Parser: retval 1: from 0->41: method 0->2; url
> 4->30; version 32->40 (1/1)
> 2010/08/29 11:09:14| The request GET http://www.squid-cache.org/ is
> DENIED, because it matched 'authenticated'
> 2010/08/29 11:09:14| The reply for GET http://www.squid-cache.org/ is
> ALLOWED, because it matched 'authenticated'
> 2010/08/29 11:09:15| Parser: retval 1: from 0->41: method 0->2; url
> 4->30; version 32->40 (1/1)
> 2010/08/29 11:09:15| squid_kerb_auth: Got 'YR
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
> (length: 59).
> 2010/08/29 11:09:15| squid_kerb_auth: parseNegTokenInit failed with rc=101
> 2010/08/29 11:09:15| squid_kerb_auth: received type 1 NTLM token
> 2010/08/29 11:09:15| authenticateNegotiateAuthenticateUser: need to
> challenge client 'received'!
> 2010/08/29 11:09:15| The request GET http://www.squid-cache.org/ is
> DENIED, because it matched 'authenticated'
> 2010/08/29 11:09:15| The reply for GET http://www.squid-cache.org/ is
> ALLOWED, because it matched 'authenticated'
> 2010/08/29 11:09:15| Parser: retval 1: from 0->41: method 0->2; url
> 4->30; version 32->40 (1/1)
> 2010/08/29 11:09:15| squid_kerb_auth: Got 'YR
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
> (length: 59).
> 2010/08/29 11:09:15| squid_kerb_auth: parseNegTokenInit failed with rc=101
> 2010/08/29 11:09:15| squid_kerb_auth: received type 1 NTLM token
> 2010/08/29 11:09:15| authenticateNegotiateAuthenticateUser: need to
> challenge client 'received'!
> 2010/08/29 11:09:15| The request GET http://www.squid-cache.org/ is
> DENIED, because it matched 'authenticated'
> 2010/08/29 11:09:15| The reply for GET http://www.squid-cache.org/ is
> ALLOWED, because it matched 'authenticated'
> 2010/08/29 11:09:16| Parser: retval 1: from 0->41: method 0->2; url
> 4->30; version 32->40 (1/1)
> 2010/08/29 11:09:16| squid_kerb_auth: Got 'YR
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
> (length: 59).
> 2010/08/29 11:09:16| squid_kerb_auth: parseNegTokenInit failed with rc=101
> 2010/08/29 11:09:16| squid_kerb_auth: received type 1 NTLM token
> 2010/08/29 11:09:16| authenticateNegotiateAuthenticateUser: need to
> challenge client 'received'!
> 2010/08/29 11:09:16| The request GET http://www.squid-cache.org/ is
> DENIED, because it matched 'authenticated'
> 2010/08/29 11:09:16| The reply for GET http://www.squid-cache.org/ is
> ALLOWED, because it matched 'authenticated'
> 2010/08/29 11:09:16| Parser: retval 1: from 0->41: method 0->2; url
> 4->30; version 32->40 (1/1)
> 2010/08/29 11:09:16| squid_kerb_auth: Got 'YR
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
> (length: 59).
> 2010/08/29 11:09:16| squid_kerb_auth: parseNegTokenInit failed with rc=101
> 2010/08/29 11:09:16| squid_kerb_auth: received type 1 NTLM token
> 2010/08/29 11:09:16| authenticateNegotiateAuthenticateUser: need to
> challenge client 'received'!
> 2010/08/29 11:09:16| The request GET http://www.squid-cache.org/ is
> DENIED, because it matched 'authenticated'
> 2010/08/29 11:09:16| The reply for GET http://www.squid-cache.org/ is
> ALLOWED, because it matched 'authenticated'
>
> kerbtray shows krbtgt/MYDOMAIN.COM entries listed.
>
> I'm obviously doing something wrong here.. please help pointing out
> what am I doing wrong.
>
> Thanks
> Manoj
>
Received on Sun Aug 29 2010 - 11:04:57 MDT
This archive was generated by hypermail 2.2.0 : Sun Aug 29 2010 - 12:00:07 MDT