Hi,
I've just managed to solve the authentication issue I had with a Google Talk client with Squid, hope this might help someone with the same problem.
I should say that the Google Talk client doesn't seem to work correctly with Kerberos proxy authentication, so this solution is more of a workaround. If someone can see through this and it really is not a Google Talk client problem but a Squid-side Kerberos problem, please let me know. Now let me try to explain:
Squid (3.2.6) is configured to authenticate from AD using negotiate wrapper for Negotiate/NTLM and Negotiate/Kerberos, NTLM and Basic auth.
Google Talk clients (configured for proxy with auth - both options tried "Detect proxy automatically" and "Use the following proxy") produced these cache.log entries:
[2013/01/14 10:08:41.150742, 1] libsmb/ntlmssp.c:342(ntlmssp_update)
got NTLMSSP command 3, expected 1
And debugging it I could see:
2013/01/14 10:08:41| negotiate_wrapper: received type 1 NTLM token
And later on:
2013/01/14 10:08:41| negotiate_wrapper: received type 3 NTLM token
So, the Google Talk client started with Kerberos and then switched to NTLM, which doesn't work.
Next, capturing the Kerberos traffic on the client I could see the following error from DC for the client's TGS-REQ:
error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
And the Server Name value: HTTP/squid-server.my.domain:8080
This is definitely wrong, because the principal should be just HTTP/squid-server.my.domain without the :8080 (which is the port my squid listens on). I don't know why this is added to the request.
So, I checked this with spnquery.vbs (from a Windows machine, available from here: http://technet.microsoft.com/library/ee176972.aspx):
>cscript spnquery.vbs http/squid-server* my.domain
CN=squid-server-K,CN=Computers,DC=my,DC=domain
Class: computer
Computer DNS: squid-server.my.domain
-- HTTP/squid-server.my.domain
-- host/squid-server.my.domain
That is as it should be: HTTP and host SPNs. But the Google Talk client tries to get a ticket with another SPN.
So, to work around this, I added a new SPN (again, from Windows):
>setspn -A http/squid-server.my.domain:8080 squid-server-K
Checked the records again:
>cscript spnquery.vbs http/squid-server* my.domain
CN=squid-server-K,CN=Computers,DC=my,DC=domain
Class: computer
Computer DNS: squid-server.my.domain
-- http/squid-server.my.domain:8080
-- HTTP/squid-server.my.domain
-- host/squid-server.my.domain
And now the Google Talk client authenticates correctly using Squid with Kerberos.
Regards,
Tuukka
Received on Tue Jan 15 2013 - 13:41:02 MST
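A check a Squid admin can run before touching SPNs, added here as an example and not part of Tuukka's post: it asks AD which HTTP SPNs exist for the proxy host and on which account, reports whether the plain and the ":port" form are both registered, and flags the case where they are spread over several accounts. The host, port and account name are placeholders taken from the post; the suggested command uses setspn -S rather than -A because -S refuses to create a duplicate SPN.

```powershell
# Added example: audit the HTTP SPNs registered for a Squid proxy host.
# Assumes a domain-joined Windows machine and a user allowed to read
# servicePrincipalName. Host, port and account are placeholders.
param(
    [string]$ProxyHost = 'squid-server.my.domain',   # placeholder proxy FQDN
    [int]$ProxyPort    = 8080,                       # port Squid listens on
    [string]$Account   = 'squid-server-K'            # account holding the proxy keytab
)

# The two SPNs a client may request: the standard one and the ":port" form
# seen in the TGS-REQ in the post above.
$expected = @("HTTP/$ProxyHost", "HTTP/${ProxyHost}:$ProxyPort")

# LDAP search over the domain for any account carrying an HTTP SPN for this host.
# SPN matching in AD is case-insensitive, so HTTP/ and http/ are the same SPN.
$searcher = [adsisearcher]"(servicePrincipalName=HTTP/$ProxyHost*)"
$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'servicePrincipalName'))

$found = @{}   # lower-cased SPN -> sAMAccountName that holds it
foreach ($r in $searcher.FindAll()) {
    $owner = [string]$r.Properties['samaccountname'][0]
    foreach ($spn in $r.Properties['serviceprincipalname']) {
        $found[$spn.ToString().ToLowerInvariant()] = $owner
    }
}

foreach ($spn in $expected) {
    $key = $spn.ToLowerInvariant()
    if ($found.ContainsKey($key)) {
        Write-Output ("present: {0} (on {1})" -f $spn, $found[$key])
    } else {
        # -S checks for an existing duplicate before adding; -A does not.
        Write-Output ("MISSING: {0}  -> register with: setspn -S {0} {1}" -f $spn, $Account)
    }
}

# The same service SPN held by more than one account is a common cause of
# Kerberos failures (the KDC may issue a ticket for the wrong account's key),
# so report it if the search turned up several owners.
$owners = @($found.Values | Sort-Object -Unique)
if ($owners.Count -gt 1) {
    Write-Output ("WARNING: HTTP SPNs for {0} are held by several accounts: {1}" -f $ProxyHost, ($owners -join ', '))
}
```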