[squid-users] Squid with Kerberos/NTLM and Google Talk client (solved - workaround)

From: Laurikainen, Tuukka <t.laurikainen_at_ibermatica.com>
Date: Tue, 15 Jan 2013 13:40:57 +0000

Hi,

I've just managed to solve the authentication issue I had with a Google Talk client with Squid; I hope this might help someone with the same problem.
I should say that the Google Talk client doesn't seem to work correctly with Kerberos proxy authentication, so this solution is more of a workaround. If someone can see through this and it really is not a Google Talk client problem but a Squid side Kerberos problem, please let me know. Now let me try to explain:

Squid (3.2.6) is configured to authenticate from AD using negotiate wrapper for Negotiate/NTLM and Negotiate/Kerberos, NTLM and Basic auth.

Google Talk clients (configured for proxy with auth - both options tried "Detect proxy automatically" and "Use the following proxy") produced these cache.log entries:

[2013/01/14 10:08:41.150742, 1] libsmb/ntlmssp.c:342(ntlmssp_update)
 got NTLMSSP command 3, expected 1

And debugging it I could see:

2013/01/14 10:08:41| negotiate_wrapper: received type 1 NTLM token

And later on:

2013/01/14 10:08:41| negotiate_wrapper: received type 3 NTLM token

So, the Google Talk client started with Kerberos and then switched to NTLM, which doesn't work.

Next, capturing the Kerberos traffic on the client I could see the following error from DC for the client's TGS-REQ:

error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)

And the Server Name value: HTTP/squid-server.my.domain:8080

This is definitely wrong, because the principal should be just HTTP/squid-server.my.domain without the :8080 (which is the port my squid listens on). I don't know why this is added to the request.

So, I checked this with the spnquery.vbs (from a Windows machine, available from here: http://technet.microsoft.com/library/ee176972.aspx):

>cscript spnquery.vbs http/squid-server* my.domain

CN=squid-server-K,CN=Computers,DC=my,DC=domain
Class: computer
Computer DNS: squid-server.my.domain
-- HTTP/squid-server.my.domain
-- host/squid-server.my.domain

That is as it should be, HTTP and Host SPNs. But, the Google Talk client tries to get a ticket with another SPN.

So, to work around this, I added a new SPN (again, from Windows):

>setspn -A http/squid-server.my.domain:8080 squid-server-K

Checked the records again:

>cscript spnquery.vbs http/squid-server* my.domain

CN=squid-server-K,CN=Computers,DC=my,DC=domain
Class: computer
Computer DNS: squid-server.my.domain
-- http/squid-server.my.domain:8080
-- HTTP/squid-server.my.domain
-- host/squid-server.my.domain

And now the Google Talk client authenticates correctly using Squid with Kerberos.

Regards,

Tuukka
Received on Tue Jan 15 2013 - 13:41:02 MST
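The SPN check and the setspn -A fix described in the post, as an added PowerShell example that is not part of the original message; it assumes the RSAT ActiveDirectory module, and the host, port and account name are the ones from the post standing in for your own.

```powershell
# Added example, not from the original post. Audits the SPNs registered on a
# proxy's AD computer account, reports whether both the plain and the
# port-suffixed HTTP SPN exist, and flags any SPN present on more than one
# account (the KDC then cannot tell whose key to use and Kerberos fails).
# Assumes the RSAT ActiveDirectory module. Host, port and account are the
# values from the post and are placeholders for your environment.
param(
    [string]$ProxyHost = 'squid-server.my.domain',
    [int]$ProxyPort    = 8080,
    [string]$Account   = 'squid-server-K',
    [switch]$AddMissing   # register any missing SPN on $Account (like setspn -A)
)

Import-Module ActiveDirectory

# Forms a client may put into its TGS-REQ: with and without the proxy port.
$expected = @("HTTP/$ProxyHost", "HTTP/${ProxyHost}:$ProxyPort")

$registered = (Get-ADComputer -Identity $Account `
    -Properties servicePrincipalName).servicePrincipalName

foreach ($spn in $expected) {
    # The KDC matched the lowercase 'http/...:8080' registered in the post to
    # the client's 'HTTP/...:8080' request, so compare case-insensitively too.
    if ($registered | Where-Object { $_ -ieq $spn }) {
        Write-Output "OK       $spn"
    }
    else {
        Write-Output "MISSING  $spn"
        if ($AddMissing) {
            # Same effect as: setspn -A <spn> <account>
            Set-ADComputer -Identity $Account -ServicePrincipalNames @{ Add = $spn }
            Write-Output "ADDED    $spn on $Account"
        }
    }

    # Duplicate check across the whole domain (what setspn -X reports):
    # an SPN that 'looks' registered but lives on two accounts still breaks.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
                Select-Object -ExpandProperty DistinguishedName)
    if ($owners.Count -gt 1) {
        Write-Warning "$spn is registered on several accounts: $($owners -join '; ')"
    }
}
```

Run it without -AddMissing first; that mode only reads AD and prints the report.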