[squid-users] squid_kerb_auth - Negotiate

From: miolinux <miolinux@dont-contact.us>
Date: Wed, 11 Jul 2007 16:03:26 +0200

Hi,

I'm testing new squid helper to use negotiate to authenticate users
against a mit kerberos kdc.

I already use a cross-realm trust to authenticate windows users against
the kdc, so users when logged into windows already have the TGT for
kerberos realm (authenticating users this way i cannot use NTLM auth,
that's why i need negotiate against kerberos).

I've compiled the latest squid-2.6 branch version

# sbin/squid -v
Squid Cache: Version 2.6.STABLE13-20070704
configure options: '--prefix=/usr/local/squid'
'--enable-auth=negotiate'
'--enable-negotiate-auth-helpers=squid_kerb_auth'

set up a local keytab for squid (HTTP/squid.domain@REALM.KERBEROS)
tested it
kinit -k -t squid.keytab HTTP/squid.domain@REALM.KERBEROS

setted and exported KRB5_KTNAME pointing to the local keytab

added authentication to squid conf

auth_param negotiate program /usr/libexec/squid_kerb_auth -d -s HTTP/squid.domain@REALM.KERBEROS

and started squid.

When trying to access web with firefox user get ticket for
HTTP/squid.domain service, but access is denied.

From logs i've investigated (and from wireshark dumps) seems like
client sends authentication but squid fails to verify it.

Flows seems like this:

Client send request
Squid process request, no auth, so request auth header
client send request + Proxy-Authorization: Negotiate YIICTA[...]YdpMw==
squid process proxy-authorization header: (strip "Proxy-Authorization: Negotiate" and add YR to request)
squid pass "YR YIICTA[...]YdpMw==" to squid_kerb_auth
squid_kerb_auth generate an error.

Here are revelant log part:

2007/07/05 15:47:19| squid_kerb_auth: parseNegTokenInit failed with rc=102
2007/07/05 15:47:19| squid_kerb_auth: gss_accept_sec_context() failed: A token was invalid. Mechanism is incorrect
2007/07/05 15:47:19| comm_call_handlers(): got fd=6 read_event=1 write_event=0 F->read_handler=0x8084b10 F->write_handler=(nil)
2007/07/05 15:47:19| comm_call_handlers(): Calling read handler on fd=6
2007/07/05 15:47:19| cbdataValid: 0x82239b0
2007/07/05 15:47:19| helperStatefulHandleRead: 80 bytes from negotiateauthenticator #1.
2007/07/05 15:47:19| commSetSelect: FD 6 type 1
2007/07/05 15:47:19| commSetEvents(fd=6)
2007/07/05 15:47:19| helperStatefulHandleRead: end of reply found
2007/07/05 15:47:19| cbdataValid: 0x841eb48
2007/07/05 15:47:19| authenticateNegotiateHandleReply: Helper: '0x82239b0' {NA gss_accept_sec_context() failed: A token was invalid. Mechanism is incorrect}

What is rc=102 ? Why mechanism is incorrect?
There's a way i can verify if Proxy-Authorization header is correct?

Btw if you need full log output i can attach it, but problem seems to arize here in squid_kerb_auth

Thanks,

--
Miolinux
Received on Wed Jul 11 2007 - 08:03:37 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Aug 01 2007 - 12:00:03 MDT