Hi,
I'm testing the new squid helper to use Negotiate to authenticate users
against an MIT Kerberos KDC.
I already use a cross-realm trust to authenticate Windows users against
the KDC, so users, when logged into Windows, already have the TGT for the
Kerberos realm (authenticating users this way I cannot use NTLM auth,
that's why I need Negotiate against Kerberos).
I've compiled the latest squid-2.6 branch version
# sbin/squid -v
Squid Cache: Version 2.6.STABLE13-20070704
configure options: '--prefix=/usr/local/squid'
'--enable-auth=negotiate'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
set up a local keytab for squid (HTTP/squid.domain@REALM.KERBEROS),
tested it:
kinit -k -t squid.keytab HTTP/squid.domain@REALM.KERBEROS
set and exported KRB5_KTNAME pointing to the local keytab,
added authentication to squid.conf:
auth_param negotiate program /usr/libexec/squid_kerb_auth -d -s HTTP/squid.domain@REALM.KERBEROS
and started squid.
When trying to access the web with Firefox the user gets a ticket for the
HTTP/squid.domain service, but access is denied.
From the logs I've examined (and from Wireshark dumps) it seems like the
client sends the authentication but squid fails to verify it.
The flow seems like this:
Client sends request
Squid processes request, no auth, so it requests an auth header
client sends request + Proxy-Authorization: Negotiate YIICTA[...]YdpMw==
squid processes the Proxy-Authorization header (strips "Proxy-Authorization: Negotiate" and prepends YR to the request)
squid passes "YR YIICTA[...]YdpMw==" to squid_kerb_auth
squid_kerb_auth generates an error.
Here is the relevant log part:
2007/07/05 15:47:19| squid_kerb_auth: parseNegTokenInit failed with rc=102
2007/07/05 15:47:19| squid_kerb_auth: gss_accept_sec_context() failed: A token was invalid. Mechanism is incorrect
2007/07/05 15:47:19| comm_call_handlers(): got fd=6 read_event=1 write_event=0 F->read_handler=0x8084b10 F->write_handler=(nil)
2007/07/05 15:47:19| comm_call_handlers(): Calling read handler on fd=6
2007/07/05 15:47:19| cbdataValid: 0x82239b0
2007/07/05 15:47:19| helperStatefulHandleRead: 80 bytes from negotiateauthenticator #1.
2007/07/05 15:47:19| commSetSelect: FD 6 type 1
2007/07/05 15:47:19| commSetEvents(fd=6)
2007/07/05 15:47:19| helperStatefulHandleRead: end of reply found
2007/07/05 15:47:19| cbdataValid: 0x841eb48
2007/07/05 15:47:19| authenticateNegotiateHandleReply: Helper: '0x82239b0' {NA gss_accept_sec_context() failed: A token was invalid. Mechanism is incorrect}
What is rc=102? Why is the mechanism incorrect?
Is there a way I can verify if the Proxy-Authorization header is correct?
Btw, if you need the full log output I can attach it, but the problem seems to arise here in squid_kerb_auth.
Thanks,
-- Miolinux

Received on Wed Jul 11 2007 - 08:03:37 MDT
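Added example, not code from the poster or from squid: a small inspector for the base64 value that follows "Proxy-Authorization: Negotiate" (the same bytes squid hands the helper after "YR "). It decodes the RFC 2743 GSS-API wrapper and, for SPNEGO, lists the mechanism OIDs the client offers, which is the first thing to check when a helper rejects a token as having the wrong mechanism. The sample token is constructed here, not taken from the poster's capture.

```python
import base64
SPNEGO = "1.3.6.1.5.5.2"
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos 5",
              "1.2.840.48018.1.2.2": "Kerberos 5 (Microsoft OID)",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def _tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it); handles long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first & 0x80 else 0               # extra length bytes (long form)
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else first
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length
def _oid(body):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def inspect_negotiate(b64):
    """Classify the base64 after 'Proxy-Authorization: Negotiate' (what squid passes the helper after 'YR ')."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):                     # bare NTLM, no GSS-API wrapper at all
        return {"kind": "raw NTLMSSP", "mechs": []}
    if raw[0] != 0x60:                                     # RFC 2743 InitialContextToken = [APPLICATION 0]
        return {"kind": "unknown", "mechs": []}
    _, body, _ = _tlv(raw)
    tag, oid_body, pos = _tlv(body)                        # thisMech OID
    this_mech = _oid(oid_body) if tag == 0x06 else "?"
    if this_mech != SPNEGO:                                # e.g. a bare Kerberos AP-REQ instead of SPNEGO
        return {"kind": MECH_NAMES.get(this_mech, this_mech), "mechs": [this_mech]}
    tag, neg, _ = _tlv(body, pos)                          # [0] NegTokenInit
    if tag != 0xA0:
        return {"kind": "SPNEGO", "mechs": [], "error": "expected NegTokenInit"}
    _, seq, _ = _tlv(neg)                                  # NegTokenInit ::= SEQUENCE
    tag, mech_types, _ = _tlv(seq)                         # [0] mechTypes MechTypeList
    _, mech_seq, _ = _tlv(mech_types)                      # SEQUENCE OF MechType
    mechs, pos = [], 0
    while pos < len(mech_seq):
        _, oid_body, pos = _tlv(mech_seq, pos)
        mechs.append(_oid(oid_body))
    return {"kind": "SPNEGO", "mechs": mechs}              # mechs[0] is the one the helper must accept first

# Constructed sample (not from the poster's capture): SPNEGO NegTokenInit offering Microsoft Kerberos,
# standard Kerberos, then NTLMSSP, with a 4-byte dummy mechToken.
SAMPLE_TOKEN = base64.b64encode(bytes.fromhex(
    "603a06062b0601050502a030302ea0243022" "06092a864882f712010202"
    "06092a864886f712010202" "060a2b06010401823702020a" "a2060404deadbeef")).decode()
```

Feed it the base64 from a Wireshark capture or from the helper's debug line; a result whose first mech is not a Kerberos OID, or a "raw NTLMSSP" result, explains a Kerberos-only helper rejecting the token.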