Hi Markus,
Thanks for your reply. Is it safe to use negotiate wrapper with squid 3.1.8?
I didnt add delegation to that system, I have just given full
permisions to admin user and that computer. Does it matter?
Regards
On 2 May 2011 17:56, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
> Hi Go,
>
> There is no need to use delegation and you must not enable delegation as it
> creates a risk that your squid system can create tickets for other users
> (e.g. impersonate another user).
>
> Negotiate handles both Kerberos and NTLM authentication. If Kerberos is
> setup correctly it is the preferred option for the client, but if Kerberos
> fails for some reason the client will fall back to NTLM and replies to an
> Negotiate authentication request with a NTLM token. To deal with this
> situation I created the negotiate wrapper which sends Kerberos tokens to the
> kerberos authentication handler and NTLM token to the NTLM authentication
> handler. Unfortunately there are applications like IM clients which use
> proxies, but only support NTLM (not Negotiate). To cater for this case squid
> has to offer NTLM too. So you need:
>
> negotiate_wrapper with negotiate_kerberos_auth and ntlm_auth for Negotiate
> Kerberos/NTLM
>
> and
>
> ntlm_auth for pure NTLM
>
> Squid trunk (3.2) has still a problem with the negotiate_wrapper and NTLM. I
> haven't found the reason yet.
>
> Markus
>
>
> "Go Wow" <gowows_at_gmail.com> wrote in message
> news:BANLkTi=iKAhHuL8tuoght4Qn08cKcdzyLA_at_mail.gmail.com...
> I changed my approach a lil bit and swicthed to centos from ubuntu hehe.
>
> I installed centos and configured kerberos/squid as mentioned in
> squid-cache kerberos guide, I used msktutil to create the keytab file.
> On the windows server I checked the machine, it was listed as a
> workstation I went on to properties and selected delegation tab and
> tried to allow delagation of kerberos but it didnt work. So I right
> clicked on the computer name and clicked on properties >> security and
> given full permission to Administrator and then gave full permission
> to same computer name.
>
> Now im able to authenticate users and use squid to browse.
>
> I will be monitoring squid for next couple of days and see if it gives
> that log entries of libntlmssp.
>
> How safe is it to use negotiate_wrapper in production? What is the
> difference between using negogiate_wrapper and a 2nd auth param
> statement for ntlm in squid.conf
>
>
> Regards
>
> On 2 May 2011 09:20, Go Wow <gowows_at_gmail.com> wrote:
>>
>> I will check that and inform you. But how did you troubleshoot that
>> the entry is missing from AD?
>>
>> On 1 May 2011 14:51, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>>>
>>> It looks like you do not have an entry in AD. Can you search AD for
>>> entries
>>> with serviceprincipalname = HTTP/proxyserver.orangegroup.com ?
>>>
>>> Markus
>>>
>>>
>>> "Go Wow" <gowows_at_gmail.com> wrote in message
>>> news:BANLkTinUivd8YFNnX+Gp6aZxd0RhzTKjTQ_at_mail.gmail.com...
>>> On 1 May 2011 00:00, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>>>>
>>>> Hi Go,
>>>>
>>>> For Windows 2008 the wiki says "use --enctypes 28". Did you use it ?
>>>
>>> Yes I used --enctypes 28
>>>
>>>>
>>>> what does klist -e show and what does
>>>> kinit <user>
>>>> kvno HTTP/proxyserver.orangegroup.com
>>>>
>>>> show (<user> being your userid ) ?
>>>
>>> Here is the complete output
>>>
>>> root_at_proxyserver:/home/owner# whoami
>>> root
>>> root_at_proxyserver:/home/owner# klist
>>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>>> root_at_proxyserver:/home/owner# klist -e
>>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>>> root_at_proxyserver:/home/owner# kinit Administrator
>>> Password for Administrator_at_ORANGEGROUP.COM:
>>> root_at_proxyserver:/home/owner# klist -e
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: Administrator_at_ORANGEGROUP.COM
>>>
>>> Valid starting Expires Service principal
>>> 05/01/11 09:36:33 05/01/11 19:36:38
>>> krbtgt/ORANGEGROUP.COM_at_ORANGEGROUP.COM
>>> renew until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with
>>> HMAC/md5,ArcFour with HMAC/md5
>>> root_at_proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com
>>> kvno: Server not found in Kerberos database while getting credentials
>>> for http/proxyserver.orangegroup.com_at_ORANGEGROUP.COM
>>> root_at_proxyserver:/home/owner# kvno HTTP/proxyserver.orangegroup.com
>>> kvno: Server not found in Kerberos database while getting credentials
>>> for HTTP/proxyserver.orangegroup.com_at_ORANGEGROUP.COM
>>>
>>>> When you purge tickets (with kerbtray) , start wireshark with a filter
>>>> on
>>>> port 88 and access a webpage via the proxy do you see any errors in
>>>> wireshark ? Can you send me the capture ?
>>>
>>> I will email you the port 88 capture in a sec.
>>>
>>> Thanks for your help.
>>>
>>>> Markus
>>>>
>>>>
>>>> "Go Wow" <gowows_at_gmail.com> wrote in message
>>>> news:BANLkTinSki+D9qe6nxRfgLXJJkaD2GNoEw_at_mail.gmail.com...
>>>> I tried with msktutil version 0.4 but same thing is happening.
>>>>
>>>> I followed your guide, firstly with samba/winbind, I created the
>>>> keytab and configure negotiate parameters in squid.conf but when I
>>>> open browser pointing to squid3 as proxy server (with fqdn not IP) it
>>>> prompts for username/password. This system is Windows 7 64 Bit.
>>>>
>>>> Then I tried msktutil. The command I used is same as I mentioned below.
>>>>
>>>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>>>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>>>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>>>> ad01.orangegroup.com --verbose
>>>>
>>>> The output of the command gives me one error saying but creates the
>>>> keytab
>>>> file
>>>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
>>>> (Client not found in Kerberos database)
>>>>
>>>> I have kerbtray installed on client system and I can see my domains
>>>> krtgt/domain.com listed. As a matter of fact I'm using sharepoint
>>>> server which uses the same method to authenticate and im able to login
>>>> to it without entering username/password. I tried with purging tickets
>>>> but no change.
>>>>
>>>> Regards
>>>>
>>>>
>>>> On 30 April 2011 16:17, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>>>>>
>>>>> Hi Go,
>>>>>
>>>>> Can you describe in detail what you did ( e.g. exact msktutil command).
>>>>> BTW
>>>>> I updated yesterday the wiki pointing to a newer msktutil (version 0.4)
>>>>> which you should try in the case you use an older version.
>>>>>
>>>>> It looks to me that your client is not able to get the Kerberos ticket
>>>>> from
>>>>> AD why the client falls back to NTLM and the negotiate wrapper deals
>>>>> now
>>>>> with these case.
>>>>>
>>>>> To find out why the client does not get the ticket you can run
>>>>> wireshark
>>>>> and look for traffic on port 88.
>>>>>
>>>>> Markus
>>>>>
>>>>>
>>>>> "Go Wow" <gowows_at_gmail.com> wrote in message
>>>>> news:BANLkTinqnrMS5t2tq7FRN+-NOeZsMy5GOQ_at_mail.gmail.com...
>>>>> When I run msktutil I get this line in the output.
>>>>>
>>>>> krb5_get_init_creds_keytab failed (Client not found in Kerberos
>>>>> database)
>>>>>
>>>>> I did kinit before issuing msktutil and it ran successfully. I can see
>>>>> tickets when I issue klist.
>>>>>
>>>>>
>>>>>
>>>>> On 30 April 2011 10:43, Go Wow <gowows_at_gmail.com> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm trying to configure Kerberos Authentication for squid. I'm
>>>>>> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
>>>>>> kerberos authentication guide on squid-cache and many other guides, I
>>>>>> always end up with these logs in my cache.log. My client browser keeps
>>>>>> prompting for username/password. Even a valid set of credentials are
>>>>>> not accepted.
>>>>>>
>>>>>> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM
>>>>>> token
>>>>>> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error
>>>>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>>>>> token'
>>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
>>>>>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>>>>>> (length: 59).
>>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
>>>>>> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
>>>>>> length: 40).
>>>>>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM
>>>>>> token
>>>>>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
>>>>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>>>>> token'
>>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
>>>>>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>>>>>> (length: 59).
>>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
>>>>>> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
>>>>>> length: 40).
>>>>>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM
>>>>>> token
>>>>>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
>>>>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>>>>> token'
>>>>>>
>>>>>>
>>>>>> I want to check and make sure my keytab entries are good. How do I do
>>>>>> that? My client System can list the tickets for client principal.
>>>>>>
>>>>>> Please have a look at my krb5.conf & keytab file here
>>>>>> http://pastebin.com/vTBr3r5D
>>>>>>
>>>>>> I'm using this command to create the keytab file.
>>>>>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>>>>>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>>>>>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>>>>>> ad01.orangegroup.com --verbose
>>>>>>
>>>>>> All the domains are resolving properly to IPs.
>>>>>>
>>>>>> Thanks for your help.
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>
>
>
Received on Mon May 02 2011 - 14:48:18 MDT
This archive was generated by hypermail 2.2.0 : Tue May 03 2011 - 12:00:02 MDT