Re: [squid-users] Re: Re: Squid 3.2 kerberos authentication

From: Ludovit Koren <ludovit.koren_at_gmail.com>
Date: Mon, 04 Feb 2013 21:37:39 +0100 (CET)

>>>>> On Sun, 3 Feb 2013 13:18:04 -0000
>>>>> huaraz_at_moeller.plus.com("Markus Moeller") said:
>
>
> "Ludovit Koren" <ludovit.koren_at_gmail.com> wrote in message
> news:20130201.141430.1568838938187755043.koren_at_tempest.sk...
> >
> >>>>>> On Wed, 30 Jan 2013 23:16:46 -0000
> >>>>>> huaraz_at_moeller.plus.com("Markus Moeller") said:
> >>
> >> Hi Ludovit,
> >>
> >> As background information, the Negotiate protocol is a protocol which
> >> can handle Kerberos and NTLM tokens, and the client decides based on
> >> its configuration (and Active Directory) if Kerberos or NTLM will be
> >> used. Usually if Kerberos is not correctly set up the client will use
> >> NTLM. What you are seeing is that the client uses NTLM and
> >> squid/samba/ntlm_auth seems to not allow it. Is your NTLM setup
> >> working?
> >>
> >
> > It used to, but 10 days ago I got the following error in the log and
> > it stopped working:
> >
>
> It being Kerberos authentication?

No. It was NTLM authentication.

>
> > 2013/01/22 11:04:20| authenticateNTLMHandleReply: Error validating
> > user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
> > Login for user [<domain>]\[<loginname>]@[<machinename>] failed due
> > to [Access denied]
> > NTLMSSP BH: NT_STATUS_ACCESS_DENIED
> >
>
> One reason could be that when using Kerberos and NTLM with samba on
> the same AD account the samba daemon changes the account password and
> the Kerberos keytab get out of sync with the AD account. If you use
> NTLM with samba and Kerberos do not use the same AD account.
>
> > I must change it to LDAP authentication.
> >
> > Afterwards, I started configuring kerberos authentication. (Do you
> > know about some security patches from MS that could change the behavior?)
> >
> Not that I am aware of.
>
> >> To check why the client uses NTLM look at a Network trace on port
> >> 88. You should see a Kerberos AS request/AS reply followed by a TGS
> >> request/TGS reply. Have a look at the TGS reply details. I assume in
> >> your case it contains an error message.
> >>
> >
> > Could you, please, specify the MS client configuration. (I have a hard
> > time with windows people to get it working...)
> >
>
> The MS client has no specific configuration; it is all handled by AD.
>
> >
> > lk
> >
> >> Markus
> >>
> >> "Ludovit Koren" <ludovit.koren_at_gmail.com> wrote in message
> >> news:20130129.134941.1568838937885763075.koren_at_tempest.sk...
> >> >
> >> > Hi,
> >> >
> >> > I am using FreeBSD 8.1, samba 3.6.9 and squid 3.2.6.
> >> >
> >> > The /etc/krb5.conf file:
> >> >
> >> > [logging]
> >> > default = FILE:/var/log/krb.log
> >> > kdc = FILE:/var/log/krb.log
> >> > admin_server = FILE:/var/log/krb.log
> >> > default_keytab_name = /usr/local/etc/squid/HTTP.keytab
> >> >
> >> > [libdefaults]
> >> > default_realm = MDPT.LOCAL
> >> > dns_lookup_realm = no
> >> > dns_lookup_kdc = no
> >> > ticket_lifetime = 24h
> >> > forwardable = yes
> >> > default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
> >> > des-cbc-md5
> >> > default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
> >> > des-cbc-md5
> >> > permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
> >> > des-cbc-md5
> >> >
> >> > [realms]
> >> > EXAMPLE.LOCAL = {
> >> > kdc = ads01.example.local:88
> >> > admin_server = ads01.example.local:464
> >> > default_domain = EXAMPLE.LOCAL
> >> > }
> >> >
> >> > [domain_realm]
> >> > .domain.local = EXAMPLE.LOCAL
> >> > domain.local = EXAMPLE.LOCAL
> >> >
> >> > [appdefaults]
> >> > pam = {
> >> > ticket_lifetime = 1d
> >> > renew_lifetime = 1d
> >> > forwardable = true
> >> > proxiable = false
> >> > retain_after_close = false
> >> > minimum_uid = 1
> >> > }
> >> >
> >> >
> >> >
> >> > # klist
> >> > Credentials cache: FILE:/tmp/krb5cc_0
> >> > Principal: xkoren_at_EXAMPLE.LOCAL
> >> >
> >> > Issued Expires Principal
> >> > Jan 29 13:26:54 Jan 29 23:26:54 HTTP/squid2_at_EXAMPLE.LOCAL
> >> >
> >> >
> >> > and I get the following error:
> >> >
> >> > 2013/01/29 13:36:30 kid1| Starting new negotiateauthenticator helpers...
> >> > 2013/01/29 13:36:30 kid1| helperOpenServers: Starting 1/32
> >> > negotiate_wrapper_auth' processes
> >> > 2013/01/29 13:36:30 kid1| WARNING: no_suid: setuid(0): (1) Operation
> >> > not permitted
> >> > 2013/01/29 13:36:30| negotiate_wrapper: Starting version 1.0.1
> >> > 2013/01/29 13:36:30| negotiate_wrapper: NTLM command:
> >> > /usr/local/bin/ntlm_auth --diagnostics
> >> > --helper-protocol=squid-2.5-ntlmssp
> >> > 2013/01/29 13:36:30| negotiate_wrapper: Kerberos command:
> >> > /usr/local/libexec/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
> >> > 2013/01/29 13:36:30| negotiate_wrapper: Got 'YR
> >> > TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid
> >> > (length: 59).
> >> > 2013/01/29 13:36:30| negotiate_wrapper: Decode
> >> > TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded
> >> > length: 40).
> >> > 2013/01/29 13:36:30| negotiate_wrapper: received type 1 NTLM token
> >> > negotiate_kerberos_auth.cc(271): pid=93059 :2013/01/29 13:36:30|
> >> > negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
> >> > 2013/01/29 13:36:30| negotiate_wrapper: Return 'TT
> >> > TlRMTVNTUAACAAAACAAIADgAAAAVgoniY4vxELxfaaEAAAAAAAAAAG4AbgBAAAAABgEAAAAAAA9NAEQAUABUAAIACABNAEQAUABUAAEADABTAFEAVQBJAEQAMgAEABwAdABlAGwAZQBjAG8AbQAuAGcAbwB2AC4AcwBrAAMAKgBzAHEAdQBpAGQAMgAuAHQAZQBsAGUAYwBvAG0ALgBnAG8AdgAuAHMAawAAAAAA
> >> > '
> >> > 2013/01/29 13:36:30| negotiate_wrapper: Got 'KK
> >> > 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'
> >> > from squid (length: 571).
> >> > 2013/01/29 13:36:30| negotiate_wrapper: Decode
> >> > 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'
> >> > (decoded length: 426).
> >> > 2013/01/29 13:36:30| negotiate_wrapper: received type 3 NTLM token
> >> > 2013/01/29 13:36:30| negotiate_wrapper: Return 'NA =
> >> > NT_STATUS_UNSUCCESSFUL
> >> >
> >> > I tried Google, but I cannot resolve the problem. Could you please be
> >> > so kind as to point me in the right direction?
> >> >
> >> > Thank you very much in advance.
> >> >
> >> > regards,
> >> >
> >> > lk
> >> >
> >>
> >>
> >
>
>
Received on Mon Feb 04 2013 - 20:37:53 MST
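As an added example (not code from this thread, from Squid or from negotiate_wrapper), here is a small Python classifier that does what the wrapper's "received type 1 NTLM token" line reports: it takes the `YR`/`KK` helper request line, decodes the token and tells raw NTLMSSP from a GSS-API SPNEGO or Kerberos token, and for an NTLM type 1 message it extracts the negotiate flags and the OS version the Windows client advertises, which helps identify which clients are falling back to NTLM. The type 1 token is the one from the log above; the SPNEGO token is a constructed, truncated NegTokenInit, and all helper names are this example's own.

```python
import base64
import struct

# Squid hands a negotiate helper lines such as "YR <base64>" (new context)
# or "KK <base64>" (continuation); the wrapper routes by the token bytes.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("2b06010505 02".replace(" ", ""))  # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f71201 0202".replace(" ", ""))  # 1.2.840.113554.1.2.2
NTLMSSP_NEGOTIATE_VERSION = 0x02000000  # type 1 carries an 8-byte version field

# Constructed sample: GSS-API InitialContextToken wrapping an empty NegTokenInit.
SAMPLE_SPNEGO = b"\x60\x0c\x06\x06" + OID_SPNEGO + b"\xa0\x02\x30\x00"
# Type 1 NTLMSSP token as logged by negotiate_wrapper in the thread above.
SAMPLE_NTLM_TYPE1_LINE = "YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="


def _der_length(buf, pos):
    """Return (length, next_pos) for the DER length field at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_token(token):
    """Classify a decoded Negotiate token; returns a dict with 'mech' and details."""
    if token.startswith(NTLMSSP_SIGNATURE):
        msg_type = struct.unpack_from("<I", token, 8)[0]
        info = {"mech": "NTLM", "type": msg_type}
        if msg_type == 1 and len(token) >= 40:
            flags = struct.unpack_from("<I", token, 12)[0]
            info["flags"] = flags
            if flags & NTLMSSP_NEGOTIATE_VERSION:
                # Version field: major, minor, build (offset 32, after the
                # domain and workstation fields of the NEGOTIATE message).
                info["client_version"] = struct.unpack_from("<BBH", token, 32)
        return info
    if token and token[0] == 0x60:  # GSS-API InitialContextToken (APPLICATION 0)
        _, pos = _der_length(token, 1)
        if pos < len(token) and token[pos] == 0x06:  # mechanism OID
            oid_len, pos = _der_length(token, pos + 1)
            oid = token[pos:pos + oid_len]
            if oid == OID_SPNEGO:
                return {"mech": "SPNEGO"}
            if oid == OID_KRB5:
                return {"mech": "Kerberos"}
    return {"mech": "unknown"}


def classify_helper_line(line):
    """Parse a 'YR <b64>' / 'KK <b64>' squid helper request line."""
    cmd, _, b64 = line.strip().partition(" ")
    if cmd not in ("YR", "KK"):
        raise ValueError("unexpected helper command: %r" % cmd)
    return classify_token(base64.b64decode(b64))
```

Run against the logged token, the result reports an NTLM type 1 message from a client advertising Windows 6.1 build 7601, i.e. the client never presented a Kerberos ticket to the proxy.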
