Re: [squid-users] Re: Re: Re: Help me configure Kerberos Authentication

From: Go Wow <gowows_at_gmail.com>
Date: Mon, 2 May 2011 09:20:50 +0400

I will check that and inform you. But how did you troubleshoot that
the entry is missing from AD?

On 1 May 2011 14:51, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
> It looks like you do not have an entry in AD.  Can you search AD for entries
> with serviceprincipalname = HTTP/proxyserver.orangegroup.com ?
>
> Markus
>
>
> "Go Wow" <gowows_at_gmail.com> wrote in message
> news:BANLkTinUivd8YFNnX+Gp6aZxd0RhzTKjTQ_at_mail.gmail.com...
> On 1 May 2011 00:00, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>>
>> Hi Go,
>>
>> For Windows 2008 the wiki says "use --enctypes 28". Did you use it ?
>
> Yes I used --enctypes 28
>
>>
>> what does klist -e show and what does
>> kinit <user>
>> kvno HTTP/proxyserver.orangegroup.com
>>
>> show (<user> being your userid ) ?
>
> Here is the complete output
>
> root_at_proxyserver:/home/owner# whoami
> root
> root_at_proxyserver:/home/owner# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> root_at_proxyserver:/home/owner# klist -e
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> root_at_proxyserver:/home/owner# kinit Administrator
> Password for Administrator_at_ORANGEGROUP.COM:
> root_at_proxyserver:/home/owner# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator_at_ORANGEGROUP.COM
>
> Valid starting     Expires            Service principal
> 05/01/11 09:36:33  05/01/11 19:36:38  krbtgt/ORANGEGROUP.COM_at_ORANGEGROUP.COM
>       renew until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with
> HMAC/md5,ArcFour with HMAC/md5
> root_at_proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com
> kvno: Server not found in Kerberos database while getting credentials
> for http/proxyserver.orangegroup.com_at_ORANGEGROUP.COM
> root_at_proxyserver:/home/owner# kvno HTTP/proxyserver.orangegroup.com
> kvno: Server not found in Kerberos database while getting credentials
> for HTTP/proxyserver.orangegroup.com_at_ORANGEGROUP.COM
>
>> When you purge tickets (with kerbtray) , start wireshark with a filter on
>> port 88 and access a webpage via the proxy do you see any errors in
>> wireshark ? Can you send me the capture ?
>
> I will email you the port 88 capture in a sec.
>
> Thanks for your help.
>
>> Markus
>>
>>
>> "Go Wow" <gowows_at_gmail.com> wrote in message
>> news:BANLkTinSki+D9qe6nxRfgLXJJkaD2GNoEw_at_mail.gmail.com...
>> I tried with msktutil version 0.4 but same thing is happening.
>>
>> I followed your guide, firstly with samba/winbind, I created the
>> keytab and configure negotiate parameters in squid.conf but when I
>> open browser pointing to squid3 as proxy server (with fqdn not IP) it
>> prompts for username/password. This system is Windows 7 64 Bit.
>>
>> Then I tried msktutil. The command I used is same as I mentioned below.
>>
>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>> ad01.orangegroup.com --verbose
>>
>> The output of the command gives me one error, but it still creates the keytab
>> file:
>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
>> (Client not found in Kerberos database)
>>
>> I have kerbtray installed on the client system and I can see my domain's
>> krbtgt/domain.com listed. As a matter of fact I'm using a SharePoint
>> server which uses the same method to authenticate and I'm able to log in
>> to it without entering username/password. I tried purging tickets
>> but no change.
>>
>> Regards
>>
>>
>> On 30 April 2011 16:17, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>>>
>>> Hi Go,
>>>
>>> Can you describe in detail what you did (e.g. the exact msktutil command)?
>>> BTW, I updated the wiki yesterday to point to a newer msktutil (version 0.4),
>>> which you should try in case you are using an older version.
>>>
>>> It looks to me that your client is not able to get the Kerberos ticket
>>> from AD, which is why the client falls back to NTLM and the negotiate
>>> wrapper now has to deal with that case.
>>>
>>> To find out why the client does not get the ticket you can run wireshark
>>> and look for traffic on port 88.
>>>
>>> Markus
>>>
>>>
>>> "Go Wow" <gowows_at_gmail.com> wrote in message
>>> news:BANLkTinqnrMS5t2tq7FRN+-NOeZsMy5GOQ_at_mail.gmail.com...
>>> When I run msktutil I get this line in the output.
>>>
>>> krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>>>
>>> I did kinit before issuing msktutil and it ran successfully. I can see
>>> tickets when I issue klist.
>>>
>>>
>>>
>>> On 30 April 2011 10:43, Go Wow <gowows_at_gmail.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I'm trying to configure Kerberos Authentication for squid. I'm
>>>> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
>>>> kerberos authentication guide on squid-cache and many other guides, I
>>>> always end up with these logs in my cache.log. My client browser keeps
>>>> prompting for username/password. Even a valid set of credentials are
>>>> not accepted.
>>>>
>>>> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM
>>>> token
>>>> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error
>>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>>> token'
>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
>>>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>>>> (length: 59).
>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
>>>> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
>>>> length: 40).
>>>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM
>>>> token
>>>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
>>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>>> token'
>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
>>>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>>>> (length: 59).
>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
>>>> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
>>>> length: 40).
>>>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM
>>>> token
>>>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
>>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>>> token'
>>>>
>>>>
>>>> I want to check and make sure my keytab entries are good. How do I do
>>>> that? My client System can list the tickets for client principal.
>>>>
>>>> Please have a look at my krb5.conf & keytab file here
>>>> http://pastebin.com/vTBr3r5D
>>>>
>>>> I'm using this command to create the keytab file.
>>>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>>>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>>>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>>>> ad01.orangegroup.com --verbose
>>>>
>>>> All the domains are resolving properly to IPs.
>>>>
>>>> Thanks for your help.
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
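The cache.log lines in the original question show squid_kerb_auth receiving a base64 blob that it rejects as an NTLM type 1 token, which is the symptom Markus reads as "the browser never got a Kerberos ticket". The following decoder is an added example, not code from the thread or from Squid; it takes the token exactly as logged and tells you whether it is NTLMSSP (fallback, so the problem is the SPN/keytab on the AD side) or a GSS-API/SPNEGO token (Kerberos reached the proxy), and for a type 1 NTLM message reports the negotiate flags and the client OS version that Windows embeds in it. The SPNEGO sample at the end is constructed for the test.

```python
import base64
import struct

# Token copied verbatim from the squid_kerb_auth DEBUG line in the thread
# ("Got 'YR <token>' from squid"); "YR" is squid's prefix, not part of the blob.
SAMPLE_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_VERSION = 0x02000000   # flag: 8-byte Version field present
GSSAPI_APP0_TAG = b"\x60"                 # [APPLICATION 0] InitialContextToken
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"            # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"  # 1.2.840.113554.1.2.2


def classify_negotiate_token(b64_token):
    """Decode the blob squid hands to the helper and say what protocol it is."""
    raw = base64.b64decode(b64_token)
    info = {"length": len(raw)}
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 16:
        # NTLMSSP header: Signature(8) | MessageType(4, LE) | NegotiateFlags(4, LE)
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        info.update(kind="NTLM", message_type=msg_type, flags=flags)
        # A type 1 (NEGOTIATE) message with the VERSION flag carries
        # ProductMajor(1) | ProductMinor(1) | ProductBuild(2, LE) at offset 32.
        if msg_type == 1 and flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info["client_os"] = "%d.%d build %d" % (major, minor, build)
        return info
    if raw[:1] == GSSAPI_APP0_TAG:
        # A GSS-API token; the mechanism OID follows the outer length byte(s).
        if SPNEGO_OID in raw[:16]:
            info["kind"] = "SPNEGO"
        elif KRB5_OID in raw[:20]:
            info["kind"] = "Kerberos"
        else:
            info["kind"] = "GSSAPI"
        info["offers_krb5"] = KRB5_OID in raw
        return info
    info["kind"] = "unknown"
    return info


def diagnose(b64_token):
    """One-line reading of the token, in the terms used in this thread."""
    info = classify_negotiate_token(b64_token)
    if info["kind"] == "NTLM":
        return ("NTLM type %d: browser fell back to NTLM, so it got no service "
                "ticket; check the HTTP/ SPN in AD and kvno" % info["message_type"])
    return "%s token: Kerberos reached the proxy, check the keytab next" % info["kind"]


# Constructed minimal SPNEGO NegTokenInit header for comparison (not from the thread).
SAMPLE_SPNEGO = base64.b64encode(GSSAPI_APP0_TAG + b"\x0a" + SPNEGO_OID + b"\xa0\x00").decode()
```

The sample token decodes to a 40-byte NTLMSSP NEGOTIATE message from a 6.1 (Windows 7 / 2008 R2) client, which matches the poster's "Windows 7 64 Bit" and confirms that no Kerberos exchange happened before the proxy was contacted.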
Received on Mon May 02 2011 - 05:21:00 MDT
