Hi Go,
There is no need to use delegation and you must not enable delegation as
it creates a risk that your squid system can create tickets for other users
(e.g. impersonate another user).
Negotiate handles both Kerberos and NTLM authentication. If Kerberos is
setup correctly it is the preferred option for the client, but if Kerberos
fails for some reason the client will fall back to NTLM and replies to an
Negotiate authentication request with a NTLM token. To deal with this
situation I created the negotiate wrapper which sends Kerberos tokens to the
kerberos authentication handler and NTLM token to the NTLM authentication
handler. Unfortunately there are applications like IM clients which use
proxies, but only support NTLM (not Negotiate). To cater for this case squid
has to offer NTLM too. So you need:
negotiate_wrapper with negotiate_kerberos_auth and ntlm_auth for Negotiate
Kerberos/NTLM
and
ntlm_auth for pure NTLM
Squid trunk (3.2) has still a problem with the negotiate_wrapper and NTLM. I
haven't found the reason yet.
Markus
"Go Wow" <gowows_at_gmail.com> wrote in message
news:BANLkTi=iKAhHuL8tuoght4Qn08cKcdzyLA_at_mail.gmail.com...
I changed my approach a lil bit and swicthed to centos from ubuntu hehe.
I installed centos and configured kerberos/squid as mentioned in
squid-cache kerberos guide, I used msktutil to create the keytab file.
On the windows server I checked the machine, it was listed as a
workstation I went on to properties and selected delegation tab and
tried to allow delagation of kerberos but it didnt work. So I right
clicked on the computer name and clicked on properties >> security and
given full permission to Administrator and then gave full permission
to same computer name.
Now im able to authenticate users and use squid to browse.
I will be monitoring squid for next couple of days and see if it gives
that log entries of libntlmssp.
How safe is it to use negotiate_wrapper in production? What is the
difference between using negogiate_wrapper and a 2nd auth param
statement for ntlm in squid.conf
Regards
On 2 May 2011 09:20, Go Wow <gowows_at_gmail.com> wrote:
> I will check that and inform you. But how did you troubleshoot that
> the entry is missing from AD?
>
> On 1 May 2011 14:51, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>> It looks like you do not have an entry in AD. Can you search AD for
>> entries
>> with serviceprincipalname = HTTP/proxyserver.orangegroup.com ?
>>
>> Markus
>>
>>
>> "Go Wow" <gowows_at_gmail.com> wrote in message
>> news:BANLkTinUivd8YFNnX+Gp6aZxd0RhzTKjTQ_at_mail.gmail.com...
>> On 1 May 2011 00:00, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>>>
>>> Hi Go,
>>>
>>> For Windows 2008 the wiki says "use --enctypes 28". Did you use it ?
>>
>> Yes I used --enctypes 28
>>
>>>
>>> what does klist -e show and what does
>>> kinit <user>
>>> kvno HTTP/proxyserver.orangegroup.com
>>>
>>> show (<user> being your userid ) ?
>>
>> Here is the complete output
>>
>> root_at_proxyserver:/home/owner# whoami
>> root
>> root_at_proxyserver:/home/owner# klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>> root_at_proxyserver:/home/owner# klist -e
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>> root_at_proxyserver:/home/owner# kinit Administrator
>> Password for Administrator_at_ORANGEGROUP.COM:
>> root_at_proxyserver:/home/owner# klist -e
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: Administrator_at_ORANGEGROUP.COM
>>
>> Valid starting Expires Service principal
>> 05/01/11 09:36:33 05/01/11 19:36:38
>> krbtgt/ORANGEGROUP.COM_at_ORANGEGROUP.COM
>> renew until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with
>> HMAC/md5,ArcFour with HMAC/md5
>> root_at_proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com
>> kvno: Server not found in Kerberos database while getting credentials
>> for http/proxyserver.orangegroup.com_at_ORANGEGROUP.COM
>> root_at_proxyserver:/home/owner# kvno HTTP/proxyserver.orangegroup.com
>> kvno: Server not found in Kerberos database while getting credentials
>> for HTTP/proxyserver.orangegroup.com_at_ORANGEGROUP.COM
>>
>>> When you purge tickets (with kerbtray) , start wireshark with a filter
>>> on
>>> port 88 and access a webpage via the proxy do you see any errors in
>>> wireshark ? Can you send me the capture ?
>>
>> I will email you the port 88 capture in a sec.
>>
>> Thanks for your help.
>>
>>> Markus
>>>
>>>
>>> "Go Wow" <gowows_at_gmail.com> wrote in message
>>> news:BANLkTinSki+D9qe6nxRfgLXJJkaD2GNoEw_at_mail.gmail.com...
>>> I tried with msktutil version 0.4 but same thing is happening.
>>>
>>> I followed your guide, firstly with samba/winbind, I created the
>>> keytab and configure negotiate parameters in squid.conf but when I
>>> open browser pointing to squid3 as proxy server (with fqdn not IP) it
>>> prompts for username/password. This system is Windows 7 64 Bit.
>>>
>>> Then I tried msktutil. The command I used is same as I mentioned below.
>>>
>>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>>> ad01.orangegroup.com --verbose
>>>
>>> The output of the command gives me one error saying but creates the
>>> keytab
>>> file
>>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
>>> (Client not found in Kerberos database)
>>>
>>> I have kerbtray installed on client system and I can see my domains
>>> krtgt/domain.com listed. As a matter of fact I'm using sharepoint
>>> server which uses the same method to authenticate and im able to login
>>> to it without entering username/password. I tried with purging tickets
>>> but no change.
>>>
>>> Regards
>>>
>>>
>>> On 30 April 2011 16:17, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>>>>
>>>> Hi Go,
>>>>
>>>> Can you describe in detail what you did ( e.g. exact msktutil command).
>>>> BTW
>>>> I updated yesterday the wiki pointing to a newer msktutil (version 0.4)
>>>> which you should try in the case you use an older version.
>>>>
>>>> It looks to me that your client is not able to get the Kerberos ticket
>>>> from
>>>> AD why the client falls back to NTLM and the negotiate wrapper deals
>>>> now
>>>> with these case.
>>>>
>>>> To find out why the client does not get the ticket you can run
>>>> wireshark
>>>> and look for traffic on port 88.
>>>>
>>>> Markus
>>>>
>>>>
>>>> "Go Wow" <gowows_at_gmail.com> wrote in message
>>>> news:BANLkTinqnrMS5t2tq7FRN+-NOeZsMy5GOQ_at_mail.gmail.com...
>>>> When I run msktutil I get this line in the output.
>>>>
>>>> krb5_get_init_creds_keytab failed (Client not found in Kerberos
>>>> database)
>>>>
>>>> I did kinit before issuing msktutil and it ran successfully. I can see
>>>> tickets when I issue klist.
>>>>
>>>>
>>>>
>>>> On 30 April 2011 10:43, Go Wow <gowows_at_gmail.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I'm trying to configure Kerberos Authentication for squid. I'm
>>>>> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
>>>>> kerberos authentication guide on squid-cache and many other guides, I
>>>>> always end up with these logs in my cache.log. My client browser keeps
>>>>> prompting for username/password. Even a valid set of credentials are
>>>>> not accepted.
>>>>>
>>>>> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM
>>>>> token
>>>>> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error
>>>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>>>> token'
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
>>>>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>>>>> (length: 59).
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
>>>>> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
>>>>> length: 40).
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM
>>>>> token
>>>>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
>>>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>>>> token'
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
>>>>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>>>>> (length: 59).
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
>>>>> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
>>>>> length: 40).
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM
>>>>> token
>>>>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
>>>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>>>> token'
>>>>>
>>>>>
>>>>> I want to check and make sure my keytab entries are good. How do I do
>>>>> that? My client System can list the tickets for client principal.
>>>>>
>>>>> Please have a look at my krb5.conf & keytab file here
>>>>> http://pastebin.com/vTBr3r5D
>>>>>
>>>>> I'm using this command to create the keytab file.
>>>>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>>>>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>>>>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>>>>> ad01.orangegroup.com --verbose
>>>>>
>>>>> All the domains are resolving properly to IPs.
>>>>>
>>>>> Thanks for your help.
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
Received on Mon May 02 2011 - 13:57:26 MDT
This archive was generated by hypermail 2.2.0 : Mon May 02 2011 - 12:00:02 MDT