[squid-users] Re: Problems setting up Kerberos authentication

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 4 Mar 2010 21:49:30 -0000

Some more comments below:

"Fabian Hugelshofer" <fh_at_open.ch> wrote in message
news:4B8FDB2E.5000407_at_open.ch...
> Markus Moeller wrote:
>> Continuation needed means that the GSSAPI exchange has not finished and
>> the server needs more data from the client. Can you see in wireshark if
>> the token length is the one squid_kerb_auth says it is
>> > squid_kerb_auth: Got 'YRYI...' from squid (length: 3607)
>
> I could confirm that the data that the client sends in the HTTP request is
> the same that is received by squid_kerb_auth. "YR " is added by squid (the
> space in the log of my last post got lost).
>
> Further, I discovered that authentication is working for users from
> certain domains, but not for those at whose location the proxy is standing
> at. I describe the AD domain setup in more details:
>
> The computer account that is associated with the service principal in the
> keytab file is from domain A.EXAMPLE.COM. Users, for who access is not
> working, are from domain B1.B.EXAMPLE.COM. Access is working for users
> from C.EXAMPLE.COM and a few others. The users from these "other" domains
> have been tested by starting IE as a user from that domain on a computer
> in domain C.EXAMPLE.COM. I forgot to mention that all the clients are
> Windows XP with IE7.
>

Can you download kerbtray from microsoft and list the tickets you have on XP
on a working and failing machine. Can you alos capture with wireshark the
traffic on port 88 ?

> The FQDN of the proxy is not in the Windows domain hierarchy. It is
> proxy.d1.d.example.com.
>
> I compiled squid_kerb_auth_test from Squid 3.1. On the proxy:
>
> ## With a user from non-working domain B1.B.EXAMPLE.COM
> # kinit user1_at_B1.B.EXAMPLE.COM
> user1_at_B1.B.EXAMPLE.COM's Password:
> # squid_kerb_auth_test proxy.d1.d.example.com
> 2010/03/04 15:26:51| squid_kerb_auth_test: gss_init_sec_context() failed:
> An unsupported mechanism was requested. unknown mech-code 0 for mech
> unknown
> Token: NULL
> # kinit -S HTTP/proxy.d1.d.example.com_at_A.EXAMPLE.COM
> user1_at_B1.B.EXAMPLE.COM's Password:
> kinit: krb5_get_init_creds: Server
> (HTTP/proxy.d1.d.example.com_at_B1.B.EXAMPLE.COM) unknown
>

This is correct it should not work as there is no
HTTP/proxy.d1.d.example.com_at_B1.B.EXAMPLE.COM principal. You need to use
another call to get a TGT for HTTP/proxy.d1.d.example.com like:

kinit user1_at_B1.B.EXAMPLE.COM
kgetcred HTTP/proxy.d1.d.example.com_at_A.EXAMPLE.COM
klist

> ## With a user from the domain of the proxy (A.EXAMPLE.COM)
> # kinit user2_at_A.EXAMPLE.COM
> user2_at_A.EXAMPLE.COM's Password:
> # squid_kerb_auth_test proxy.d1.d.example.com
> Token: YIIF...
> # kinit -S HTTP/proxy.d1.d.example.com_at_A.EXAMPLE.COM
> user2_at_A.EXAMPLE.COM's Password:
>
> Tomorrow I will try with a user from another domain that is working and
> that is outside A.EXAMPLE.COM. The content of my krb5.conf is:
>
> [libdefaults]
> default_realm = A.EXAMPLE.COM
>
> [realms]
> A.EXAMPLE.COM = {
> kdc = 10.0.0.1
> kdc = 10.0.0.2
> }
> B1.b.EXAMPLE.COM = {
> kdc = 10.1.0.1
> kdc = 10.1.0.2
> }

>
> [domain_realm]
> .example.com = A.EXAMPLE.COM
> example.com = A.EXAMPLE.COM
> .d1.d.example.com = A.EXAMPLE.COM
> d1.d.example.com = A.EXAMPLE.COM
>
>
>
> Fabian
>
Received on Fri Mar 05 2010 - 01:45:36 MST

This archive was generated by hypermail 2.2.0 : Mon Mar 08 2010 - 12:00:03 MST