Can you add the option -d -i to squid_kerb_auth and squid_kerb_ldap to
create more debut output and send the cache.log extract
Regards
Markus
"GIGO ." <gigoz_at_msn.com> wrote in message
news:SNT134-w34626D5C8EC65F9D8495B1B9CB0_at_phx.gbl...
Hi Henrik/Markus/All
Every setting(keeping in view your recommendation) was correct i many a
times confirmed that.Even i tried re-creating the SPN but in vain. However i
just realized that most of the users were required to logoff and login to
get authenticated through squid. I wonder why a user even with a valid TGT
was require to do that as he should be able to get the TGS for every new
kerberized service???
Anyways of the few users i tried only one was able to access it without
re-login. Bottom line is that its working.
Now the authorization portion is not seems like behaving properly can you
please check the syntax for correctness before i probe further. I have
appended at the bottom my squid.conf portion relevant to this.
e.g. After the authorization few of the clients were showing this wheter in
the group or not:
--------------------------------------------------------------
Internet explorer cannot display the webpage
what you can try:
Diagnose connection problems
More Info
--------------------------------------------------------------
Further i think IE7(and latest) and FireFox 3.6.x above are supportive for
kerberos. Am i right? is there any special configuration required on the
client side(other than the proxy settings).??
#After allowing IP based clients and the access controls related to them.
http_access allow ipbc
# Part 2 Authentication/Authorization
auth_param negotiate program
/usr/libexec/squid/squid_kerb_auth/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
# basic auth ACL controls to make use of it are.(if and only if
squid_kerb_ldap(authorization) is not used)
#acl auth proxy_auth REQUIRED
#http_access deny !auth
#http_access allow auth
#Groups fom Mailserver Domain:
external_acl_type squid_kerb_ldap_ms_group1 ttl=3600 negative_ttl=3600
%LOGIN /usr/libexec/squid/squid_kerb_ldap -g
INETGRLHR1_at_MAILSERVER.V.LOCAL
external_acl_type squid_kerb_ldap_ms_group2 ttl=3600 negative_ttl=3600
%LOGIN /usr/libexec/squid/squid_kerb_ldap -g
INETGRLHR2_at_MAILSERVER.V.LOCAL
external_acl_type squid_kerb_ldap_ms_group3 ttl=3600 negative_ttl=3600
%LOGIN /usr/libexec/squid/squid_kerb_ldap -g
INETGRLHR3_at_MAILSERVER.V.LOCAL
acl ms_group1 external squid_kerb_ldap_ms_group1
acl ms_group2 external squid_kerb_ldap_ms_group2
acl ms_group3 external squid_kerb_ldap_ms_group3
http_access deny ms_group2 msnd
http_access deny ms_group3 msnd
http_access deny ms_group2 msn
http_access deny ms_group3 msn
http_access deny ms_group2 msn1
http_access deny ms_group3 msn1
http_access deny ms_group2 numeric_IPs
http_access deny ms_group3 numeric_IPs
http_access deny ms_group2 Skype_UA
http_access deny ms_group3 Skype_UA
http_access deny ms_group2 ym
http_access deny ms_group3 ym
http_access deny ms_group2 ymregex
http_access deny ms_group3 ymregex
###----Most Restricted settings Exclusive for Normal users......###
http_access deny ms_group3 Movies
http_access deny ms_group3 MP3s
http_access deny ms_group3 FTP
http_access deny ms_group3 MP3url
http_reply_access deny ms_group3 deny_rep_mime_flashvideo
http_access deny ms_group3 youtube_domains
http_access deny ms_group3 facebook_sites
http_access deny ms_group3 BIP
http_access deny ms_group3 downloads
http_access deny ms_group3 torrentSeeds
http_access deny ms_group3 dlSites
##----- Time based ACLs--------------------
http_access deny ms_group2 youtube_domains wh
http_access deny ms_group2 BIP wh
http_access deny ms_group2 facebook_sites wh
http_access allow ms_group1
http_access allow ms_group2
http_access allow ms_group3
http_access deny all
Squid version: squid 2.7 stable 9 on CENTOS 5.4 64 bit.
> To: squid-users_at_squid-cache.org
> From: huaraz_at_moeller.plus.com
> Date: Mon, 28 Jun 2010 23:56:51 +0100
> Subject: [squid-users] Re: squid_kerb_auth (parseNegTokenInit failed with
> rc=102)
>
> Make sure the squid servers hostname matches squidhr1.v.local. If not
> use -s
> HTTP/squidhr1.v.local as an option to squid_kerb_auth.
>
> Regards
> Markus
>
> "GIGO ." <gigoz_at_msn.com> wrote in message
> news:SNT134-w64257C53609757CD3CF006B9CA0_at_phx.gbl...
>
> Hi all,
>
> I am unable to do kerberos authentication in my live enviroment as appose
> to
> the test enviroment where it was successful. My environment is Active
> Direcory Single Forest Multidomain with each domain having multiple domain
> controllers.
>
> SPN was created through:
>
> msktutil -c -b "OU=UNIXOU" -s HTTP/squidlhr1.v.local -h
> squidlhr1.v.local -k
> /etc/squid/HTTP.keytab --computer-name squid-http --upn
> HTTP/squidlhr1.v.local --server ldc-ms-dc2.v.local --verbose
>
>
> Through ADSIEDIT & setspn tools SPN is confirmed in the Active Directory.
>
> My kerb5.conf Settings:
> [libdefaults]
> default_realm = MAILSERVER.V.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = false
> default_keytab_name = /etc/krb5.keytab
> ; for windows 2003 encryption type configuration.
> default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> [realms]
> V.LOCAL = {
> kdc = ldc-v-dc2.v.local
> admin_server = ldc-v-dc2.v.local
> }
> MAILSERVER.V.LOCAL = {
> kdc = ldc-ms-dc2.mailserver.v.local
> admin_server = ldc-ms-dc2.mailserver.v.local
> }
> # BT.V.LOCAL = {
> # kdc = dc.bt.v.local
> # admin_server = dc.bt.v.local
> #}
> [domain_realm]
> .linux.home = MAILSERVER.V.LOCAL
> .v.local = V.LOCAL
> v.local = V.LOCAL
> .mailserver.v.local = MAILSERVER.V.LOCAL
> mailserver.v.local = MAILSERVER.V.LOCAL
> #.bt.v.local= BT.V.LOCAL
> #bt.v.local = BT.V.LOCAL
> [logging]
> kdc = FILE:/var/log/kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/kdc.log
>
>
>
>
>
>
>
> I have tried this on multiple client computers but not seem to be
> working....
> Below are the files for your reference.
>
>
> Dump through wire shark :
> -------------------------
>
> Hypertext Transfer Protocol
> GET http://www.google.com/ HTTP/1.1\r\n
> Accept: */*\r\n
> Accept-Language: en-us\r\n
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
> Trident/4.0;
> .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
> 3.5.30729; InfoPath.2; AskTB5.5)\r\n
> Accept-Encoding: gzip, deflate\r\n
> Proxy-Connection: Keep-Alive\r\n
> [truncated] Cookie:
> PREF=ID=dfcab88fe782b2f3:U=8cc1a776c84c55e1:TM=1273578259:LM=1273579194:S=ec2wG6BXReYHZvWe;
> NID=36=iQ9ZARYGAQQvkpoAjK1OHFtg7BF7IE9hh-E__mxd9S8cV8EcNVq_M_9qMHZPatpJiifFPpdWYqJMmTtBxuCdoQMknggCTHJKkJkNigy5I6kewAQTepVnZ0Pb
> [truncated] Proxy-Authorization: Negotiate
> YIIFTwYGKwYBBQUCoIIFQzCCBT+gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBRUEggURYIIFDQYJKoZIhvcSAQICAQBuggT8MIIE+KADAgEFoQMCAQ6iBwMFACAAAACjggQVYYIEE
> TCCBA2gAwIBBaEXGxVNQUlMU0VSVkVSLk1DQi5D
> GSS-API Generic Security Service Application Program Interface
> OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
> SPNEGO
> negTokenInit
> mechTypes: 3 items
> MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
> MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
> MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security
> Support
> Provider)
> mechToken: 6082050D06092A864886F71201020201006E8204FC308204...
> krb5_blob: 6082050D06092A864886F71201020201006E8204FC308204...
> KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
> krb5_tok_id: KRB5_AP_REQ (0x0001)
> Kerberos AP-REQ
> Pvno: 5
> MSG Type: AP-REQ (14)
> Padding: 0
> APOptions: 20000000 (Mutual required)
> .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the
> session key to encrypt the ticket
> ..1. .... .... .... .... .... .... .... = Mutual required: MUTUAL
> authentication is REQUIRED
> Ticket
> Tkt-vno: 5
> Realm: MAILSERVER.V.LOCAL
> Server Name (Service and Instance): HTTP/squidlhr1.v.local
> Name-type: Service and Instance (2)
> Name: HTTP
> Name: squidlhr1.v.local
> enc-part rc4-hmac
> Encryption type: rc4-hmac (23)
> Kvno: 2
> enc-part: 60082AD63370B0B25657BB713A74B080C21E261079263809...
> Authenticator rc4-hmac
> Encryption type: rc4-hmac (23)
> Authenticator data: A7B9567AB0F52FD022CD130905ACD67DA268C8222AC6ED97...
> Host: www.google.com\r\n
> \r\n
>
> Hypertext Transfer Protocol
> HTTP/1.0 407 Proxy Authentication Required\r\n
> Server: squid\r\n
> Date: Fri, 25 Jun 2010 15:00:57 GMT\r\n
> Content-Type: text/html\r\n
> Content-Length: 1295\r\n
> Content length: 1295
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
> Proxy-Authenticate: Negotiate\r\n
> Proxy-Authenticate: Negotiate gss_acquire_cred()\r\n
> GSS-API Generic Security Service Application Program Interface
> [Malformed Packet: GSS-API]
> Expert Info (Error/Malformed): Malformed Packet (Exception occurred)
> Message: Malformed Packet (Exception occurred)
> Severity level: Error
> Group: Malformed
> X-Cache: MISS from squidlhr1\r\n
> X-Cache-Lookup: NONE from squidlhr1:8080\r\n
> Via: 1.0 squidlhr1main:8080 (squid)\r\n
> Connection: close\r\n
> \r\n
>
> squid_kerb_auth -d output:
> ---------------------------
>
> 2010/06/28 10:03:24| squid_kerb_auth: Got 'YR
> YIIFTgYGKwYBBQUCoIIFQjCCBT6gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBRQEggUQYIIFDAYJKoZIhvcSAQICAQBuggT7MIIE96ADAgEFoQMCAQ6iBwMFACAAAACjggQVYYIEETCCBA2gAwIBBaEXGxVNQUlMU0VSVkVSLk1DQi5DT00uUEuiMjAwoAMCAQKhKTAnGwRIVFRQGx9zcXVpZGxocjEubWFpbHNlcnZlci5tY2IuY29tLnBro4IDtzCCA7OgAwIBF6EDAgECooIDpQSCA6HbSpgWaybiErloUupurbZsJqE/Frw2OkXksREX3nh6Nx3kZyKSLkO0P0ey+SF8KSn/bHPagvN8fLo7tUMgIXY2Q6Ok1UJkryz7HO+vztztxDYvir3vkzyc67kaV2xug4cZEPlu7FJJYwVGvgmwl3b3UGMprG+TC59GN9M5AKFq97blDGfCoKv2tSO4TaeOC5hG6Qa/KJUMVOh4U8k/fb92XzcrkOWPZOpySLVDfgXHGEpaIrsnzZ4dFTL2hrfd5bswjAGXmWmcSF57LY7BW0sD2HoNyNDkge6GtprrCMtEmaiqZUrsP6PosH9lMDplZWDNlfsKJb2lFRJh1gO0g9Drin4tX/UTAQNY2meu5urFQfHh4goVVyav2rjmdFQPvo16hiwHtrLOElK7Sa/XhiL2Lon/TrDu/0OYvXmNUMWcHCmMPo2JlYBetEMRX4EWMBxwy15cILOFx1b0zFwC3OQ59rk2eZz4ZI0cECaSLK0OVAxHAELL+xIgCaOn72RoyX4Zph3sjjTKzaxMiHMkkoo3flWODARLT6xJZ/FzjOUcEWNPlJaQhbp4HRba9AwzdSyjUT1VGzNDdYQeNfQU6qnDQQdTG8rTkb9ojv4uP4rjK7sjUyQOtOZDkxbr0rFo/8ilaXwgTOJyhZHps8fpW/6s1UzDs2AwbhCGjQVj4a7dnzfbYvzttrx8MRGX0iLVUt2Ugv9GxcOY+
RT8U0PT7DvbeRkEdVQL6oy2E74CauMSxL/3ID3Bjh5B/YNB8bkOub5crSisnWQ+hB9DD4ABMTOubyAND06lDmeOewDkmwU3HYVAQhCcSpdbTGrGylXH5MBkEZPx9p0amGmPdqm5SVloE+qNFwsKiNkoUE8/24l8dGka2kYGP1e9/UaC5oMzTPRVVd2aHIDHcrv82eBZfRq6FL00jtZKKSIlZLEZ/m89p7Gfzafh3Ahh/7RZUOlx6zyXJYsRpa/Re/QouqoQ4igwxXWqtDLntncNKtPN/ksZmLYEF80DJZ7HfUR5s82ZRmfZgxojOnF7iGeX31dF6wSpbQX5G+TMIfZ9vHU123zJu1coJsQlJHjOurdFfm2Bb4v+aOL+U3U8XRH5ykKiAXagfopdWOOTV5BVnsMuO5fayZB2HIUGSEgdCY7PWxvUWy1Wv90j6jrvBdKDNzEQz8FAENlqVBCGYXa1nVQAoRmbgod8o2kyBRaXtbh+ut3lPFiwyafNUMSzIklpweBb4Bp6FKSByDCBxaADAgEXooG9BIG6QYc3eYt+8W+X0Zjiedx4J7FxcY+qZexmLowJf8JWFaXNS8vcDhCNnZU5oNYau2E8H78yzgPzPLJV3+ci/apcksEqrgbwPi9vmywxKyGhTW9CXXWIJmyftYSb5bIXnOHx0bfINJAqNFjoaaIQfwIJgUE4ZxWiUdfNNHcuYZoB3OdDg8LU8WheWZpyj64WCBUeaLz2JsVpefG3i3pDYgX6PpAaGRKwTqgDbrHDln8uLhSvwlHSheRSLmHQ'
> from squid (length: 1819).
> 2010/06/28 10:03:24| squid_kerb_auth: parseNegTokenInit failed with rc=102
> 2010/06/28 10:03:24| squid_kerb_auth: gss_acquire_cred() failed:
> Unspecified
> GSS failure. Minor code may provide more information. No principal in
> keytab
> matches desired name
>
> Please your help will be required
>
> regards,
>
> Bilal
>
>
>
> _________________________________________________________________
> Hotmail: Trusted email with powerful SPAM protection.
> https://signup.live.com/signup.aspx?id=60969
>
>
_________________________________________________________________
Hotmail: Trusted email with Microsoft’s powerful SPAM protection.
https://signup.live.com/signup.aspx?id=60969
Received on Tue Jun 29 2010 - 22:39:08 MDT
This archive was generated by hypermail 2.2.0 : Wed Jun 30 2010 - 12:00:03 MDT