Hi Ming,
This indicates that now your client got the ticket from AD, but it does
not match the entry in your keytab. Did you set the environment variable
KRB5_KTNAME correctly? Can you do a klist -ekt <squid.keytab> and compare
the entries with the wireshark information of the encoded HTTP Negotiate
request?
Does the name, encryption type and key version number (kvno) match?
Markus
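A small helper for the comparison Markus asks for (the klist -ekt entries against the name, encryption type and kvno seen in the Negotiate request), plus the check from the earlier mail that tells a raw NTLM token from a SPNEGO one. This is an added example, not code from the thread or from squid; the klist output and the observed principal/enctype/kvno values passed to check_keytab are constructed, and the keytab path is an assumption.

```python
import base64
import re
import struct

# Constructed sample of `klist -ekt /etc/squid/squid.keytab` output (not from the thread).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 07/28/11 09:12:01 HTTP/squid.sit27.borderware.com@SIT27.BORDERWARE.COM (arcfour-hmac)
   3 07/28/11 09:12:01 HTTP/squid.sit27.borderware.com@SIT27.BORDERWARE.COM (des-cbc-md5)
"""
# Tokens: the NTLM one is the value squid logged in the first mail; the SPNEGO one is
# just the first 16 base64 characters of the token in the latest log (the GSS header).
NTLM_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="
SPNEGO_PREFIX = "YIIEzQYGKwYBBQUC"
KLIST_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return the set of (principal, enctype, kvno) triples listed by klist -ekt."""
    entries = set()
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            entries.add((m.group(2), m.group(3), int(m.group(1))))
    return entries


def classify_token(b64):
    """Tell a raw NTLMSSP token (what squid rejected) from a SPNEGO one (Kerberos SSO)."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm-type%d" % struct.unpack_from("<I", raw, 8)[0]
    # SPNEGO: [APPLICATION 0] wrapper, then OID 1.3.6.1.5.5.2 right after the length bytes.
    if raw[:1] == b"\x60" and b"\x06\x06\x2b\x06\x01\x05\x05\x02" in raw[:16]:
        return "spnego"
    return "unknown"


def check_keytab(entries, principal, enctype, kvno):
    """Report which of name, enctype or kvno seen in the AP-REQ is absent from the keytab."""
    if (principal, enctype, kvno) in entries:
        return "ok"
    same_name = [e for e in entries if e[0] == principal]
    if not same_name:
        return "principal missing"
    if not any(e[1] == enctype for e in same_name):
        return "enctype missing"
    return "kvno mismatch (keytab has %s)" % sorted({e[2] for e in same_name})
```

Feed it the real `klist -ekt` output and the sname, realm, etype and kvno that wireshark shows in the AP-REQ; whichever field comes back as missing is the one to fix on the AD or keytab side.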
"Ming Fu" <Ming.Fu_at_watchguard.com> wrote in message
news:09177155B3E82945AD8AF1F744B326458A7E58B8_at_es05co...
Hi Markus,
I tried the same test on a Windows 2003 domain with XP clients. I was able
to get the SGT passed from the DC to the XP. Now my problem is the following squid
error. Any suggestion on how to debug further?
2011/07/28 13:13:46| squid_kerb_auth: DEBUG: Got 'YR
from squid (length: 1647).
2011/07/28 13:13:46| squid_kerb_auth: DEBUG: Decode
(decoded length: 1233).
2011/07/28 13:13:47| squid_kerb_auth: ERROR: gss_acquire_cred() failed:
Unspecified GSS failure. Minor code may provide more information. Key table
entry not found
2011/07/28 13:13:47| authenticateNegotiateHandleReply: Error validating user
via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS
failure. Minor code may provide more information. Key table entry not
found'
Thanks
Ming
> -----Original Message-----
> From: Ming Fu [mailto:Ming.Fu_at_watchguard.com]
> Sent: Wednesday, July 27, 2011 4:21 PM
> To: Markus Moeller; squid-users_at_squid-cache.org
> Subject: RE: [squid-users] Re: squid 3.1.14 kerberos single sign on
>
> Hi Markus,
>
> From the windows domain controller:
> =======================================================
> Microsoft Windows [Version 6.0.6002]
> Copyright (c) 2006 Microsoft Corporation. All rights reserved.
>
> C:\Users\Administrator>setspn -L squid
> Registered ServicePrincipalNames for
> CN=squid,CN=Users,DC=sit26,DC=borderware,DC=com:
> HTTP/squid.sit26.borderware.com
>
> C:\Users\Administrator>
> =========================================================
>
> From the wireshark:
> ==============================================================
> The Kerberos response error is
> Error code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
> Realm: SIT26.BORDERWARE.COM
> Server Name (Service and Instance): HTTP/squid.sit26.borderware.com
> Name-type: service and instance (2)
> Name: HTTP
> Name: squid.sit26.borderware.com
> ===============================================================
>
> I can attach the whole tcpdump if necessary.
>
> Regards,
> Ming
>
>
>
> > -----Original Message-----
> > From: Markus Moeller [mailto:huaraz_at_moeller.plus.com]
> > Sent: Monday, July 25, 2011 4:27 PM
> > To: squid-users_at_squid-cache.org
> > Subject: [squid-users] Re: squid 3.1.14 kerberos single sign on
> >
> > This looks like the client does not get a Kerberos token, which can
> > have several reasons.
> >
> > 1) Is the proxy name used in the browser the fqdn used in the
> > servicePrincipalName in AD e.g. HTTP/<fqdn>?
> > 2) Is the right encryption type used (Win7 / 2008 do not support DES
> > out of the box)?
> >
> > Can you capture with wireshark the communication between your Win7
> > client and AD on port 88 ( Kerberos port ) and send me the capture file?
> >
> > Regards
> > Markus
> >
> >
> > "Ming Fu" <Ming.Fu_at_watchguard.com> wrote in message
> > news:09177155B3E82945AD8AF1F744B326458A7E1581_at_es05co...
> > Hi,
> >
> > I am trying to set up squid 3.1.14 on linux with Kerberos SSO against
> > windows 2008 server and win7 client.
> > But both firefox 5.0.1 and IE 8 generate the same log from squid.
> >
> > Is this a problem with squid or the browsers?
> >
> > ---- squid logs ----
> > 2011/07/25 10:54:29| Accepting HTTP connections at [::]:3128, FD 31.
> > 2011/07/25 10:54:29| HTCP Disabled.
> > 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
> > 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
> > 2011/07/25 10:54:29| Loaded Icons.
> > 2011/07/25 10:54:29| Ready to serve requests.
> > 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
> > 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
> > 2011/07/25 10:55:40| squid_kerb_auth: WARNING: received type 1 NTLM token
> > 2011/07/25 10:55:40| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
> >
> >
> > --- HTTP exchange Firefox to squid -----
> > GET http://www.google.ca/ HTTP/1.1
> > Host: www.google.ca
> > User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101
> > Firefox/5.0.1
> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > Accept-Language: en-us,en;q=0.5
> > Accept-Encoding: gzip, deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Proxy-Connection: keep-alive
> > Referer: http://www.google.ca/
> > Cookie: PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=1311350546:S=CwtXJNRFT1U2j2O8; NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HPrqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
> >
> > HTTP/1.0 407 Proxy Authentication Required
> > Server: squid/3.1.14
> > Mime-Version: 1.0
> > Date: Mon, 25 Jul 2011 15:38:05 GMT
> > Content-Type: text/html
> > Content-Length: 3945
> > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> > Vary: Accept-Language
> > Content-Language: en-us
> > Proxy-Authenticate: Negotiate
> > X-Cache: MISS from squid.sit26.borderware.com
> > Via: 1.0 squid.sit26.borderware.com (squid/3.1.14)
> > Connection: keep-alive
> >
> > GET http://www.google.ca/ HTTP/1.1
> > Host: www.google.ca
> > User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101
> > Firefox/5.0.1
> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > Accept-Language: en-us,en;q=0.5
> > Accept-Encoding: gzip, deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Proxy-Connection: keep-alive
> > Referer: http://www.google.ca/
> > Cookie: PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=1311350546:S=CwtXJNRFT1U2j2O8; NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HPrqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
> > Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
> >
> >
> > Regards,
> > Ming
> >
Received on Thu Jul 28 2011 - 19:10:10 MDT
This archive was generated by hypermail 2.2.0 : Sat Jul 30 2011 - 12:00:02 MDT