[squid-users] Re: Re: squid 3.1.14 kerberos single sign on

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 28 Jul 2011 20:09:16 +0100

Hi Ming,

This indicates that now your client got the ticket from AD, but it does
not match the entry in your keytab. Did you set the environment variable
KRB5_KTNAME correctly? Can you do a klist -ekt <squid.keytab> and compare
the entries with the wireshark information of the encoded HTTP Negotiate
request?

Do the name, encryption type and key version number (kvno) match?

Markus
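The comparison Markus asks for (principal, encryption type and kvno of the ticket inside the client's Negotiate token against the keytab) and the earlier diagnosis in this thread (a type 1 NTLM token arriving where squid_kerb_auth expected Kerberos) can both be done from the log lines quoted here. The script below is an added example, not code from the thread, from squid or from squid_kerb_auth: it decodes a Negotiate token with a small DER reader that tolerates a token cut short in a log line, reports whether it is bare NTLM or a SPNEGO-wrapped Kerberos AP-REQ, pulls realm, service principal, etype and kvno out of the ticket, and checks them against MIT "klist -ekt" output. The two tokens are copied from the squid logs quoted in the thread (the Kerberos one is truncated in the archive, so only a prefix is used); the keytab listing, the check_keytab helper and the etype name table are assumptions made for the example.

```python
# Added example, not code from the thread or from squid: decode a Negotiate
# token and check the Kerberos ticket inside it against 'klist -ekt' output.
import base64

SPNEGO_OID, KRB5_OID = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2"
MS_KRB5_OID, NTLMSSP_OID = "1.2.840.48018.1.2.2", "1.3.6.1.4.1.311.2.2.10"
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}  # MIT klist -e names

class Der:
    # Forward-only DER reader. Lengths are decoded but not enforced, so a token
    # cut short in a log line (as in the thread) parses as far as the bytes go.
    def __init__(self, data):
        self.d, self.p = data, 0
    def header(self, expect=None):          # -> (tag, content length)
        tag, n = self.d[self.p], self.d[self.p + 1]; self.p += 2
        if n & 0x80:                        # long form: n & 0x7F length bytes follow
            k = n & 0x7F; n = int.from_bytes(self.d[self.p:self.p + k], "big"); self.p += k
        if expect is not None and tag != expect:
            raise ValueError(f"expected tag {expect:#x}, got {tag:#x}")
        return tag, n
    def value(self, expect):                # content bytes of a primitive
        _, n = self.header(expect); v = self.d[self.p:self.p + n]; self.p += n
        return v
    def integer(self): return int.from_bytes(self.value(0x02), "big", signed=True)
    def string(self): return self.value(0x1B).decode("ascii")  # KerberosString
    def oid(self):                          # OBJECT IDENTIFIER -> dotted string
        b = self.value(0x06); arcs, v = [b[0] // 40, b[0] % 40], 0
        for x in b[1:]:
            v = (v << 7) | (x & 0x7F)
            if not x & 0x80: arcs.append(v); v = 0
        return ".".join(map(str, arcs))

def parse_negotiate_token(b64):             # base64 value of the Negotiate header
    return parse_raw(base64.b64decode(b64 + "=" * (-len(b64) % 4)))

def parse_raw(raw):
    if raw.startswith(b"NTLMSSP\x00"):      # bare NTLM: squid_kerb_auth rejects it
        return {"mech": "NTLM", "ntlm_type": int.from_bytes(raw[8:12], "little")}
    r = Der(raw); r.header(0x60)            # GSS-API InitialContextToken
    mech = r.oid()
    if mech == SPNEGO_OID: return parse_spnego(r)
    return parse_krb5(r) if mech in (KRB5_OID, MS_KRB5_OID) else {"mech": mech}

def parse_spnego(r):
    r.header(0xA0); r.header(0x30)          # NegTokenInit
    r.header(0xA0); _, n = r.header(0x30); end, mechs = r.p + n, []  # [0] mechTypes
    while r.p < end: mechs.append(r.oid())
    tag, _ = r.header()
    if tag == 0xA1:                         # optional [1] reqFlags
        r.value(0x03); tag, _ = r.header()
    info = {"mech": "SPNEGO", "mechTypes": mechs}
    if tag == 0xA2:                         # [2] mechToken holds the inner token
        info["mechToken"] = parse_raw(r.value(0x04))
    return info

def parse_krb5(r):
    tok_id = bytes(r.d[r.p:r.p + 2]); r.p += 2
    if tok_id != b"\x01\x00": return {"mech": "Kerberos", "tok_id": tok_id.hex()}
    r.header(0x6E); r.header(0x30)          # AP-REQ (only this carries a ticket)
    r.header(0xA0); r.integer(); r.header(0xA1); r.integer()   # pvno, msg-type
    r.header(0xA2); r.value(0x03)           # ap-options
    r.header(0xA3); r.header(0x61); r.header(0x30)             # [3] Ticket
    r.header(0xA0); r.integer()             # tkt-vno
    r.header(0xA1); realm = r.string()
    r.header(0xA2); r.header(0x30)          # sname PrincipalName
    r.header(0xA0); r.integer()             # name-type
    r.header(0xA1); _, n = r.header(0x30); end, parts = r.p + n, []
    while r.p < end: parts.append(r.string())
    r.header(0xA3); r.header(0x30)          # enc-part EncryptedData
    r.header(0xA0); etype = r.integer()
    tag, _ = r.header()
    kvno = r.integer() if tag == 0xA1 else None                # kvno is OPTIONAL
    return {"mech": "Kerberos", "realm": realm, "sname": "/".join(parts), "etype": etype,
            "etype_name": ETYPE_NAMES.get(etype, str(etype)), "kvno": kvno}

def check_keytab(ticket, klist_text):       # [] means the keytab can decrypt the ticket
    want = f"{ticket['sname']}@{ticket['realm']}"
    rows = []                               # (kvno, enctype) rows of 'klist -ekt'
    for tok in (line.split() for line in klist_text.splitlines()):
        if len(tok) >= 4 and tok[0].isdigit() and tok[-2] == want:
            rows.append((int(tok[0]), tok[-1].strip("()")))
    if not rows:
        return [f"no keytab entry for {want} (check the SPN and KRB5_KTNAME)"]
    if (ticket["kvno"], ticket["etype_name"]) in rows:
        return []
    return [f"ticket kvno {ticket['kvno']} {ticket['etype_name']} vs keytab kvno {k} {e}"
            for k, e in rows]

# Tokens copied from the thread's squid logs; the Kerberos one is cut off in the
# archive, but this prefix reaches the ticket's enc-part header, which is enough.
NTLM_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="
KRB_TOKEN_PREFIX = (
    "YIIEzQYGKwYBBQUCoIIEwTCCBL2gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKC"
    "BJMEggSPYIIEiwYJKoZIhvcSAQICAQBuggR6MIIEdqADAgEFoQMCAQ6iBwMFACAAAACjggOeYYIDmjCC"
    "A5agAwIBBaEWGxRTSVQyNy5CT1JERVJXQVJFLkNPTaItMCugAwIBAqEkMCIbBEhUVFAbGnNxdWlkLnNp"
    "dDI3LmJvcmRlcndhcmUuY29to4IDRjCCA0KgAwIBA6EDAgEEooIDNASCAzDb")
# Constructed 'klist -ekt' output (not from the thread): stale kvno, other enctype.
KLIST_SAMPLE = ("KVNO Timestamp         Principal\n"
                "   3 07/28/11 10:00:00 HTTP/squid.sit27.borderware.com@SIT27.BORDERWARE.COM (arcfour-hmac)\n")
```

Run on the thread's own tokens, the first one decodes as NTLM type 1, which is the "received type 1 NTLM token" warning in the first log; the second decodes as a SPNEGO token offering MS-KRB5, KRB5 and NTLMSSP, with an AP-REQ for HTTP/squid.sit27.borderware.com@SIT27.BORDERWARE.COM, etype 3 (des-cbc-md5) and kvno 4. Those three values are what klist -ekt on the keytab named by KRB5_KTNAME has to show for that principal; a different kvno (keytab exported again after the ticket was issued, or the other way round) or a missing DES key is the kind of mismatch behind a "Key table entry not found" minor status, and the constructed listing above is deliberately wrong on both counts so check_keytab reports it.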

"Ming Fu" <Ming.Fu_at_watchguard.com> wrote in message
news:09177155B3E82945AD8AF1F744B326458A7E58B8_at_es05co...
Hi Markus,

I tried the same test on a Windows 2003 domain with XP clients. I was able
to get the SGT passed from the DC to the XP. Now my problem is the following squid
error. Any suggestion on how to debug further?

2011/07/28 13:13:46| squid_kerb_auth: DEBUG: Got 'YR
[...]'
from squid (length: 1647).
2011/07/28 13:13:46| squid_kerb_auth: DEBUG: Decode
'YIIEzQYGKwYBBQUCoIIEwTCCBL2gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBJMEggSPYIIEiwYJKoZIhvcSAQICAQBuggR6MIIEdqADAgEFoQMCAQ6iBwMFACAAAACjggOeYYIDmjCCA5agAwIBBaEWGxRTSVQyNy5CT1JERVJXQVJFLkNPTaItMCugAwIBAqEkMCIbBEhUVFAbGnNxdWlkLnNpdDI3LmJvcmRlcndhcmUuY29to4IDRjCCA0KgAwIBA6EDAgEEooIDNASCAzDb2BHDS95lmejMm5kGJNuwxcAV6OAOcH1hnOdb8sTR1nHSGGlvlbSKSg/G9l+akRgv9t9BNrsECoZYlZBsojRnFCVHSKjRCKYn+K3ExFIT8E5Szu+XuyIQvib9RMNPG5poBHC4haBO9gxrkZ+yoPOhIP3lY4o9RltyumIAEPiO+36kqNSnTHu6ycuzImPA7+jlkU8VFyXHiwgrHNX7/1N5hpQWuIxl+UkvSJzZb/Tdoro4nM53id0ZrSdxs+Dn1WESc3EgZRwjItGNPHzPKeB03v8IIFZkSCQSGp+GxUeOzxRpMzXN2r3T6PLFLlMHJQeJzFnCOnmJs4stiyW6rY7zF3L868OHYhcx9kUZQzUivnwI+lrfRYMlu87CbAnPZBbPc099b0Amp5gF2YlSOOpx2fLdIN2hs5GJCnzBK1Z7sGPiIIi2hWfbhAJMvAE8sLnahlD8ffraI3ZrxKfpVnNIxbJMvkq4pA8/Ka2w2DA1jeEcPkOg1oggA6+ygmvHZpQrU9twBTtjfHxi0050gdv/DbEbsHofFFDlLNCkQQYB50aDCOubu3NfqfNGre/EAJyrfmeRfjTNRtcOfauoUlZmVhqJXM0nkuvlDtvCXcUmjvcVwtG6CE13lqAsD081xJPaLnPAKmmqGVZUZNykFUeFzarIlu2r3ELJnkyxfQNbeoKLhSH94UWGnE6jCT7yjVvpmzQV4n0DbKyFWn/wgE
[...]'
(decoded length: 1233).
2011/07/28 13:13:47| squid_kerb_auth: ERROR: gss_acquire_cred() failed:
Unspecified GSS failure. Minor code may provide more information. Key table
entry not found
2011/07/28 13:13:47| authenticateNegotiateHandleReply: Error validating user
via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS
failure. Minor code may provide more information. Key table entry not
found'

Thanks
Ming

> -----Original Message-----
> From: Ming Fu [mailto:Ming.Fu_at_watchguard.com]
> Sent: Wednesday, July 27, 2011 4:21 PM
> To: Markus Moeller; squid-users_at_squid-cache.org
> Subject: RE: [squid-users] Re: squid 3.1.14 kerberos single sign on
>
> Hi Markus,
>
> From the windows domain controller:
> =======================================================
> Microsoft Windows [Version 6.0.6002]
> Copyright (c) 2006 Microsoft Corporation. All rights reserved.
>
> C:\Users\Administrator>setspn -L squid
> Registered ServicePrincipalNames for
> CN=squid,CN=Users,DC=sit26,DC=borderware,DC
> =com:
> HTTP/squid.sit26.borderware.com
>
> C:\Users\Administrator>
> =========================================================
>
> From the wireshark:
> ==============================================================
> The Kerberos response error is
> Error code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
> Realm: SIT26.BORDERWARE.COM
> Server Name (Service and Instance): HTTP/squid.sit26.borderware.com
> Name-type: service and instance (2)
> Name: HTTP
> Name: squid.sit26.borderware.com
> ===============================================================
>
> I can attach the whole tcpdump if necessary.
>
> Regards,
> Ming
>
>
>
> > -----Original Message-----
> > From: Markus Moeller [mailto:huaraz_at_moeller.plus.com]
> > Sent: Monday, July 25, 2011 4:27 PM
> > To: squid-users_at_squid-cache.org
> > Subject: [squid-users] Re: squid 3.1.14 kerberos single sign on
> >
> > This looks like the client does not get a Kerberos token, which can
> have
> > several reasons.
> >
> > 1) Is the proxy name used in the browser the fqdn used in the
> > servicePrincipalName in AD, e.g. HTTP/<fqdn>?
> > 2) Is the right encryption type used (Win7 / 2008 do not support DES
> > out
> > of the box)
> >
> > Can you capture with wireshark the communication between your Win7
> > client
> > and AD on port 88 ( Kerberos port ) and send me the capture file ?
> >
> > Regards
> > Markus
> >
> >
> > "Ming Fu" <Ming.Fu_at_watchguard.com> wrote in message
> > news:09177155B3E82945AD8AF1F744B326458A7E1581_at_es05co...
> > Hi,
> >
> > I am trying to set up squid 3.1.14 on linux with Kerberos SSO against
> > windows 2008 server and win7 client.
> > But both firefox 5.0.1 and IE 8 generate the same log from squid.
> >
> > Is this a problem with squid or the browsers?
> >
> > ---- squid logs ----
> > 2011/07/25 10:54:29| Accepting HTTP connections at [::]:3128, FD 31.
> > 2011/07/25 10:54:29| HTCP Disabled.
> > 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
> > 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
> > 2011/07/25 10:54:29| Loaded Icons.
> > 2011/07/25 10:54:29| Ready to serve requests.
> > 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Got 'YR
> > TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
> > (length: 59).
> > 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Decode
> > 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
> > length:
> > 40).
> > 2011/07/25 10:55:40| squid_kerb_auth: WARNING: received type 1 NTLM
> > token
> > 2011/07/25 10:55:40| authenticateNegotiateHandleReply: Error
> validating
> > user
> > via Negotiate. Error returned 'BH received type 1 NTLM token'
> >
> >
> > --- HTTP exchange Firefox to squid -----
> > GET http://www.google.ca/ HTTP/1.1
> > Host: www.google.ca
> > User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101
> > Firefox/5.0.1
> > Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > Accept-Language: en-us,en;q=0.5
> > Accept-Encoding: gzip, deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Proxy-Connection: keep-alive
> > Referer: http://www.google.ca/
> > Cookie:
> >
> PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=131135
> > 0546:S=CwtXJNRFT1U2j2O8;
> >
> NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HP
> > rqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
> >
> > HTTP/1.0 407 Proxy Authentication Required
> > Server: squid/3.1.14
> > Mime-Version: 1.0
> > Date: Mon, 25 Jul 2011 15:38:05 GMT
> > Content-Type: text/html
> > Content-Length: 3945
> > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> > Vary: Accept-Language
> > Content-Language: en-us
> > Proxy-Authenticate: Negotiate
> > X-Cache: MISS from squid.sit26.borderware.com
> > Via: 1.0 squid.sit26.borderware.com (squid/3.1.14)
> > Connection: keep-alive
> >
> > GET http://www.google.ca/ HTTP/1.1
> > Host: www.google.ca
> > User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101
> > Firefox/5.0.1
> > Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > Accept-Language: en-us,en;q=0.5
> > Accept-Encoding: gzip, deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Proxy-Connection: keep-alive
> > Referer: http://www.google.ca/
> > Cookie:
> >
> PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=131135
> > 0546:S=CwtXJNRFT1U2j2O8;
> >
> NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HP
> > rqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
> > Proxy-Authorization: Negotiate
> > TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
> >
> >
> > Regards,
> > Ming
> >
Received on Thu Jul 28 2011 - 19:10:10 MDT

This archive was generated by hypermail 2.2.0 : Sat Jul 30 2011 - 12:00:02 MDT