Re: [squid-users] Eliminate PopUP authentication for web Windows Users

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 23 Mar 2013 14:47:34 +1300

On 23/03/2013 9:52 a.m., Carlos Daniel Perez wrote:
> Hi,
>
> I configured Squid with Kerberos authentication, but when a client with
> Windows 7 tries to surf the web, this appears:
>
> ==> /var/log/squid3/cache.log <==
> 2013/03/22 16:07:09| negotiate_wrapper: Got 'YR
> YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
> from squid (length: 219).
> 2013/03/22 16:07:09| negotiate_wrapper: Decode
> 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
> (decoded length: 161).
> 2013/03/22 16:07:09| negotiate_wrapper: received Kerberos token
> 2013/03/22 16:07:09| squid_kerb_auth: DEBUG: Got 'YR
> YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
> from squid (length: 219).
> 2013/03/22 16:07:09| squid_kerb_auth: DEBUG: Decode
> 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
> (decoded length: 161).
> 2013/03/22 16:07:09| squid_kerb_auth: ERROR: gss_accept_sec_context()
> failed: An unsupported mechanism was requested.
> 2013/03/22 16:07:09| negotiate_wrapper: Return 'BH
> gss_accept_sec_context() failed: An unsupported mechanism was
> requested.
> '
> 2013/03/22 16:07:09| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH
> gss_accept_sec_context() failed: An unsupported mechanism was
> requested. '
>
> If I put the username (in the format username and not in the Domain\username
> format) all is fine and the client can surf... but I need authentication
> without a popup...
>
> If a Windows XP client tries to surf, this error appears:
>
> ==> /var/log/squid3/cache.log <==
> 2013/03/22 16:07:39| negotiate_wrapper: Got 'KK
> TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAAAYABgBIAAAAEgASAE4AAAAaABoAYAAAAAAAAACqAAAABYKIogUBKAoAAAAPUwBWAFEAZABwAGEAbABhAGMAaQBvAHMAQwAtAEkATgBGAE8AUgBNAEEAVABJAEMAQQCnfWU6vlE1SAAAAAAAAAAAAAAAAAAAAACf6zTftZnnH1TtUXw/0u3x1D7nej1u78M='
> from squid (length: 231).
> 2013/03/22 16:07:39| negotiate_wrapper: Decode
> 'TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAAAYABgBIAAAAEgASAE4AAAAaABoAYAAAAAAAAACqAAAABYKIogUBKAoAAAAPUwBWAFEAZABwAGEAbABhAGMAaQBvAHMAQwAtAEkATgBGAE8AUgBNAEEAVABJAEMAQQCnfWU6vlE1SAAAAAAAAAAAAAAAAAAAAACf6zTftZnnH1TtUXw/0u3x1D7nej1u78M='
> (decoded length: 170).
> 2013/03/22 16:07:39| negotiate_wrapper: received type 120 NTLM token
> 2013/03/22 16:07:39| negotiate_wrapper: Return 'NA = NT_STATUS_UNSUCCESSFUL

"type 120" ? Something is getting the decoding wrong in the helper.
That is a type-3 (credentials, handshake complete) token.

>
> It doesn't work if I put the username like with Windows 7...
>
> The first lines of my squid.conf have:
>
>
> ### negotiate kerberos and ntlm authentication
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d
> --ntlm /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=ENT --kerberos
> /usr/lib/squid3/squid_kerb_auth -d -s HTTP/squid-proxy.enterprise.com
> auth_param negotiate children 10
> auth_param negotiate keep_alive off
>
> ### pure ntlm authentication
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=ENT
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
>
>
>
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R \
> -b dc=enterprise,dc=com \
> -D soporte_at_enterprise.com \
> -w 12345 \
> -f sAMAccountName=%s \
> -h svq-wsus.enterprise.com
> auth_param basic children 10
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 1 minute
>
> external_acl_type internet_users %LOGIN
> /usr/lib/squid3/squid_ldap_group -R -K -S \
> -b dc=enterprise,dc=com \
> -D soporte_at_enterprise.com \
> -w 12345 \
> -f (&(objectclass=person)(sAMAccountName=%v)(memberof=ou=%a,ou=Vip,dc=enterprise,dc=com))
> \
> -h svq-wsus.enterprise.com
>
> I created my .keytab without problems following this guide:
>
> http://www.howtoforge.com/debian-squeeze-squid-kerberos-ldap-authentication-active-directory-integration-and-cyfin-reporter
> and http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
>
> Why do these errors happen? P.S. My domain is ENTERPRISE.COM and the
> users use ENT\username to access domain and network resources...
>
> Thank you very much!
Received on Sat Mar 23 2013 - 01:47:41 MDT
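To see what the helpers actually received, here is a small decoder (added here; it is not part of this thread, of Squid, or of negotiate_wrapper) for the two base64 tokens quoted from cache.log above: it reads the message type and string fields of a raw NTLMSSP token and the mechTypes list of a SPNEGO NegTokenInit. Run on the tokens above it shows the Windows 7 client offering only NEGOEX and NTLMSSP (no Kerberos OID at all, consistent with gss_accept_sec_context reporting an unsupported mechanism) and the XP token as an NTLMSSP type 3 AUTHENTICATE naming domain SVQ rather than ENT. The OID-to-name table is assumed from the standard Kerberos and Microsoft OIDs, and the string fields are decoded as UTF-16LE on the assumption that the Unicode flag is set, as it is in the XP token.

```python
import base64
import struct
# Tokens copied from the cache.log excerpts quoted above (Windows 7 client, then Windows XP client).
WIN7_TOKEN = "YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo="
WINXP_TOKEN = "TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAAAYABgBIAAAAEgASAE4AAAAaABoAYAAAAAAAAACqAAAABYKIogUBKAoAAAAPUwBWAFEAZABwAGEAbABhAGMAaQBvAHMAQwAtAEkATgBGAE8AUgBNAEEAVABJAEMAQQCnfWU6vlE1SAAAAAAAAAAAAAAAAAAAAACf6zTftZnnH1TtUXw/0u3x1D7nej1u78M="

# Assumed OID table: the mechanisms an Active Directory client commonly lists in SPNEGO mechTypes.
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos", "1.2.840.48018.1.2.2": "MS-Kerberos",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP", "1.3.6.1.4.1.311.2.2.30": "NEGOEX"}

def der_tlv(buf, pos):  # one DER tag + length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):  # DER OID content -> dotted string; arcs are base-128, high bit = continue
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def ntlm_fields(tok):  # type 3 string fields are (len, maxlen, offset) descriptors into the token
    names = {}
    for name, off in (("domain", 28), ("user", 36), ("workstation", 44)):
        length, _maxlen, start = struct.unpack_from("<HHI", tok, off)
        names[name] = tok[start:start + length].decode("utf-16-le")  # assumes the Unicode flag is set
    return names

def classify_token(b64):  # what one 'Got ...' token from the log actually carries
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):  # raw NTLM: message type is a little-endian uint32 at offset 8
        mtype = struct.unpack_from("<I", tok, 8)[0]
        return "ntlm", mtype, ntlm_fields(tok) if mtype == 3 else {}
    tag, pos, _ = der_tlv(tok, 0)  # [APPLICATION 0] GSS-API InitialContextToken
    _, s, e = der_tlv(tok, pos)  # thisMech OID
    mech = decode_oid(tok[s:e])
    if tag != 0x60 or mech != "1.3.6.1.5.5.2":  # not SPNEGO: report the bare mechanism
        return "gssapi", MECH_NAMES.get(mech, mech), {}
    pos = e
    for _step in range(4):  # [0] NegTokenInit > SEQUENCE > [0] mechTypes > SEQUENCE OF OID
        _, pos, end = der_tlv(tok, pos)
    mechs = []
    while pos < end:  # every mechanism the client is willing to use, in preference order
        _, s, e = der_tlv(tok, pos)
        mechs.append(MECH_NAMES.get(decode_oid(tok[s:e]), decode_oid(tok[s:e])))
        pos = e
    return "spnego", mechs, {}
```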