I believe I might have fixed it... 

will advise soonest. 

On 2016-04-05 16:01, Drikus Brits wrote: 

> Extra info : 
> 
> root@mw-sqproxy-test:/home/geosupport# uname -a
> Linux mw-sqproxy-test 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 
> 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux 
> 
> root@mw-sqproxy-test:/home/geosupport# squid3 -v
> Squid Cache: Version 3.3.8
> Ubuntu
> configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' 
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' 
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' 
> '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' 
> '--disable-dependency-tracking' '--disable-silent-rules' 
> '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' 
> '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' 
> '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' 
> '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' 
> '--enable-icap-client' '--enable-follow-x-forwarded-for' 
> '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
>  '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' 
> '--enable-auth-ntlm=fake,smb_lm' 
> '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
> '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' 
> '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' 
> '--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' 
> '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' 
> '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 
> 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector 
> --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 
> 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 
> 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector 
> --param=ssp-buffer-size=4 -Wformat -Werror=format-security'
> root@mw-sqproxy-test:/home/geosupport# 
> 
> Thanks, 
> 
> Drikus 
> 
> On 2016-04-05 15:50, Drikus Brits wrote: 
> 
>> Hi Experts, 
>> 
>> After much struggling it seems I've reached some point of success, but not 
>> quite. I've checked a multitude of websites for help before coming here, 
>> but didn't get anything valuable yet. My problem is as follows: 
>> 
>> I have 1x Win2008R2 server that works with Kerberos authentication, but none 
>> of the other PCs in the network want to work; the others all come up with 
>> a login challenge. 
>> 
>> My Configs : 
>> 
>> /etc/krb5.conf 
>> 
>> <snip>
>> #cat /etc/krb5.conf
>> [logging]
>> 
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>> 
>> [libdefaults]
>> default_realm = DOMAIN.CO.ZA
>> dns_lookup_kdc = yes
>> dns_lookup_realm = yes
>> ticket_lifetime = 24h
>> default_keytab_name = /etc/squid/PROXY.keytab
>> 
>> #; for Windows 2008 with AES
>> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc 
>> des-cbc-md5
>> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc 
>> des-cbc-md5
>> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>> 
>> [realms]
>> 
>> DOMAIN.CO.ZA = {
>> kdc = mw-ad.domain.co.za
>> admin_server = mw-ad.domain.co.za
>> default_domain = domain.co.za
>> }
>> 
>> [domain_realm]
>> 
>> .domain.co.za = DOMAIN.CO.ZA
>> domain.co.za = DOMAIN.CO.ZA
>> 
>> [login]
>> krb4_convert = true
>> krb4_get_tickets = false
>> </snip> 
>> 
>> my /etc/squid/squid.conf 
>> 
>> <snip>
>> #auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm 
>> /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego 
>> --domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -i 
>> ###WORKING - half/half
>> auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d 
>> --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp 
>> --domain=DOMAIN.CO.ZA --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d 
>> -s GSS_C_NO_NAME
>> #auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s 
>> GSS_C_NO_NAME
>> 
>> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics 
>> --helper-protocol=gss-spnego --domain=DOMAIN.CO.ZA
>> auth_param ntlm children 10
>> auth_param ntlm keep_alive off
>> 
>> auth_param basic program /usr/lib/squid3/basic_ldap_auth -b 
>> "DC=domain,DC=co,DC=za" -f sAMAccountName=%s -D "CN=Folder 
>> Authentication,CN=Users,DC=domain,DC=co,DC=za" -w P@55w0rd -H 
>> ldap://MW-AD.domain.co.za -R
>> auth_param basic realm Web-Proxy
>> auth_param basic credentialsttl 1 minute
>> 
>> acl proxy-auth proxy_auth REQUIRED
>> 
>> http_access allow proxy-auth
>> </snip> 
>> 
>> When the Win2008R2 connects I get the following in 
>> /var/log/squid3/cache.log: 
>> 
>> <snip> 
>> 
>> 2016/04/05 12:26:46| negotiate_wrapper: Got 'YR 
>> YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBgkqhkiC9xIBAgIGCSq<truncated>DVzSeCUH4ntF1lHc='
>>  from squid (length: 2419).
>> 2016/04/05 12:26:46| negotiate_wrapper: Decode 
>> 'YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBg<truncated>UnIKhxWxh52aDVzSeCUH4ntF1lHc=' 
>> (decoded length: 1811).
>> 2016/04/05 12:26:46| negotiate_wrapper: received Kerberos token
>> negotiate_kerberos_auth.cc(315): pid=8218 :2016/04/05 12:26:46| 
>> negotiate_kerberos_auth: DEBUG: Got 'YR 
>> YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuB<truncated>JDp51PN7RjUnIKhxWxh52aDVzSeCUH4ntF1lHc='
>>  from squid (length: 2419).
>> negotiate_kerberos_auth.cc(378): pid=8218 :2016/04/05 12:26:46| 
>> negotiate_kerberos_auth: DEBUG: Decode 
>> 'YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBgkqhkiC9xI<truncated>51PN7RjUnIKhxWxh52aDVzSeCUH4ntF1lHc='
>>  (decoded length: 1811).
>> 2016/04/05 12:26:46| negotiate_wrapper: Return 'AF 
>> oYG2MIGzoAMKAQChCwYJ<truncated>ZuxzWyWJhUSZttUH70Vw595AsuKtUWvtGjGC7vGmD5Ugufw=
>>  administra...@domain.co.za 
>> 
>> </snip> 
>> 
>> But when other PCs connect, whether another Win2008R2, Win10 or Win7, I 
>> get: 
>> 
>> <snip> 
>> 
>> negotiate_kerberos_auth.cc(315): pid=9389 :2016/04/05 12:33:47| 
>> negotiate_kerberos_auth: DEBUG: Got 'YR 
>> YIIHDwYGKwYBBQUCoII<truncated>+BnGBajMprtChSPMuUX9nnZfT+cJk=' from squid 
>> (length: 2419).
>> negotiate_kerberos_auth.cc(378): pid=9389 :2016/04/05 12:33:47| 
>> negotiate_kerberos_auth: DEBUG: Decode 
>> 'YIIHDwYGKwYBBQUCoIIHAzCCBv<truncated>MprtChSPMuUX9nnZfT+cJk=' (decoded 
>> length: 1811).
>> negotiate_kerberos_auth.cc(200): pid=9389 :2016/04/05 12:33:47| 
>> negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified 
>> GSS failure. Minor code may provide more information.
>> 2016/04/05 12:33:47| ERROR: Negotiate Authentication validating user. Error 
>> returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor 
>> code may provide more information. ' 
>> 
>> </snip> 
>> 
>> My kinit -V -kt /etc/squid3/PROXY.keytab, which I'm sure is not supposed 
>> to say that :). I've had others that successfully authenticated to 
>> Kerberos V5 as well, but then the working Win2008R2 doesn't work; see 
>> below. 
>> 
>> <snip> 
>> 
>> # kinit -V -kt /etc/squid3/PROXY.keytab
>> Using default cache: /tmp/krb5cc_0
>> Using principal: host/mw-sqproxy-test.domain.co...@domain.co.za
>> Using keytab: /etc/squid3/PROXY.keytab
>> kinit: Preauthentication failed while getting initial credentials 
>> 
>> </snip> 
>> 
>> Working with "authenticated with Kerberos" but no server or PC working: 
>> 
>> <snip> 
>> 
>> msktutil -c -b "CN=COMPUTERS" -s HTTP/mw-sqproxy-test -s 
>> HTTP/mw-sqproxy-test.domain.co.za -h mw-sqproxy-test.domain.co.za -k 
>> /etc/squid3/PROXY.keytab --computer-name MWSQPROXYTEST --upn 
>> HOST/mw-sqproxy-test.domain.co.za --server mw-ad.domain.co.za --verbose 
>> --enctypes 28 
>> 
>> </snip> 
>> 
>> my working klist entries 
>> 
>> <snip> 
>> 
>> klist -ekt /etc/squid3/PROXY.keytab 
>> 
>> Keytab name: FILE:/etc/squid3/PROXY.keytab
>> KVNO Timestamp Principal
>> ---- ------------------- ------------------------------------------------------
>> 2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (arcfour-hmac)
>> 2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
>> 2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
>> 2 05/04/2016 09:50:05 HTTP/mw-sqproxy-t...@domain.co.za (arcfour-hmac)
>> 2 05/04/2016 09:50:05 HTTP/mw-sqproxy-t...@domain.co.za 
>> (aes128-cts-hmac-sha1-96)
>> 2 05/04/2016 09:50:05 HTTP/mw-sqproxy-t...@domain.co.za 
>> (aes256-cts-hmac-sha1-96)
>> 2 05/04/2016 09:43:05 HOST/mw-sqproxy-t...@domain.co.za (arcfour-hmac)
>> 2 05/04/2016 09:43:05 HOST/mw-sqproxy-t...@domain.co.za 
>> (aes128-cts-hmac-sha1-96)
>> 2 05/04/2016 09:43:05 HOST/mw-sqproxy-t...@domain.co.za 
>> (aes256-cts-hmac-sha1-96)
>> 2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co...@domain.co.za 
>> (arcfour-hmac)
>> 2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co...@domain.co.za 
>> (aes128-cts-hmac-sha1-96)
>> 2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co...@domain.co.za 
>> (aes256-cts-hmac-sha1-96)
>> 2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co...@domain.co.za 
>> (arcfour-hmac)
>> 2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co...@domain.co.za 
>> (aes128-cts-hmac-sha1-96)
>> 2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co...@domain.co.za 
>> (aes256-cts-hmac-sha1-96)
>> 2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (arcfour-hmac)
>> 2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
>> 2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
>> 3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (arcfour-hmac)
>> 3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
>> 3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
>> 3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co...@domain.co.za 
>> (arcfour-hmac)
>> 3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co...@domain.co.za 
>> (aes128-cts-hmac-sha1-96)
>> 3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co...@domain.co.za 
>> (aes256-cts-hmac-sha1-96)
>> 4 04/04/2016 16:29:08 host/mw-sqproxy-t...@domain.co.za (arcfour-hmac)
>> 4 04/04/2016 16:29:09 host/mw-sqproxy-t...@domain.co.za 
>> (aes128-cts-hmac-sha1-96)
>> 4 04/04/2016 16:29:09 host/mw-sqproxy-t...@domain.co.za 
>> (aes256-cts-hmac-sha1-96)
>> 3 05/04/2016 10:15:33 HTTP/mw-sqproxy-t...@domain.co.za (arcfour-hmac)
>> 3 05/04/2016 10:15:33 HTTP/mw-sqproxy-t...@domain.co.za 
>> (aes128-cts-hmac-sha1-96)
>> 3 05/04/2016 10:15:33 HTTP/mw-sqproxy-t...@domain.co.za 
>> (aes256-cts-hmac-sha1-96)
>> 3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co...@domain.co.za 
>> (arcfour-hmac)
>> 3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co...@domain.co.za 
>> (aes128-cts-hmac-sha1-96)
>> 3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co...@domain.co.za 
>> (aes256-cts-hmac-sha1-96)
>> 5 04/04/2016 19:19:28 host/mw-sqproxy-t...@domain.co.za (arcfour-hmac)
>> 5 04/04/2016 19:19:28 host/mw-sqproxy-t...@domain.co.za 
>> (aes128-cts-hmac-sha1-96)
>> 5 04/04/2016 19:19:28 host/mw-sqproxy-t...@domain.co.za 
>> (aes256-cts-hmac-sha1-96)
>> 6 04/04/2016 19:22:47 host/mw-sqproxy-t...@domain.co.za (arcfour-hmac)
>> 6 04/04/2016 19:22:47 host/mw-sqproxy-t...@domain.co.za 
>> (aes128-cts-hmac-sha1-96)
>> 6 04/04/2016 19:22:47 host/mw-sqproxy-t...@domain.co.za 
>> (aes256-cts-hmac-sha1-96)
>> 7 04/04/2016 20:40:09 host/mw-sqproxy-t...@domain.co.za (arcfour-hmac)
>> 7 04/04/2016 20:40:09 host/mw-sqproxy-t...@domain.co.za 
>> (aes128-cts-hmac-sha1-96)
>> 7 04/04/2016 20:40:09 host/mw-sqproxy-t...@domain.co.za 
>> (aes256-cts-hmac-sha1-96) 
>> 
>> </snip> 
>> 
>> I'm using the FQDN in IE to authenticate with Kerberos; if I change it to the IP 
>> it only tries NTLM, which I'm assuming is correct, or not? 
>> 
>> I've investigated the PCs and all of them have properly joined the domain. 
>> 
>> I've checked and I'm getting kvno 3 values from a working Win2008R2 as well 
>> as kvno 3 values from other PCs, but yet they have a popup asking for auth 
>> details. 
>> -- 
>> 
>> Drikus Brits 
>> 
>> _______________________________________________
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
> 
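As an added example, not part of this thread and not code from Squid or its helpers, the following Python script parses `klist -ekt` output of the kind quoted above and reports the keytab properties that decide whether `gss_accept_sec_context()` can accept a client's ticket: which key versions (KVNO) and encryption types the keytab holds for each principal, principals that differ only in case (Kerberos principal names are case-sensitive, so `HOST/` and `host/` are distinct services), and legacy enctypes such as arcfour-hmac that are still present. `diagnose()` answers the question behind the generic "Unspecified GSS failure" in the log: given the service principal, KVNO and enctype of the ticket a client presented (for instance from a `KRB5_TRACE` run of the helper), can this keytab decrypt it? The listing embedded in the script is constructed; `proxy-host.example.com`, `PROXY-HOST$` and `EXAMPLE.COM` are placeholders, not the hosts or realm from the thread.

```python
"""Audit a keytab listing (the output of ``klist -ekt``) for the properties
that decide whether a Squid negotiate helper can accept a client's ticket.
Added example for this thread; not code from Squid or from the poster.
The embedded listing is constructed: host and realm are placeholders."""
import re
from collections import defaultdict

# Constructed sample in the layout klist -ekt prints.  HTTP/ has two key
# versions (the service was re-keyed), HOST/ and host/ both appear, and
# arcfour-hmac keys are still present.
SAMPLE_LISTING = """\
Keytab name: FILE:/etc/squid3/PROXY.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/04/2016 11:43:43 PROXY-HOST$@EXAMPLE.COM (arcfour-hmac)
   2 04/04/2016 11:43:43 PROXY-HOST$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:50:05 HTTP/proxy-host.example.com@EXAMPLE.COM (arcfour-hmac)
   2 05/04/2016 09:50:05 HTTP/proxy-host.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/proxy-host.example.com@EXAMPLE.COM (arcfour-hmac)
   3 05/04/2016 10:15:33 HTTP/proxy-host.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 host/proxy-host.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   7 04/04/2016 20:40:09 HOST/proxy-host.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)\s*$"
)
# RC4 and single DES: still accepted by many KDCs but no longer considered safe.
LEGACY_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"}


def parse_keytab_listing(text):
    """Return one dict per keytab entry; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "kvno": int(m.group("kvno")),
                "timestamp": m.group("ts"),
                "principal": m.group("principal"),
                "enctype": m.group("enctype"),
            })
    return entries


def key_versions(entries):
    """Map principal -> {kvno -> sorted list of enctypes held for that version}."""
    table = defaultdict(lambda: defaultdict(set))
    for e in entries:
        table[e["principal"]][e["kvno"]].add(e["enctype"])
    return {p: {k: sorted(v) for k, v in kv.items()} for p, kv in table.items()}


def diagnose(entries, principal, kvno, enctype):
    """Explain whether a ticket for `principal`, issued under key version
    `kvno` with `enctype`, can be decrypted with this keytab.  The match is
    exact: Kerberos principal names are case-sensitive."""
    versions = key_versions(entries)
    if principal not in versions:
        folded = sorted(p for p in versions if p.lower() == principal.lower())
        if folded:
            return "principal-case-mismatch: keytab has %s" % folded
        return "principal-missing"
    if kvno not in versions[principal]:
        return "kvno-mismatch: ticket kvno %d, keytab has %s" % (kvno, sorted(versions[principal]))
    if enctype not in versions[principal][kvno]:
        return "enctype-missing: kvno %d has %s" % (kvno, versions[principal][kvno])
    return "ok"


def audit(entries):
    """Summarise the keytab: re-keyed principals, case-only duplicates, legacy enctypes."""
    versions = key_versions(entries)
    multiple = {p: sorted(kv) for p, kv in versions.items() if len(kv) > 1}
    legacy = {}
    for p, kv in versions.items():
        weak = sorted({et for ets in kv.values() for et in ets if et in LEGACY_ENCTYPES})
        if weak:
            legacy[p] = weak
    by_fold = defaultdict(set)
    for p in versions:
        by_fold[p.lower()].add(p)
    collisions = sorted(sorted(v) for v in by_fold.values() if len(v) > 1)
    return {"multiple_versions": multiple, "legacy_enctypes": legacy, "case_collisions": collisions}


if __name__ == "__main__":
    entries = parse_keytab_listing(SAMPLE_LISTING)
    for key, value in audit(entries).items():
        print(key, value)
    # A ticket issued under a key version the keytab does not hold:
    print(diagnose(entries, "HTTP/proxy-host.example.com@EXAMPLE.COM", 4, "aes256-cts-hmac-sha1-96"))
```

To run it against a real keytab, save the output of `klist -ekt /etc/squid3/PROXY.keytab` to a file and pass its contents to `parse_keytab_listing()`. Keeping older key versions in the keytab is not itself a fault: it lets clients that still hold a service ticket from before a re-key authenticate until that ticket expires. The finding that does break authentication is the opposite case, a ticket whose KVNO or enctype the keytab lacks, which `diagnose()` reports as `kvno-mismatch` or `enctype-missing`.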
 

