Hi, I am working to enable kerberos authentication for Squid proxy. My environment is as below:
DC: dc1.deeplayer.com (windows 2008 r2 domain level 2003) IP 10.1.1.91 Squid proxy: centos 6.4 IP 10.1.1.97 Client: windows xp sp3, IE8 IP 10.1.1.211 I have followed the guide at http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos I use the CLI below to create the keytab file. msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy02.deeplayer.com -k /etc/squid/squid.keytab --computer-name proxy02 --upn HTTP/proxy02.deeplayer.com --server dc1.deeplayer.com --verbose --enctypes 28 everything looks good. But the authentication is failed. I did a few tests. DNS all works. [root@proxy01 ~]# klist -etk /etc/squid/squid.keytab Keytab name: FILE:/etc/squid/squid.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (arcfour-hmac) 8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96) 8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96) 8 12/21/13 19:32:36 HTTP/proxy02.deeplayer....@deeplayer.com (arcfour-hmac) 8 12/21/13 19:32:36 HTTP/proxy02.deeplayer....@deeplayer.com (aes128-cts-hmac-sha1-96) 8 12/21/13 19:32:36 HTTP/proxy02.deeplayer....@deeplayer.com (aes256-cts-hmac-sha1-96) I reset the proxy02 account in AD DC. Then update the keytab as below. Looks good as well. [root@proxy01 squid]# msktutil --auto-update --verbose --computer-name proxy02 -k squid.keytab -- init_password: Wiping the computer password structure -- generate_new_password: Generating a new, random password for the computer account -- generate_new_password: Characters read from /dev/udandom = 81 -- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP) -- get_dc_host: Found DC: dc1.deeplayer.com -- get_dc_host: Canonicalizing DC through forward/reverse lookup... -- get_dc_host: Found Domain Controller: dc1.deeplayer.com -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-5Mu62Q -- reload: Reloading Kerberos Context -- finalize_exec: SAM Account Name is: proxy02$ -- try_machine_keytab_princ: Trying to authenticate for proxy02$ from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed) -- try_machine_keytab_princ: Authentication with keytab failed -- try_machine_keytab_princ: Trying to authenticate for host/proxy01.deeplayer.com from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found) -- try_machine_keytab_princ: Authentication with keytab failed -- try_machine_password: Trying to authenticate for proxy02$ with password. -- create_default_machine_password: Default machine password for proxy02$ is proxy02 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed) -- try_machine_password: Authentication with password failed -- try_user_creds: Checking if default ticket cache has tickets... -- finalize_exec: Authenticated using method 4 -- ldap_connect: Connecting to LDAP server: dc1.deeplayer.com try_tls=YES -- ldap_connect: Connecting to LDAP server: dc1.deeplayer.com try_tls=NO SASL/GSSAPI authentication started SASL username: administra...@deeplayer.com SASL SSF: 56 SASL data security layer installed. -- ldap_connect: LDAP_OPT_X_SASL_SSF=56 -- ldap_get_base_dn: Determining default LDAP base: dc=DEEPLAYER,dc=COM -- get_default_ou: Determining default OU: CN=Computers,DC=deeplayer,DC=com -- ldap_check_account: Checking that a computer account for proxy02$ exists -- ldap_check_account: Checking computer account - found -- ldap_check_account: Found userAccountControl = 0x1000 -- ldap_check_account: Found supportedEncryptionTypes = 28 -- ldap_check_account: Found dNSHostName = proxy01.deeplayer.com -- ldap_check_account: Found Principal: HTTP/proxy02.deeplayer.com -- ldap_check_account: Found User Principal: HTTP/proxy02.deeplayer.com -- ldap_check_account_strings: Inspecting (and updating) computer account attributes -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000 -- set_password: Attempting to reset computer's password -- set_password: Try change password using user's ticket cache -- ldap_get_pwdLastSet: pwdLastSet is 130320907474715458 -- set_password: Successfully set password, waiting for it to be reflected in LDAP. -- ldap_get_pwdLastSet: pwdLastSet is 130320909218174520 -- set_password: Successfully reset computer's password -- execute: Updating all entries for proxy01.deeplayer.com in the keytab WRFILE:squid.keytab -- update_keytab: Updating all entires for proxy02$ -- ldap_get_kvno: KVNO is 12 -- add_principal_keytab: Adding principal to keytab: proxy02$ -- add_principal_keytab: Removing entries with kvno < 0 -- add_principal_keytab: Using salt of DEEPLAYER.COMhostproxy02.deeplayer.com -- add_principal_keytab: Adding entry of enctype 0x17 -- add_principal_keytab: Using salt of DEEPLAYER.COMhostproxy02.deeplayer.com -- add_principal_keytab: Adding entry of enctype 0x11 -- add_principal_keytab: Using salt of DEEPLAYER.COMhostproxy02.deeplayer.com -- add_principal_keytab: Adding entry of enctype 0x12 -- add_principal_keytab: Adding principal to keytab: HTTP/proxy02.deeplayer.com -- add_principal_keytab: Removing entries with kvno < 0 -- add_principal_keytab: Using salt of DEEPLAYER.COMhostproxy02.deeplayer.com -- add_principal_keytab: Adding entry of enctype 0x17 -- add_principal_keytab: Using salt of DEEPLAYER.COMhostproxy02.deeplayer.com -- add_principal_keytab: Adding entry of enctype 0x11 -- add_principal_keytab: Using salt of DEEPLAYER.COMhostproxy02.deeplayer.com -- add_principal_keytab: Adding entry of enctype 0x12 -- ~msktutil_exec: Destroying msktutil_exec -- ldap_cleanup: Disconnecting from LDAP server -- init_password: Wiping the computer password structure -- ~KRB5Context: Destroying Kerberos Context [root@proxy01 squid]# klist -ekt squid.keytab Keytab name: FILE:squid.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (arcfour-hmac) 8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96) 8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96) 8 12/21/13 19:32:36 HTTP/proxy02.deeplayer....@deeplayer.com (arcfour-hmac) 8 12/21/13 19:32:36 HTTP/proxy02.deeplayer....@deeplayer.com (aes128-cts-hmac-sha1-96) 8 12/21/13 19:32:36 HTTP/proxy02.deeplayer....@deeplayer.com (aes256-cts-hmac-sha1-96) 12 12/21/13 20:15:26 proxy02$@DEEPLAYER.COM (arcfour-hmac) 12 12/21/13 20:15:26 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96) 12 12/21/13 20:15:26 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96) 12 12/21/13 20:15:26 HTTP/proxy02.deeplayer....@deeplayer.com (arcfour-hmac) 12 12/21/13 20:15:26 HTTP/proxy02.deeplayer....@deeplayer.com (aes128-cts-hmac-sha1-96) 12 12/21/13 20:15:26 HTTP/proxy02.deeplayer....@deeplayer.com (aes256-cts-hmac-sha1-96) The squid logs: 2013/12/21 19:48:33| squid_kerb_auth: DEBUG: Got 'YR YIIFGwYGKwYBBQUCoIIFDzCCBQugJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBOEEggTdYIIE2QYJKoZIhvcSAQICAQBuggTIMIIExKADAgEFoQMCAQ6iBwMFACAAAACjggPuYYID6jCCA+agAwIBBaEPGw1ERUVQTEFZRVIuQ09NoigwJqADAgECoR8wHRsESFRUUBsVcHJveHkwMi5kZWVwbGF5ZXIuY29to4IDojCCA56gAwIBF6EDAgEIooIDkASCA4w9FJVsdtgNmVY5N4LshDVuKPnbl6cyyWea1is75rLcJ2Tvd9Qx/yVpKy+XpbxDFPWsJIzl6gk/+1q11YOrvk8gy4wpYc7uRm6KePf20kHkzZ/LL2uaeokVcXNz9Tf2p6/5GYZBY/8bWOSdVd63FbeM0CCaCoGKS9YU1VDYehEk9FndnIc0oV08A0p8ldJHjKDOtVrkwLpT994zazq49fMbM24aftpXwYZKySgsEBHI1fcpo2zYpuUfZdtVL2xQuKpTD8KvsCgMuV7PIAbDHwXqkfjBUw5IC5TEARzrqHNK0FumWVsIBOw7YWKrB9nD2oGCo+3/BbhquIlE0DrJHuGQ/Un7diSCkSxAmNPGupIX8X6zLy+mVolOgpisy4MPutZJBjftqxVxCA1yecI3xhuLd3JbppbP6Y0ttCo4VXiR/X7j/Z6EtLlh8LYsAWbr4jaLRXQs23Ww1IYBmBYyDkcinpPdKTvxwNHeyhccxX+EXjKuKQBC+2BmQdJu95LGvT7BJYm4Vq+RMJagKPOvdmLack9tOqYXzOwin6PwU3e7CI0CmtCOg4St4t0kwt7XlnL1j9HRktUXwv1jGPseK1+5kwE7ntIA/tDOANEr2jG6lHZ0gou+l5YrSaif2gAaneJ3+zoDlGSNGSptevAux56xByvOfqijHolhyaTu8ZIao3IHnE2nn59TKo8W8K5T5MU/KkKgibufPbuYS7FWkvFKnUrIm043KR0JHZxX2c+mlUEZF/zXJf5aMNxWwARwv56x13hvqrikPzHbdPU3YTjQsKp8WcrplNS2MwuHmlrlEBpDf08NHzscPX9rODxReTNLKyLMi6tPCGMPfl3o4iPUR1gt8ZtNUH2s/LI7f4HkNSWYDsh0jzFxSqByIOaqvkq9yspoByKg7aE+JHBOknODsJTeZT8NmIRcoGk/CjEEb8RgPPfkax8g3BiQtwQZlTXUicouRlzPh12ofTtVEVXzI/kh/veeLjgjruSKujDft3x9HVu0LhTcIAkGSZMYfbwwhGgUeIiwqDR3Omyy8ZTjOG4y7+L/+58mGnZLj7CiAu1D7SGBwlSzJeXZ8kThyn/lubSAC/1iuLHWjMA84oB56hgxL7cKFMjVTbb8dPTDbKpReDIdc3y5t8mxdLBcNp135CsheuIbK8qKXeAxQ27Tla+fMn4IxNIXstuQyixIELAsB0cDIX+kEhIbKaSBvDCBuaADAgEXooGxBIGuaVlqY0IcvwuuYrDmYd/WiDFdC4TVUrdJJ8feEL961R+6FqYgz2GzF1jUGT/jW6Tvt38LBTxj8+v66CqsUqqfxjNvSsUdxFvyT3kf6pgIFxP4mfOMqfTeb2BO+uJup5+ld0WRdZCFzc1rdAlodCQFfEXIyXrAc+0TfMdTt/DfYsXYn9aL5moU1cnNP6ip84Olthk7az0m4aRfSN6im+8ky2L1aG6BupU5zw0SzlLU' from squid (length: 1751). 2013/12/21 19:48:33| squid_kerb_auth: DEBUG: Decode 'YIIFGwYGKwYBBQUCoIIFDzCCBQugJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBOEEggTdYIIE2QYJKoZIhvcSAQICAQBuggTIMIIExKADAgEFoQMCAQ6iBwMFACAAAACjggPuYYID6jCCA+agAwIBBaEPGw1ERUVQTEFZRVIuQ09NoigwJqADAgECoR8wHRsESFRUUBsVcHJveHkwMi5kZWVwbGF5ZXIuY29to4IDojCCA56gAwIBF6EDAgEIooIDkASCA4w9FJVsdtgNmVY5N4LshDVuKPnbl6cyyWea1is75rLcJ2Tvd9Qx/yVpKy+XpbxDFPWsJIzl6gk/+1q11YOrvk8gy4wpYc7uRm6KePf20kHkzZ/LL2uaeokVcXNz9Tf2p6/5GYZBY/8bWOSdVd63FbeM0CCaCoGKS9YU1VDYehEk9FndnIc0oV08A0p8ldJHjKDOtVrkwLpT994zazq49fMbM24aftpXwYZKySgsEBHI1fcpo2zYpuUfZdtVL2xQuKpTD8KvsCgMuV7PIAbDHwXqkfjBUw5IC5TEARzrqHNK0FumWVsIBOw7YWKrB9nD2oGCo+3/BbhquIlE0DrJHuGQ/Un7diSCkSxAmNPGupIX8X6zLy+mVolOgpisy4MPutZJBjftqxVxCA1yecI3xhuLd3JbppbP6Y0ttCo4VXiR/X7j/Z6EtLlh8LYsAWbr4jaLRXQs23Ww1IYBmBYyDkcinpPdKTvxwNHeyhccxX+EXjKuKQBC+2BmQdJu95LGvT7BJYm4Vq+RMJagKPOvdmLack9tOqYXzOwin6PwU3e7CI0CmtCOg4St4t0kwt7XlnL1j9HRktUXwv1jGPseK1+5kwE7ntIA/tDOANEr2jG6lHZ0gou+l5YrSaif2gAaneJ3+zoDlGSNGSptevAux56xByvOfqijHolhyaTu8ZIao3IHnE2nn59TKo8W8K5T5MU/KkKgibufPbuYS7FWkvFKnUrIm043KR0JHZxX2c+mlUEZF/zXJf5aMNxWwARwv56x13hvqrikPzHbdPU3YTjQsKp8WcrplNS2MwuHmlrlEBpDf08NHzscPX9rODxReTNLKyLMi6tPCGMPfl3o4iPUR1gt8ZtNUH2s/LI7f4HkNSWYDsh0jzFxSqByIOaqvkq9yspoByKg7aE+JHBOknODsJTeZT8NmIRcoGk/CjEEb8RgPPfkax8g3BiQtwQZlTXUicouRlzPh12ofTtVEVXzI/kh/veeLjgjruSKujDft3x9HVu0LhTcIAkGSZMYfbwwhGgUeIiwqDR3Omyy8ZTjOG4y7+L/+58mGnZLj7CiAu1D7SGBwlSzJeXZ8kThyn/lubSAC/1iuLHWjMA84oB56hgxL7cKFMjVTbb8dPTDbKpReDIdc3y5t8mxdLBcNp135CsheuIbK8qKXeAxQ27Tla+fMn4IxNIXstuQyixIELAsB0cDIX+kEhIbKaSBvDCBuaADAgEXooGxBIGuaVlqY0IcvwuuYrDmYd/WiDFdC4TVUrdJJ8feEL961R+6FqYgz2GzF1jUGT/jW6Tvt38LBTxj8+v66CqsUqqfxjNvSsUdxFvyT3kf6pgIFxP4mfOMqfTeb2BO+uJup5+ld0WRdZCFzc1rdAlodCQFfEXIyXrAc+0TfMdTt/DfYsXYn9aL5moU1cnNP6ip84Olthk7az0m4aRfSN6im+8ky2L1aG6BupU5zw0SzlLU' (decoded length: 1311). 2013/12/21 19:48:33| squid_kerb_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. 2013/12/21 19:48:33| squid_kerb_auth: INFO: User not authenticated 2013/12/21 19:48:33| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. ' I have performed the packet capture on the winxp client. From the packet capture. i can see <http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4663964/01.png> However, i checked the key info in the authentication reply from client to Squid proxy server. I found the KVNO version is different and encryption type is different. But I dont know what cause this? Please help!!! <http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4663964/02.png> [root@proxy01 ~]# klist -etk /etc/squid/squid.keytab Keytab name: FILE:/etc/squid/squid.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (arcfour-hmac) 8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96) 8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96) 8 12/21/13 19:32:36 HTTP/proxy02.deeplayer....@deeplayer.com (arcfour-hmac) 8 12/21/13 19:32:36 HTTP/proxy02.deeplayer....@deeplayer.com (aes128-cts-hmac-sha1-96) 8 12/21/13 19:32:36 HTTP/proxy02.deeplayer....@deeplayer.com (aes256-cts-hmac-sha1-96) The content of my squid.conf file: [root@proxy01 ~]# more /etc/squid/squid.conf # # Recommended minimum configuration: # acl manager proto cache_object acl localhost src 127.0.0.1/32 ::1 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -i -s HTTP/proxy02.deeplayer....@deeplayer.com auth_param negotiate children 10 auth_param negotiate keep_alive on auth_param basic credentialsttl 2 hours acl ad_auth proxy_auth REQUIRE # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT # # Recommended minimum Access Permission configuration: # # Only allow cachemgr access from localhost http_access allow manager localhost http_access deny manager # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user #http_access deny to_localhost # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # # Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed #http_access allow localnet #http_access allow localhost http_access allow ad_auth # And finally deny all other access to this proxy http_access deny all # Squid normally listens to port 3128 http_port 3128 # We recommend you to use at least the following line. hierarchy_stoplist cgi-bin ? # Uncomment and adjust the following to add a disk cache directory. #cache_dir ufs /var/spool/squid 100 16 256 # Leave coredumps in the first cache dir coredump_dir /var/spool/squid # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-proxy-kerberos-authentication-failure-Help-tp4663964.html Sent from the Squid - Users mailing list archive at Nabble.com.
