Hi Markus,
I have already defined Windows Server as WINS and DNS for windows client.
I check again the messages between IE8 and Windows Server and I verify
there are AS-REQ, AS-REP, TGS-REQ and TGS-REP packages (for non domain
member).
To me, seems like the API SSPI, that firefox use, first try NTLM and
second try kerberos. But firefox deny the second try.
And i don't know how to sort out this problem.
Regards
Jose
Markus Moeller wrote:
Firstly for non domain members you can not get SSO with
Negotiate/Kerberos (as far as I know). When you get the popup
asking for a username/password and you provide u...@domain with the
password the client tries to find the domain controller using some
Windows protocols. I think if unsuccessful it will try NTLM with its
hostname as domain. To help the client finding the AD domain
controller you should provide via DHCP or hardcoded a WINS server
which has the domain information.
Regards
Markus
"Jose Lopes" <jlo...@iportalmais.pt> wrote in message
news:4b56f8d7.4060...@iportalmais.pt...
Hi Markus,
Using firefox at windows machine (not domain member)
- kerbtray don't show any credentials
- I don't have traffic at port 88.
- Don't work.
Using IE8 at windows machine (not domain member)
- kerbtray don't show any credentials
- At port 88 there are a TGS-REQ and a TGS-REP
- It works
Using firefox at windows machine (domain member of windows server)
- kerbtray show me the user principal and the service principal
HTTP/squid.domain.
- At port 88 there are a TGS-REQ and a TGS-REP
- It works
Using IE8 at windows machine (domain member of windows server)
- kerbtray show me the user principal and the service principal
HTTP/squid.domain.
- At port 88 there are a TGS-REQ and a TGS-REP
- It works
Regards
Jose
Markus Moeller wrote:
Hi Jose
Can you install kerbtray from the resource kit
http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
and start it ? It should list if you have got a TGS for
HTTP/squid.domain.
Also can you capture port 88(Kerberos) traffic on the client with
wireshark ? When you login you should see an AS REQ and REP and
when firefox authenticates to the proxy you should se a TGS REQ
for HTTP/squid.domain.
If not can you send me the capture to have a look at it ?
Regards Markus
"Jose Lopes" <jlo...@iportalmais.pt> wrote in message
news:4b5596bb.8010...@iportalmais.pt...
Hi,
I have the same problem. I have already set
network.negotiate-auth.trusted-uris to proxy domain. At the
firefox (FF) log appears: 0[825140]: service = squid.domain
0[825140]: using negotiate-sspi 0[825140]: nsAuthSSPI::Init
0[825140]: InitSSPI 0[825140]: Using SPN of [HTTP/squid.domain]
0[825140]: nsHttpNegotiateAuth::GenerateCredentials()
[challenge=Negotiate] 0[825140]: entering
nsAuthSSPI::GetNextToken() 0[825140]: Sending a token of length
40 0[825140]: nsHttpNegotiateAuth::GenerateCredentials()
[challenge=Negotiate] 0[825140]: entering
nsAuthSSPI::GetNextToken() 0[825140]: Cannot restart
authentication sequence!
The http messages between squid an FF are:
FF -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
SQUID -> FF HTTP/1.0 407 Proxy Authentication Required Server:
squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...]
FF -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
Proxy-Authorization: Negotiate
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
SQUID -> FF HTTP/1.0 407 Proxy Authentication Required Server:
squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...]
I have already IE working, and the http seems similar.
IE -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
SQUID -> IE HTTP/1.0 407 Proxy Authentication Required Server:
squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...]
IE -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
Proxy-Authorization: Negotiate
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
SQUID -> IE HTTP/1.0 407 Proxy Authentication Required Server:
squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...]
IE -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
Proxy-Authorization: Negotiate
YIIE+gYGKwYBBQUCoIIE7jCCBOqgJDAiBgkqhkiC9xIBAgIGC[...] [...]
SQUID -> IE HTTP/1.0 200 OK [...] Proxy-Authentication-Info:
Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICoo[...] [...]
Seems like at first IE use NTLM and at second use kerberos.
I think FF is similar, but FF don't allow the second iteration.
How can I put kerberos as first iteration?
Thanks in advance Regards Jose
Markus Moeller wrote:
The message parseNegTokenInit failed with rc=102 just means the
token is not a GSSAPI token wrapped in a SPNEGO token, but a
plain GSSAPI token. When you use firefox you have to do a kinit
first to store the AS token in the Kerberos cache for Firefox
to use and I think Firfox has to be configured with
network.negotiate-auth.trusted-uris to be set to the domains of
your proxy server.
Regards Markus
"Umesh Bodalina" <u.bodal...@gmail.com> wrote in message
news:c3b47c041001181054n7091ea3aj761a508938de7...@mail.gmail.com...
Hi Markus Sorry yes you were right, it was DNS.
In our environment we are running two DNS servers. One using MS
DNS and the other using unix BIND. The linux server was added
to the unix DNS (with name proxy1.domain.com) but not to the MS
DNS which was authority for ad.domain.com. Now that I think
about it our MS DNS has issues doing reverse lookups for IPs
that the unix DNS is authority for (which in this case was
proxy1.domain.com).
I changed linux server name to proxy1.ad.domain.com and now the
squid_kerb_auth_test works. Using your squid_kerb_auth
(version 1.0.5) I get: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
u...@ad.domain.com 2010/01/18 20:25:10| squid_kerb_auth: AF
oRQwEqADCgEAoQsGCSqGSIb3EgECAg== u...@ad.domain.com When I try
the same thing with the auth from squid-2.7.STABLE7.tar.bz2 I
get 2010/01/18 20:29:07| squid_kerb_auth: parseNegTokenInit
failed with rc=102 AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
u...@ad.domain.com 2010/01/18 20:29:07| squid_kerb_auth: AF
oRQwEqADCgEAoQsGCSqGSIb3EgECAg== u...@ad.domain.com Is the
parseNegTokenInit failed with rc=102 ok?
I then tried running squid and used Firefox 3.5.7. I got the
following error from squid cache:
authenticateNegotiateHandleReply: Failed validating user via
Negotiate. Error returned 'type 1 NTLM token'
Any ideas? Also I don't get any authentication popups for
userid and password...
A sample of the log: 2010/01/18 20:47:58| squid_kerb_auth: Got
'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=='
from squid (length: 59). 2010/01/18 20:47:58| squid_kerb_auth:
parseNegTokenInit failed with rc=101 2010/01/18 20:47:58|
squid_kerb_auth: received type 1 NTLM token 2010/01/18
20:47:58| do_comm_select: 1 fds ready 2010/01/18 20:47:58|
cbdataValid: 0x1838d448 2010/01/18 20:47:58|
helperStatefulHandleRead: 30 bytes from negotiateauthenticator
#1. 2010/01/18 20:47:58| commSetSelect: FD 7 type 1 2010/01/18
20:47:58| helperStatefulHandleRead: end of reply found
2010/01/18 20:47:58| cbdataValid: 0x18648bb8 2010/01/18
20:47:58| cbdataValid: 0x185cad18 2010/01/18 20:47:58|
helperStatefulReleaseServer: 0x1838d448 2010/01/18 20:47:58|
helperStatefulReset: 0x1838d448 2010/01/18 20:47:58|
StatefulGetFirstAvailable: Running servers 10. 2010/01/18
20:47:58| authenticateNegotiateHandleReply: Failed validating
user via Negotiate. Error returned 'type 1 NTLM token'
2010/01/18 20:47:58| authenticateValidateUser: Validated
Auth_user request '0x18648960'. 2010/01/18 20:47:58|
cbdataValid: 0x183561a8 2010/01/18 20:47:58| aclCheck: checking
'http_access deny !password' 2010/01/18 20:47:58|
aclMatchAclList: checking !password 2010/01/18 20:47:58|
aclMatchAcl: checking 'acl password proxy_auth REQUIRED'
2010/01/18 20:47:58| authenticateValidateUser: Validated
Auth_user request '0x18648960'. 2010/01/18 20:47:58|
authenticateNegotiateAuthenticateUser: need to challenge client
'received'! 2010/01/18 20:47:58| authenticateValidateUser:
Validated Auth_user request '0x18648960'. 2010/01/18 20:47:58|
aclAuthenticated: returning 0 sending authentication challenge.
2010/01/18 20:47:58| aclCheck: match found, returning 2
2010/01/18 20:47:58| cbdataUnlock: 0x183561a8 2010/01/18
20:47:58| aclCheckCallback: answer=2 2010/01/18 20:47:58|
cbdataValid: 0x185ca298 2010/01/18 20:47:58| The request GET
http://en-gb.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
is DENIED, because it matched 'password'
My acl for this was: 'http_access deny !password'
Regards Umesh
2010/1/16 Markus Moeller <hua...@moeller.plus.com>:
Can you check your DNS you should get for
nslookup name an ip and for the reverse nslookup ip the same
name.
Which Kerberos libraries do you use ? Heimdal or MIT and
which release ?
Markus
"Umesh Bodalina" <u.bodal...@gmail.com> wrote in message
news:c3b47c041001160337k68a1313g1863689383a15...@mail.gmail.com...
Hi
When I tried ./squid_kerb_auth_test proxy1 or
./squid_kerb_auth_test proxy1.domain.com I got 2010/01/16
12:31:47| squid_kerb_auth_test: gss_init_sec_context()
failed: Unspecified GSS failure. Minor code may provide more
information. Unknown code krb5 7 Token: NULL
But I got a token if I used ./squid_kerb_auth_test domain.com
or ./squid_kerb_auth_test adserver.domain.com
Using this token and squid auth in the same directory I got
squid_kerb_auth: gss_accept_sec_context() failed: Unspecified
GSS failure. Minor code may provide more information. No
error BH gss_accept_sec_context() failed: Unspecified GSS
failure. Minor code may provide more information. No error
Using the same token on the latest compiled squid
/usr/local/squid/libexec/squid_kerb_auth -d I got
2010/01/16 12:55:58| squid_kerb_auth: parseNegTokenInit
failed with rc=102 2010/01/16 12:55:58| squid_kerb_auth:
gss_accept_sec_context() failed: Unspecified GSS failure.
Minor code may provide more information. No error NA
gss_accept_sec_context() failed: Unspecified GSS failure.
Minor code may provide more information. No error
Any ideas? Regards Umesh
2010/1/15 Markus Moeller <hua...@moeller.plus.com>:
There should be a squid_kerb_auth_test application in the
same source directory as squid_kerb_auth.
Do a kinit u...@domain and then a squid_kerb_auth_test
squid-fqdn which should give you a token like:
Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
which you can the use with squid_kerb_auth like
export KRB5_KTNAME=/path-to-squid.keytab. ./squid_kerb_auth
-d YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
2010/01/15 14:40:29| squid_kerb_auth: Got 'YR
YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid
(length: 775). 2010/01/15 14:40:29| squid_kerb_auth: Decode
'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length:
577). AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== mar...@suse.home
2010/01/15 14:40:29| squid_kerb_auth: AF
oRQwEqADCgEAoQsGCSqGSIb3EgECAg== mar...@suse.home
Regards Markus
"Markus Moeller" <hua...@moeller.plus.com> wrote in message
news:hipnhp$hs...@ger.gmane.org...
When you use ktpass or msktutil you have to specify a
different AD object then your samba object and remove the
HTTP/... entries as service principal from your samba AD
object. If you want to have only one AD object you have
to use the net keytab command as described in the wiki.
Regards Markus
"Umesh Bodalina" <u.bodal...@gmail.com> wrote in message
news:c3b47c041001150053n290d6443q830770300636a...@mail.gmail.com...
Hi Ok. Did that now and I got:
kvno HTTP/proxy1.domain.com HTTP/pro...@domain.com: kvno
= 5
This number is different from the the keytab number. How
do I correct this?
Yes I did use samba (net ads join -U adminuserid). Then I
tried the msktutil. Then finally ktpass.
During the net ads join I got:
# net ads join -U userid userid's password: Using short
domain name -- DOMAIN DNS update failed! Joined 'PROXY1'
to realm 'DOMAIN.COM'
Is the DNS update a problem?
Regards Umesh
2010/1/15 Markus Moeller <hua...@moeller.plus.com>:
Sorry I forgot to say that you have to do a kinit
adu...@realm before you issue the kvno command. Did you
use the sambe netjoin command to create the as account
and the keytab ?
Markus
"Umesh Bodalina" <u.bodal...@gmail.com> wrote in
message
news:c3b47c041001140513s2af2a25fp7e103af29dfc3...@mail.gmail.com...
Hi Markus I've checked with ADSIEDIT and found a single
entry for the linux server named proxy1. Clicking on
it's properties I found the following entries for
service Principal Name:
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
On the linux box:
# klist -ekt /etc/squid/HTTP.keytab Keytab name:
FILE:/etc/squid/HTTP.keytab KVNO Timestamp Principal
---- -----------------
--------------------------------------------------------
7 01/01/70 02:00:00
HTTP/proxy1.domain....@ad.domain.com (ArcFour with
HMAC/md5)
# kvno HTTP/proxy1.domain.com kvno: Ticket expired
while getting credentials for
HTTP/proxy1.domain....@ad.domain.com # kvno HTTP/proxy1
kvno: Ticket expired while getting credentials for
HTTP/pro...@ad.domain.com
Should I remove the entry on AD, rejoin the pc to AD
and create the keytab again? Which mechanism should I
use to create the keytab? Is my DNS correct if the pc
came up on AD as proxy1 should it be the fqdn
(proxy1.domain.com)?
Regards Umesh
2010/1/13 Markus Moeller <hua...@moeller.plus.com>:
On AD you can use ADSIEDIT (
http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx
) to search for entries and delete,modify them. The
best instructions are
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
Let me know what you get once you deleted the old
entry. Another check is to use the kvno tool which
you should have when you use MIT Kerberos.
#kvno HTTP/f...@realm should give the same number as
klist -ekt squid.keytab e.g.
# klist -ekt /etc/squid/squid.keytab Keytab name:
FILE:/etc/squid/squid.keytab KVNO Timestamp Principal
---- -----------------
--------------------------------------------------------
3 11/25/08 20:54:17
HTTP/opensuse11.suse.h...@suse.home (ArcFour with
HMAC/md5) 3 11/25/08 20:54:17
HTTP/opensuse11.suse.h...@suse.home (Triple DES cbc
mode with HMAC/sha1) 3 11/25/08 20:54:17
HTTP/opensuse11.suse.h...@suse.home (DES cbc mode
with CRC-32)
#kvno HTTP/opensuse11.suse.home
HTTP/opensuse11.suse.h...@suse.home: kvno = 3
Regards Markus
"Umesh Bodalina" <u.bodal...@gmail.com> wrote in
message
news:c3b47c041001130210i6299c910g51bb3a2ffa5c...@mail.gmail.com...
Hi, I'm new to this. I've run the following command
on the server:
ldapsearch -L -x -D "aduser" -w "password" -h
domainfqdn -p 389 -b "OU=name,DC=domain,DC=com"
"serviceprincipalname=HTTP/f...@realm"
and get # # LDAPv3 # base <OU=name,DC=domain,DC=com>
with scope subtree # filter:
serviceprincipalname=HTTP/f...@realm # requesting:
ALL #
# search result
# numResponses: 1
Is it possible to check directly on AD if this
service principal name exits? How else can I test if
this keytab works? If I create a new keytab what is
the procedure of getting rid of the old one and
retesting (what should be done on AD and the linux
box)?
Are there any docs that will help me with this?
Sorry for being a pain and thanks again. Regards
Umesh
2010/1/13 Markus Moeller <hua...@moeller.plus.com>:
Can you check with an ldap query (e.g. with
ldapadmin from sourceforge) or search with a filter
"(serviceprincipalname=HTTP/f...@realm)" if you
have duplicate entries ?
This kinit -k -t /etc/squid/squid.keytab
HTTP/f...@realm.kerberos will only work if the
userprincipal name is HTTP/f...@realm.kerberos
which I think is not the case with ktpass.
Regards Markus
"Umesh Bodalina" <u.bodal...@gmail.com> wrote in
message
news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e...@mail.gmail.com...
Hi,
I'm trying to get the squid helper
squid_kerb_auth to work against our Active
Directory (win 2003 sp2).
I've compiled the latest squid version
(squid-2.7.STABLE7)on CentOS 5.4 64 bit.
Squid Cache: Version 2.7.STABLE7 configure
options: '--prefix=/usr/local/squid'
'--disable-wccp' '--disable-wccpv2'
'--enable-large-cache-files' '--with-large-files'
'--enable-delay-pools'
'--enable-cachemgr-hostname' '=fqdn'
'--enable-ntlm-auth-helpers=SMB'
'--enable-auth=basic,ntlm,negotiate'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-snmp'
A keytab file was create on AD for squid
(HTTP/squid.dom...@realm.kerberos)
ktpass -princ HTTP/f...@realm -mapuser squiduser
-pass password -out HTTP.keytab
Transferred the file on the CentOS server and
placed it in /etc/squid/HTTP.keytab
kinit -k -t /etc/squid/squid.keytab
HTTP/f...@realm.kerberos
I get the error message: kinit(v5): Client not
found in Kerberos database while getting initial
credentials
I've also tried creating the keytab file using
msktutil or samba according to the following doc:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
I get the same error.
How do I sort out this problem?
Thanks in advance. Regards Umesh
