"Markus Moeller" <hua...@moeller.plus.com> wrote in message news:h0gs7v$mk...@ger.gmane.org...
>
----- Original Message -----
From: "Truth Seeker" <truth_seeker_3...@yahoo.com>
To: "Markus Moeller" <hua...@moeller.plus.com>
Cc: "Squid maillist" <squid-users@squid-cache.org>
Sent: Sunday, June 07, 2009 10:23 AM
Subject: Re: [squid-users] Re: Re: Re: Squid + Kerberos + Active Directory


Dear Markus,

After trying all the possible ways, I got, at least once, an error message in cache.log:

2009/06/07 11:31:46| AuthConfig::CreateAuthUser: Unsupported or unconfigured/inactive proxy-auth scheme, 'NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=='


So IE or Firefox don't do negotiate.


After that I didn't get this message at all.

My client is Win XP with IE 6 and Firefox 3.0.10. It's working really fine behind the MS ISA Server.

But no way behind Squid???



BTW IE 6 does not support negotiate for proxy authentication if I remember right. You need IE 7 or higher.

Because squid is configured for negotiate/kerberos, can you do the following in Firefox:

1) Type about:config in the URL bar
2) In the filter type nego
3) double click on network.negotiate-auth.trusted-uris
4) Enter .panasonic.com
5) Try again

If that does not work, can you run the attached binary on your XP desktop as follows:

getTGT -p HTTP/linuxproxy.panasonic.com

You should get an output like:

getTGT.exe -p HTTP/w2k3r2.win2003r2.home
2009/06/07 17:50:42| getTGT[5180]: Info: Context Key Information:
2009/06/07 17:50:42| getTGT[5180]:       Signature Algorithm: (-138)
2009/06/07 17:50:42| getTGT[5180]:       Encryption Algorithm: RSADSI RC4-HMAC(23)
2009/06/07 17:50:42| getTGT[5180]:       Key Size: 128
2009/06/07 17:50:42| getTGT[5180]: Info: Context Session Key Length: 16
2009/06/07 17:50:42| getTGT[5180]: Info: Context Client Native Name: administra...@win2003r2.home
2009/06/07 17:50:42| getTGT[5180]: Info: Context Server Native Name: HTTP/w2k3r2.win2003r2.h...@win2003r2.home
2009/06/07 17:50:42| getTGT[5180]: Info: Context Start Time: 2009/06/07 17:50:42
2009/06/07 17:50:42| getTGT[5180]: Info: Context End Time: 2009/06/08 03:42:29
2009/06/07 17:50:42| getTGT[5180]: Info: Credential User Principal Name: administra...@win2003r2.home
2009/06/07 17:50:42| getTGT[5180]: Info: Credential ExpiryTime: 2009/06/08 03:42:29

and a klist tickets should give:

C:\WINNT\Profiles\Administrator.WIN2003R2.000>klist tickets

Cached Tickets: (2)

  Server: krbtgt/win2003r2.h...@win2003r2.home
     KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
     End Time: 6/8/2009 3:42:29
     Renew Time: 6/14/2009 17:42:29


  Server: HTTP/w2k3r2.win2003r2.h...@win2003r2.home
     KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
     End Time: 6/8/2009 3:42:29
     Renew Time: 6/14/2009 17:42:29


C:\WINNT\Profiles\Administrator.WIN2003R2.000>


klist is part of the resource kit tools (http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en)

If getTGT gives an error like:
2009/06/07 17:55:10| getTGT[3640]: InitializeSecurityContext failed: SEC_E_TARGET_UNKNOWN

it means that either the KDC does not have a principal with that name or the client does not have a valid user ticket, which can be checked with klist tgt:

C:\WINNT\Profiles\Administrator.WIN2003R2.000>klist tgt

Cached TGT:

ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: Administrator
DomainName: WIN2003R2.HOME
TargetDomainName: WIN2003R2.HOME
AltTargetDomainName: WIN2003R2.HOME
TicketFlags: 0x40e00000
KeyExpirationTime: 1/1/1601 1:00:00
StartTime: 6/7/2009 17:42:29
EndTime: 6/8/2009 3:42:29
RenewUntil: 6/14/2009 17:42:29
TimeSkew: 1/1/1601 1:00:00



I captured the following types of traffic:

a. My XP Client + IE 6  <---> ISA Server
b. MY XP Client + IE 6  <---> squid-3.0.STABLE13-1.el5 + CentOS 5.2
c. more auth packet level details of Client <-> ISA Server
d. more auth packet level details of Client <-> Squid


Please see the attachments; I am hoping for a way to resolve the issue.


From all this, what I understood is that the client is trying to do NTLM auth, but the server doesn't support it. OK, if this is the case, how can I tell the client not to use NTLM and just use Kerberos? Second case, how can I configure squid to handle NTLM-based authentication?


There are NTLM helpers available as part of the squid package. Or better, use the samba ntlm_auth helper.


Guide me please...


Regards
Markus
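As an added illustration, not part of the original thread and not Squid's or Microsoft's code: the cache.log line quoted above carries the client's base64-encoded NTLM NEGOTIATE_MESSAGE, and decoding it shows directly that the browser fell back to NTLM rather than presenting a Kerberos/SPNEGO token. The log line and token are the ones from the message; the field layout follows MS-NLMP (NEGOTIATE_MESSAGE and NegotiateFlags); the regular expression, the `triage_cache_log_line` helper and its diagnosis strings are my own additions, and the assumption that a GSS-API token starts with the DER APPLICATION 0 tag (0x60) comes from RFC 2743.

```python
import base64
import re
import struct

# The cache.log line quoted in the thread; the value after "NTLM " is the
# client's NTLM NEGOTIATE_MESSAGE exactly as Squid logged it.
SAMPLE_LOG_LINE = (
    "2009/06/07 11:31:46| AuthConfig::CreateAuthUser: Unsupported or "
    "unconfigured/inactive proxy-auth scheme, "
    "'NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=='"
)

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Subset of NegotiateFlags from MS-NLMP 2.2.2.5, bit -> name.
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# My own pattern for Squid's "unsupported proxy-auth scheme" message (an assumption,
# written to match the line above, not taken from Squid's source).
LOG_RE = re.compile(r"proxy-auth scheme, '(?P<scheme>\w+) (?P<token>[A-Za-z0-9+/=]+)'")


def classify_token(b64: str) -> str:
    """Tell a raw NTLMSSP blob from a GSS-API (SPNEGO/Kerberos) token.

    A GSS-API InitialContextToken (RFC 2743) is DER with the APPLICATION 0
    tag, so its first byte is 0x60; a browser doing real Negotiate sends that.
    """
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "NTLMSSP"
    if raw[:1] == b"\x60":
        return "GSSAPI"
    return "unknown"


def parse_ntlm_message(b64: str) -> dict:
    """Decode the NTLMSSP header; for a NEGOTIATE_MESSAGE (type 1) also decode
    the flags, the optional domain/workstation fields and the client OS version."""
    raw = base64.b64decode(b64)
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP token")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    info = {"message_type": msg_type}
    if msg_type != 1 or len(raw) < 32:
        return info
    (flags,) = struct.unpack_from("<I", raw, 12)
    info["flags"] = flags
    info["flag_names"] = [name for bit, name in sorted(NEGOTIATE_FLAGS.items()) if flags & bit]
    # DomainName and Workstation fields are each Len(2) MaxLen(2) Offset(4), little-endian.
    dom_len, _, dom_off = struct.unpack_from("<HHI", raw, 16)
    ws_len, _, ws_off = struct.unpack_from("<HHI", raw, 24)
    info["domain"] = raw[dom_off:dom_off + dom_len].decode("ascii", "replace")
    info["workstation"] = raw[ws_off:ws_off + ws_len].decode("ascii", "replace")
    # Version field (present when NEGOTIATE_VERSION is set): major, minor, build, reserved, revision.
    if flags & 0x02000000 and len(raw) >= 40:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)
        info["client_os_version"] = f"{major}.{minor}.{build}"
    return info


def triage_cache_log_line(line: str) -> dict:
    """Explain what the client actually sent in a Squid 'unsupported proxy-auth scheme' line."""
    m = LOG_RE.search(line)
    if not m:
        return {"scheme": None, "token_kind": None, "diagnosis": "no proxy-auth token found in line"}
    scheme, token = m.group("scheme"), m.group("token")
    kind = classify_token(token)
    result = {"scheme": scheme, "token_kind": kind}
    if kind == "NTLMSSP":
        result["ntlm"] = parse_ntlm_message(token)
        result["diagnosis"] = (
            "client sent raw NTLMSSP, not a Kerberos/SPNEGO token; it presented no service "
            "ticket for the proxy, so a Negotiate/Kerberos-only Squid rejects it"
        )
    elif kind == "GSSAPI":
        result["diagnosis"] = "client sent a GSS-API (SPNEGO/Kerberos) token; check the Negotiate helper setup"
    else:
        result["diagnosis"] = "unrecognised token format"
    return result


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage_cache_log_line(SAMPLE_LOG_LINE))
```

Run against the quoted line, the decoded flags include NEGOTIATE_NTLM and NEGOTIATE_VERSION, and the version field reads 5.1.2600, i.e. a Windows XP client, which agrees with the description in the thread; the classifier also handles the other common failure, a `Negotiate` header that nonetheless carries raw NTLMSSP instead of a SPNEGO token.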




