Hi Pedro,
I looked at your captures and I observed something similar to Victor’s
issue. I see KRB5KRB_AP_ERR_MODIFIED and then the use of the name of the AD
object (e.g. proxy$) instead of HTTP/<proxy fqdn>. I also see that you have
more than one AD server and I assume there is a sync problem between your AD
servers ( You said it start working after removing an unused AD server which
would support y assumption).
Regards
Markus
"Pedro Lobo" <pal...@gmail.com> wrote in message
news:09275cec-abc1-4bc6-b4f3-546e8c5d3...@gmail.com...
Hi Markus,
When I get in to the office tomorrow, I'll do that and send you the .cap file.
Thanks for all the help so far.
Pedro Lobo
On 27 Oct 2014, at 20:53, Markus Moeller <hua...@moeller.plus.com> wrote:
Hi Pedro,
Can you capture the traffic from one Windows 7 on XP client on port 88 (
just after the login before access a website via squid until successful or
unsuccessful accessing the website) using wireshark ? Send me the .cap files
to check.
Markus
"Pedro Lobo" <pal...@gmail.com> wrote in message
news:b4adceec-5a53-4212-b16c-106237fc4504@Pedros-iPhone...
Hi Markus Moeller,
Hi Markus,
Yeah, I'm currently using that option and permissions are correct too.
On 27 Oct 2014 19:47, Markus Moeller wrote:
Hi Pedro,
Did you try the –s GSS_C_NO_NAME option ?
Markus
"Pedro Lobo" <pal...@gmail.com> wrote in message
news:94f74226-f24b-4910-95b7-b86ace815...@gmail.com...
Hey Everybody,
Seems as though I celebrated too soon on Saturday. Today things are back to
not working for Windows 7+ machines and XP/2003 machines are working just fine.
I've also checked the permissions on the keytab file and they haven't
changed since Saturday, so it's not that... ARGH!!!!
Craving ideas and solutions right now... Pilot users are less than
satisfied ;)
Cheers,
Pedro
On 25 Oct 2014, at 14:13, Markus Moeller wrote:
Hi Pedro,
I wonder if he upper case in the name is a problem. Can you try
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d
-r -s GSS_C_NO_NAME
instead of
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d
-r -s HTTP/proxy01tst.fake.net
Markus
"Pedro Lobo" pal...@gmail.com wrote in message
news:fd6832b9-3f1f-48c6-a76f-47a224f16...@gmail.com...
Hi Markus,
I used msktutil to create the keytab.
msktutil -c -s HTTP/proxy01tst.fake.net -h proxy01tst.fake.net -k
/etc/squid3/PROXY.keytab --computer-name proxy01-tst --upn
HTTP/proxy01tst.fake.net --server srv01.fake.net --verbose
Output of klist -ekt:
2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (arcfour-hmac)
2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes128-cts-hmac-sha1-96)
2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes256-cts-hmac-sha1-96)
2 10/24/2014 22:59:50 HTTP/proxy01tst.fake....@fake.net (arcfour-hmac)
2 10/24/2014 22:59:50 HTTP/proxy01tst.fake....@fake.net
(aes128-cts-hmac-sha1-96)
2 10/24/2014 22:59:50 HTTP/proxy01tst.fake....@fake.net
(aes256-cts-hmac-sha1-96)
2 10/24/2014 22:59:50 host/proxy01tst.fake....@fake.net (arcfour-hmac)
2 10/24/2014 22:59:50 host/proxy01tst.fake....@fake.net
(aes128-cts-hmac-sha1-96)
2 10/24/2014 22:59:50 host/proxy01tst.fake....@fake.net
(aes256-cts-hmac-sha1-96)
Yep, using MIT Kerberos
Thanks in advance for any help.
Cheers,
Pedro
On 25 Oct 2014, at 1:26, Markus Moeller wrote:
Hi Pedro,
How did you create your keytab ? What does klist –ekt <squid.keytab> show
( I assume you use MIT Kerberos) ?
Markus
"Pedro Lobo" pal...@gmail.com wrote in message
news:40e1e0e7-50c6-4117-94aa-50b065734...@gmail.com...
Hi Squid Gurus,
I'm at my wit's end and in dire need of some squid expertise.
We've got a production environment with a couple of squid 2.7 servers
using NTLM and basic authentication. Recently though, we decided to upgrade and
I'm now setting up squid 3.3 with Kerberos and NTLM Fallback. I've followed
just about every guide I could find and in my testing environment, things were
working great. Now that I've hooked it up to the main domain, things are awry.
If I use a machine that's not part of the domain, NTLM kicks in and I can
surf the web fine. If I use a Windows XP or Windows Server 2003, kerberos works
just fine, however, if I use a machine Windows 7, 8 or 2008 server, I keep
getting a popup asking me to authenticate and even then, it's and endless loop
until it fails. My cache.log is littered with:
negotiate_kerberos_auth.cc(200): pid=1607 :2014/10/24 23:03:01|
negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified
GSS failure. Minor code may provide more information.
2014/10/24 23:03:01| ERROR: Negotiate Authentication validating user.
Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure.
Minor code may provide more information. '
The odd thing, is that this has worked before. Help me Obi Wan... You're
my only hope! :)
Current Setup
Squid 3.3 running on Ubuntu 14.04 server. It's connected to a 2003 server
with function level 2000 (I know, we're trying to fase out the older servers).
krb5.conf
[libdefaults]
default_realm = FAKE.NET
dns_lookup_kdc = yes
dns_lookup_realm = yes
ticket_lifetime = 24h
default_keytab_name = /etc/squid3/PROXY.keytab
; for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
FAKE.NET = {
kdc = srv01.fake.net
kdc = srv02.fake.net
kdc = srv03.fake.net
admin_server = srv01.fake.net
default_domain = fake.net
}
[domain_realm]
.fake.net = FAKE.NET
fake.net = FAKE.NET
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
squid.conf
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d
-r -s HTTP/proxy01tst.fake.net
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=FAKE.NET
auth_param ntlm children 10
auth_param ntlm keep_alive off
Cheers,
Pedro
Cumprimentos
Pedro Lobo
Solutions Architect | System Engineer
pedro.l...@pt.clara.net
Tlm.: +351 939 528 827 | Tel.: +351 214 127 314
Claranet Portugal
Ed. Parque Expo
Av. D. João II, 1.07-2.1, 4º Piso
1998-014 Lisboa
www.claranet.pt
Empresa certificada ISO 9001, ISO 20000 e ISO 27001
--------------------------------------------------------------------------
--------------------------------------------------------------------------
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
--------------------------------------------------------------------------
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Cumprimentos
Pedro Lobo
Solutions Architect | System Engineer
pedro.l...@pt.clara.net
Tlm.: +351 939 528 827 | Tel.: +351 214 127 314
Claranet Portugal
Ed. Parque Expo
Av. D. João II, 1.07-2.1, 4º Piso
1998-014 Lisboa
www.claranet.pt
Empresa certificada ISO 9001, ISO 20000 e ISO 27001
--------------------------------------------------------------------------
--------------------------------------------------------------------------
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
--------------------------------------------------------------------------
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
----------------------------------------------------------------------------
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
------------------------------------------------------------------------------
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
--------------------------------------------------------------------------------
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
