Re: [squid-users] Negotiate Kerberos Auth - BH Invalid request

2017-06-13 Thread L.P.H. van Belle
First, it is very handy to know your OS and the Samba and Squid versions used.

Second,
Squid/RADIUS etc.: anything that uses NTLMv1 with Samba stopped working after
4.5.0.
I think your main problem can be explained by this extract from the release
notes for 4.5.0:

NTLMv1 authentication disabled by default

-

In order to improve security we have changed the default value for the "ntlm
auth" option from "yes" to "no".
This may have an impact on very old clients which don't support NTLMv2 yet.

The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.

By default, Samba will only allow NTLMv2 via NTLMSSP now,
as we have the following defaults: "lanman auth = no", "ntlm auth = no" and "raw
NTLMv2 auth = no".

Greetz,

Louis

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
Kevin Mühlparzer
Sent: Tuesday, 13 June 2017 14:00
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Negotiate Kerberos Auth - BH Invalid request




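The release-note extract Louis quotes is about a single smb.conf default. The following Python is an added example, not Samba, Squid or list-member code: it parses the [global] section of an smb.conf and reports whether the effective "ntlm auth" value still admits NTLMv1. The Samba version is supplied by the caller because the default flipped in 4.5.0; the named values beyond yes/no ("ntlmv1-permitted", "ntlmv2-only", "mschapv2-and-ntlmv2-only", "disabled") are the ones Samba documents from 4.7 onward. Both smb.conf samples are constructed.

```python
"""Report whether an smb.conf still admits NTLMv1.

Added example, not Samba or Squid code. Samba 4.5.0 changed the "ntlm auth"
default from "yes" to "no" (the release-note text quoted above); Samba 4.7
added the named values handled below. Both smb.conf samples are constructed.
"""
import re
from typing import Dict, Tuple

# Documented "ntlm auth" values and what they mean for a plain NTLMSSP
# exchange (the path Squid's ntlm_auth helper uses).
_NTLMV1_PERMITTED = {"yes", "true", "1", "ntlmv1-permitted"}
_NTLMV1_REFUSED = {"no", "false", "0", "ntlmv2-only", "disabled"}
_MSCHAPV2_ONLY = "mschapv2-and-ntlmv2-only"   # NTLMv1 only for MSCHAPv2 callers


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {key: value}}.

    Section names and keys are lower-cased and whitespace inside keys is
    collapsed, so "NTLM  Auth" and "ntlm auth" are the same parameter, as in
    Samba. Comment lines start with '#' or ';'; smb.conf has no inline
    comments, so none are stripped from values here either.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        current[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections


def effective_ntlm_auth(smb_conf: str, samba_version: Tuple[int, int]) -> str:
    """Explicit [global] "ntlm auth" value, or the default for that version."""
    value = parse_smb_conf(smb_conf).get("global", {}).get("ntlm auth")
    if value is None:
        return "no" if samba_version >= (4, 5) else "yes"
    return value.lower()


def ntlmv1_allowed(setting: str, mschapv2: bool = False) -> bool:
    """Does this "ntlm auth" value accept an NTLMv1 response?

    mschapv2=True asks about the MSCHAPv2 path (ntlm_auth for VPN/802.1X),
    which "mschapv2-and-ntlmv2-only" keeps open while NTLMSSP stays v2-only.
    """
    setting = setting.lower()
    if setting in _NTLMV1_PERMITTED:
        return True
    if setting in _NTLMV1_REFUSED:
        return False
    if setting == _MSCHAPV2_ONLY:
        return mschapv2
    raise ValueError("unknown 'ntlm auth' value: %r" % setting)


# Constructed samples: one forces the pre-4.5 behaviour back on, the other
# relies on whatever the running Samba defaults to.
SMB_CONF_LEGACY = """
[global]
   workgroup = X-XXX
   security = ads
   ; re-enables NTLMv1 for clients that cannot do NTLMv2 (weak)
   ntlm auth = yes
"""
SMB_CONF_DEFAULT = """
[global]
   workgroup = X-XXX
   security = ads
"""


def report(smb_conf: str, samba_version: Tuple[int, int]) -> str:
    setting = effective_ntlm_auth(smb_conf, samba_version)
    state = "ACCEPTED" if ntlmv1_allowed(setting) else "refused"
    return "ntlm auth = %s -> NTLMv1 over NTLMSSP %s" % (setting, state)


if __name__ == "__main__":
    print(report(SMB_CONF_LEGACY, (4, 5)))
    print(report(SMB_CONF_DEFAULT, (4, 5)))   # the 4.5.0 default Louis quotes
    print(report(SMB_CONF_DEFAULT, (4, 4)))
```

As the quoted release notes say, NTLMv2 via NTLMSSP stays allowed under the new default, so a client that already sends NTLMv2 is unaffected; only NTLMv1-only clients and the MSCHAPv2 path change behaviour, and re-enabling "ntlm auth = yes" for them re-opens NTLMv1 for everyone.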

[squid-users] Negotiate Kerberos Auth - BH Invalid request

2017-06-13 Thread Kevin Mühlparzer
Hello list,


I asked about a problem with NTLM authentication before. (BH SPNEGO request 
invalid prefix; that's the error of the helper protocol 
"helper-protocol=squid-2.5-ntlmssp" I used with NTLM, while basic works fine.)

A user told me I should use negotiate_kerberos_auth instead of ntlm_auth.

Now here's my new problem:


root@x-x-testproxy01:/etc/squid# /usr/lib/squid/negotiate_kerberos_auth -d -s 
HTTP/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
negotiate_kerberos_auth.cc(487): pid=5305 :2017/06/13 13:29:41| 
negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(546): pid=5305 :2017/06/13 13:29:41| 
negotiate_kerberos_auth: INFO: Setting keytab to FILE:/etc/squid/HTTP.keytab
negotiate_kerberos_auth.cc(570): pid=5305 :2017/06/13 13:29:41| 
negotiate_kerberos_auth: INFO: Changed keytab to 
MEMORY:negotiate_kerberos_auth_5305
testuser xxx
negotiate_kerberos_auth.cc(610): pid=5305 :2017/06/13 13:29:47| 
negotiate_kerberos_auth: DEBUG: Got 'testuser xx' from squid (length: 18).
negotiate_kerberos_auth.cc(647): pid=5305 :2017/06/13 13:29:47| 
negotiate_kerberos_auth: ERROR: Invalid request [testuser xxx]
BH Invalid request
So my configuration has mistakes, but I can't find them. I don't really know 
where to search, or what works for sure. I tried many tutorials on krb5 and 
Samba. Every form of testing I tried works fine, except indeed the required 
Kerberos authentication of my Squid proxy.


Tests that come to my mind:

kinit a user

Warning: Your password will expire in 36 days on Don 20 Jul 2017 13:23:54 CEST



klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser@X-XXX.LOCAL

Valid starting   Expires  Service principal
2017-06-13 13:38:37  2017-06-13 23:38:37  krbtgt/X-XXX.LOCAL@X-XXX.LOCAL
renew until 2017-06-14 13:38:34


klist -k on my HTTP.keytab

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 X-X-TESTPROXY01$@X-XXX.LOCAL
   1 X-X-TESTPROXY01$@X-XXX.LOCAL
   1 X-X-TESTPROXY01$@X-XXX.LOCAL
   1 X-X-TESTPROXY01$@X-XXX.LOCAL
   1 X-X-TESTPROXY01$@X-XXX.LOCAL


basic auth using ntlm_auth

root@x-x-testproxy01:/etc/squid# /usr/bin/ntlm_auth 
--helper-protocol=squid-2.5-basic --username=testuser --password=
testuser xx
OK
testuser@x-xxx.local 
OK

wbinfo -u
administrator
testuser
...
wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
...

wbinfo --krb5auth=testuser%xxx
plaintext kerberos password authentication for [testuser%xxx] succeeded 
(requesting cctype: FILE)

wbinfo -t
checking the trust secret for domain X-XXX via RPC calls succeeded

wbinfo --authenticate=testuser%
plaintext password authentication succeeded
challenge/response password authentication succeeded

/usr/lib/squid/negotiate_kerberos_auth_test x-x-testproxy01.x-xxx.local
Token: 
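Two checks against the transcript above, as an added example (this is not Squid, Samba or the poster's code): the framing Squid uses on the Negotiate helper's stdin, and whether the keytab holds the principal named with -s. The keytab listing and the first 20 base64 characters of the token are taken from the post; the token is cut off there, so the validator reads the declared length but does not enforce it. The minimal SPNEGO token is constructed for the example.

```python
"""Two offline checks for the negotiate_kerberos_auth transcript above.
Added example; not Squid, Samba or the poster's code. KLIST_K_SAMPLE and the
first 20 base64 characters in PAGE_TOKEN_PREFIX are taken from the post; the
minimal SPNEGO token and everything else are constructed here."""
import base64
import binascii
import re
from typing import List, Tuple

GSS_APP0_TAG = 0x60                                     # [APPLICATION 0] CONSTRUCTED
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")      # OID 1.3.6.1.5.5.2
KRB5_OID_DER = bytes.fromhex("06092a864886f712010202")  # OID 1.2.840.113554.1.2.2
# The post's token is cut off; this prefix is enough to see the GSS-API tag,
# the outer length and the SPNEGO OID.
PAGE_TOKEN_PREFIX = "YIIFOgYGKwYBBQUCoIIF"
# klist -k output from the post, one line per distinct principal.
KLIST_K_SAMPLE = """Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 X-X-TESTPROXY01$@X-XXX.LOCAL
"""


def _der_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the DER length at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def validate_helper_request(line: str) -> Tuple[bool, str]:
    """Check one line Squid writes to the Negotiate helper's stdin.

    Valid requests are "YR <base64 token>" (first leg) and "KK <base64 token>"
    (later legs). The payload must be a GSS-API InitialContextToken carrying
    the SPNEGO OID. The declared outer length is parsed but not enforced, so
    the truncated PAGE_TOKEN_PREFIX is still recognised.
    """
    parts = line.rstrip("\r\n").split(" ", 1)
    if parts[0] not in ("YR", "KK"):
        return False, "request must start with YR or KK, got %r" % parts[0]
    if len(parts) < 2 or not parts[1].strip():
        return False, "no token after %s" % parts[0]
    try:
        tok = base64.b64decode(parts[1].strip(), validate=True)
    except binascii.Error:
        return False, "token is not valid base64"
    if not tok or tok[0] != GSS_APP0_TAG:
        return False, "not a GSS-API InitialContextToken (tag 0x60)"
    try:
        _, body = _der_length(tok, 1)
    except (ValueError, IndexError):
        return False, "bad DER length in token header"
    if not tok[body:].startswith(SPNEGO_OID_DER):
        return False, "GSS-API token but not SPNEGO"
    return True, "SPNEGO token"


def _tlv(tag: int, body: bytes) -> bytes:
    """DER TLV for bodies shorter than 65536 bytes."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def constructed_token_b64() -> str:
    """Minimal NegTokenInit that lists only Kerberos and carries no mechToken.
    Well-formed SPNEGO for the validator; a real acceptor would challenge it."""
    mech_types = _tlv(0xA0, _tlv(0x30, KRB5_OID_DER))
    neg_token_init = _tlv(0xA0, _tlv(0x30, mech_types))
    return base64.b64encode(_tlv(0x60, SPNEGO_OID_DER + neg_token_init)).decode()


def parse_klist_k(text: str) -> List[Tuple[int, str]]:
    """Parse `klist -k` output into (kvno, principal) pairs."""
    rows = (re.match(r"^\s*(\d+)\s+(\S+)\s*$", ln) for ln in text.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in rows if m]


def keytab_has_principal(entries: List[Tuple[int, str]], spn: str) -> bool:
    """True if the keytab has a key for spn; the realm is compared only if given."""
    if "@" in spn:
        return any(p == spn for _, p in entries)
    return any(p.split("@", 1)[0] == spn for _, p in entries)


if __name__ == "__main__":
    for req in ("testuser xxx", "YR " + PAGE_TOKEN_PREFIX, "YR " + constructed_token_b64()):
        print("%-36.36s -> %s" % (req, validate_helper_request(req)))
    spn = "HTTP/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL"   # the -s value in the post
    print("keytab has %s: %s" % (spn, keytab_has_principal(parse_klist_k(KLIST_K_SAMPLE), spn)))
```

Run against the transcript, "testuser xxx" fails the first check for the same reason the helper printed "BH Invalid request": a Negotiate helper never receives a username and password, only base64 tokens relayed from the browser's Proxy-Authorization: Negotiate header. The keytab check returns False for HTTP/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL because the listing holds only host/ and machine-account keys, and a GSS acceptor can only decrypt service tickets for principals whose keys are in its keytab.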

Re: [squid-users] NEGOTIATE Kerberos Auth

2016-03-30 Thread akn ab

Many thanks Markus, I solved everything!

 



 

Re: [squid-users] NEGOTIATE Kerberos Auth

2016-03-21 Thread Markus Moeller
Hi,

 1) Yes, you should see user@DOMAIN for Kerberos authentication, but if you 
use -r the @DOMAIN will be removed. 

 2) The client in EXTERNAL.COM needs to know where to find the 
HTTP/@FATHER.COM principal.  I think your trust is not fully set up. You 
should see some cross-domain TGTs.  

Cross Domain SPN Lookups with Active Directory
When domains are within the same forest, the KDC should consult the GC (Global 
Catalog) and provide a referral if the account is in a different domain.  If 
the account is not in the same forest you would need to define host mapping for 
the account, unless you are using a forest trust.  Then you could define a 
Kerberos Forest Search Order.


Markus


"akn ab" <drcim...@mail.com> wrote in message 
news:trinity-1231fb52-3516-493c-a2c9-b9fe1c1623c5-1458549367234@3capp-mailcom-lxa05...
Hello Markus,

First of all thank you for your reply; today I'm having a strange issue.
KID1 and KID2 started to authenticate with Kerberos correctly without any 
modification ...
This is so strange, but I'm very happy, so I started other configurations, but 
I have 2 more problems:

1)
In my Squid logs, I can see users authenticated correctly, but not the domain 
the users came from.
For example:
FATHER.COM\user1
KID1.FATHER.COM\user1
KID2.FATHER.COM\user1
are reported in my logs as "user1" and not as us...@kid1.father.com or 
KID1\user1 (for example).
I need to differentiate domains because I'm sending x-authenticated-user to my 
proxy peers.
Is it possible with Kerberos?

2)
I have another domain EXTERNALS.COM with a bidirectional trust with FATHER.COM, 
so I added it to my krb5.conf like KID1, but Kerberos auth fails.
Using your instructions, I captured port 88 during the handshake and I get:

eRR-C-PRINCIPAL-UNKNOWN

Users' PCs belonging to EXTERNALS.COM are joined to EXTERNALS.COM.

Best Regards.
  

Re: [squid-users] NEGOTIATE Kerberos Auth

2016-03-18 Thread Markus Moeller
Hi,

Is your client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM? 

 Can you get a Wireshark capture on your client on port 88?  You should 
see some TGS-REQs in the capture and I assume also TGS-REPs with error 
messages.  Can you share these error messages? 

Regards
Markus


"akn ab" wrote in message 
news:trinity-1aed7413-4936-4022-90fa-eac7e2d892ed-1458301713239@3capp-mailcom-lxa01...
Dear all,

I'm having a problem configuring my Squid 3.5.15 with Negotiate Kerberos 
authentication in my mono-forest, multi-domain environment.

My FATHER.COM is a forest with 2 children: KID1 and KID2.
Like this: FATHER.COM -> KID1.FATHER.COM
           -> KID2.FATHER.COM

With the actual configuration, Squid Negotiate Kerberos auth works only with 
FATHER.COM but not when my users belong to KID1 and KID2.
I read some discussions on the mailing list about forests, but cannot find 
definitive advice and a procedure to authenticate children domains' users.

My krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = FATHER.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = /usr/local/squid/etc/HTTP.keytab
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
FATHER.COM = {
  kdc = dc1.father.com:88
  kdc = dc2.father.com:88
  default_domain = father.com
}
KID1.FATHER.COM = {
  kdc = dc1.kid1.father.com:88
  kdc = dc2.kid1.father.com:88
  default_domain = kid1.father.com
}
KID2.FATHER.COM = {
  kdc = dc1.kid2.father.com:88
  kdc = dc2.kid2.father.com:88
  default_domain = kid2.father.com
}
[domain_realm]
.father.com = FATHER.COM
father.com = FATHER.COM
.kid1.father.com = KID1.FATHER.COM
kid1.father.com = KID1.FATHER.COM
.kid2.father.com = KID2.FATHER.COM
kid2.father.com = KID2.FATHER.COM
[capaths]
KID1.FATHER.COM = {
   FATHER.COM = .
}
KID2.FATHER.COM = {
   FATHER.COM = .
}

To join Kerberos auth with FATHER.COM I did:
# kinit u...@father.com
# msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com 
-k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb --upn 
HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N

In my Squid config I have:
auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth 
-r -k /usr/local/squid/etc/HTTP.keytab -s HTTP/proxy1.father.com

Doing so, all my users belonging to FATHER.COM can negotiate Kerberos using 
proxy1.father.com:8080 (this exact name; if I use a DNS alias name, it does not 
work).

Now I'm trying to add KID1 and KID2 users to krb auth.
As I said previously, I read some posts but I cannot find the correct 
configuration to support my forest.
1) Someone says to add KID1 and KID2 to HTTP.keytab. To do so I did:
- kinit u...@father.com
- msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com 
-k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb-kid1 --upn 
HTTP/proxy1.father.com --server dc1.kid1.father.com --enctypes 28 --verbose -N
but this configuration gives me an authentication error for my keytab or a 
ticketing problem. So I tried:
- kinit u...@kid1.father.com
but my user is an Enterprise Admin from FATHER.COM, so I cannot get the ticket.

After many, many and many hours, I need some advice to complete my 
configuration.
Is there anyone that could help me?

Many thanks in advance.
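The krb5.conf and the msktutil command in the post above can be reviewed offline. The following is an added example, not code from the poster, Squid, MIT Kerberos or msktutil. KRB5_CONF is the poster's [libdefaults], [realms] and [domain_realm] sections as posted; the enctype tables and the checks are mine: the [libdefaults] enctype lists still permit single DES and RC4 next to AES, every realm in [realms] should be reachable from a [domain_realm] mapping, and the "--enctypes 28" given to msktutil is the AD msDS-SupportedEncryptionTypes bitmask (0x1C = RC4 + AES128 + AES256), which decides which keys end up in HTTP.keytab.

```python
"""Offline review of the krb5.conf and msktutil --enctypes from the post above.
Added example; not the poster's, Squid's, MIT Kerberos's or msktutil's code.
KRB5_CONF is the poster's [libdefaults], [realms] and [domain_realm] sections;
the enctype tables and checks are mine."""
import re

KRB5_CONF = """
[libdefaults]
default_realm = FATHER.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = /usr/local/squid/etc/HTTP.keytab
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
FATHER.COM = {
  kdc = dc1.father.com:88
  kdc = dc2.father.com:88
  default_domain = father.com
}
KID1.FATHER.COM = {
  kdc = dc1.kid1.father.com:88
  kdc = dc2.kid1.father.com:88
  default_domain = kid1.father.com
}
KID2.FATHER.COM = {
  kdc = dc1.kid2.father.com:88
  kdc = dc2.kid2.father.com:88
  default_domain = kid2.father.com
}
[domain_realm]
.father.com = FATHER.COM
father.com = FATHER.COM
.kid1.father.com = KID1.FATHER.COM
kid1.father.com = KID1.FATHER.COM
.kid2.father.com = KID2.FATHER.COM
kid2.father.com = KID2.FATHER.COM
"""

# Deprecated enctypes: single DES (RFC 6649); RC4 and 3DES (RFC 8429).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1",
                 "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp"}
# AD msDS-SupportedEncryptionTypes bits; msktutil --enctypes takes this value.
MSDS_ENCTYPE_BITS = [(0x01, "des-cbc-crc"), (0x02, "des-cbc-md5"), (0x04, "rc4-hmac"),
                     (0x08, "aes128-cts-hmac-sha1-96"), (0x10, "aes256-cts-hmac-sha1-96")]


def parse_krb5_conf(text):
    """[section], key = value and NAME = { ... } blocks; repeated keys become lists."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("data before the first section: %r" % raw)
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value, cur = key.strip(), value.strip(), stack[-1]
        if value == "{":
            cur[key] = {}
            stack.append(cur[key])
        elif key in cur:          # e.g. several "kdc =" lines in one realm
            cur[key] = (cur[key] if isinstance(cur[key], list) else [cur[key]]) + [value]
        else:
            cur[key] = value
    return conf


def weak_enctypes(conf):
    """Deprecated enctypes named by each [libdefaults] enctype option."""
    libd, out = conf.get("libdefaults", {}), {}
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = [e for e in str(libd.get(key, "")).split() if e.lower() in WEAK_ENCTYPES]
        if weak:
            out[key] = weak
    return out


def realms_without_domain_mapping(conf):
    """Realms in [realms] that no [domain_realm] entry points at."""
    mapped = {v for v in conf.get("domain_realm", {}).values() if isinstance(v, str)}
    return sorted(set(conf.get("realms", {})) - mapped)


def decode_msds_enctypes(value):
    """Enctype names for the bits set in an msDS-SupportedEncryptionTypes value."""
    names = [name for bit, name in MSDS_ENCTYPE_BITS if value & bit]
    unknown = value & ~sum(bit for bit, _ in MSDS_ENCTYPE_BITS)
    return names + (["unknown bits 0x%x" % unknown] if unknown else [])
```

One caveat the post itself raises: the browser requests a ticket for HTTP/<proxy name as configured in the browser>, so a DNS alias only works if an SPN for that alias name also exists on the same account (msktutil -s HTTP/alias.father.com adds one to the account and the keytab).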


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users