Re: [squid-users] Squit with NTLM and Kerberos auth => a error
Hi Olivier,

I think on some of your newer clients you have an issue with Negotiate and NTLM fallback. If I look at https://msdn.microsoft.com/en-us/library/ff468736.aspx I see this: https://i-msdn.sec.s-msft.com/dynimg/IC426444.gif

If I interpret this correctly, the client will try NegoEx after failing with Kerberos and before trying NTLM. If NegoEx is successful on the client, then NTLM will not be attempted. And I think that is the case here. Do you know if NegoEx is used on the client? Does anybody else know about NegoEx?

Markus

From: Olivier CALVANO
Sent: Tuesday, November 03, 2015 9:22 AM
To: Markus Moeller
Subject: Re: [squid-users] Squit with NTLM and Kerberos auth => a error

That is to say Squid can be used with Windows AD?

2015-11-02 22:46 GMT+01:00 Markus Moeller:

Hi Olivier,

If I decode a token I see:

/base64> hexdump -c base64_dec.out
0000000   ` 201 236 006 006   + 006 001 005 005 002 240 201 223   0 201
0000010 220 240 032   0 030 006  \n   + 006 001 004 001 202   7 002 002
0000020 036 006  \n   + 006 001 004 001 202   7 002 002  \n 242   r 004
0000030   p   N   E   G   O   E   X   T   S  \0  \0  \0  \0  \0  \0  \0
0000040  \0   `  \0  \0  \0   p  \0  \0  \0 020 366   L   3   & 023 256
0000050   O 271 216   4 305  \f 200   !  \t 034 340   # 327 322 177   _
0000060 211 202   > 254   {   g 234 325 225 001 022 225  \f 323 276   A
0000070 206 024   6 367   ;   .  \0   C 273  \0  \0  \0  \0  \0  \0  \0
0000080  \0   `  \0  \0  \0 001  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
0000090  \0   E   r   |   2   2   E 213   H 277 331   *   k 240   ^ 244
00000a0  \n
00000a1

It says NEGOEXTS, which points me to https://technet.microsoft.com/en-us/library/dd560645%28v=ws.10%29.aspx?f=255=-2147217396 That is not supported.

Markus
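The decoding Markus did by hand, as an added example that is not part of the thread and not code from Squid or its helpers: a Python script that parses the SPNEGO NegTokenInit carried in the helper's "YR" line, lists the mechTypes the client offered, and, when the mechToken starts with NEGOEXTS, decodes the MS-NEGOEX message header. The token bytes are transcribed from the hexdump above rather than from the base64 in the archived log, because the base64 as reproduced here decodes to fewer than the 161 bytes squid_kerb_auth reports. The OID-to-name table, the NEGOEX field offsets and the HELPER_LINE constant are this example's own assumptions. On this token it reports mechTypes of NEGOEX and NTLMSSP only, with the mechToken belonging to NEGOEX, which is the mechanism gss_accept_sec_context() reports as unsupported.

```python
"""Added example, not code from the squid-users thread or from Squid: parse the SPNEGO
NegTokenInit that squid_kerb_auth logged and report what the client offered. TOKEN is
transcribed from the hexdump -c output in Markus Moeller's reply; OID table and MS-NEGOEX
field layout below are this example's own assumptions."""
import base64
import struct
import uuid

# 161 token bytes transcribed from the thread's hexdump (the archived base64 is shorter).
TOKEN = bytes.fromhex(
    "60819e06062b0601050502a081933081" "90a01a3018060a2b0601040182370202"
    "1e060a2b06010401823702020aa27204" "704e45474f4558545300000000000000"
    "00600000007000000010f64c332613ae" "4fb98e34c50c8021091ce023d7d27f5f"
    "89823eac7b679cd5950112950cd3be41" "861436f73b2e0043bb00000000000000"
    "00600000000100000000000000000000" "0045727c3232458b48bfd92a6ba05ea4" "0a"
)
# The "YR <base64>" request line a Squid negotiate helper reads for this token (constructed).
HELPER_LINE = "YR " + base64.b64encode(TOKEN).decode()

SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}  # Kerberos V5, MS KRB5
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5", "1.2.840.48018.1.2.2": "MS KRB5",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP", "1.3.6.1.4.1.311.2.2.30": "NEGOEX"}
NEGOEX_TYPES = {0: "INITIATOR_NEGO", 1: "ACCEPTOR_NEGO", 2: "INITIATOR_META_DATA",  # MS-NEGOEX
                3: "ACCEPTOR_META_DATA", 4: "CHALLENGE", 5: "AP_REQUEST", 6: "VERIFY", 7: "ALERT"}


def der_read(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, contents, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def oid_to_str(raw):
    """Dotted OID from DER contents: first byte is 40*arc1+arc2, the rest base-128 arcs."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_neg_token_init(token):
    """Return (mechTypes as dotted OIDs, mechToken bytes) from a GSS InitialContextToken."""
    tag, body, _ = der_read(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API [APPLICATION 0] InitialContextToken")
    tag, oid, pos = der_read(body, 0)
    if tag != 0x06 or oid_to_str(oid) != SPNEGO_OID:
        raise ValueError("token mechanism is not SPNEGO")
    tag, neg, _ = der_read(body, pos)
    if tag != 0xA0:
        raise ValueError("not a NegTokenInit")
    _, seq, _ = der_read(neg, 0)  # SEQUENCE { [0] mechTypes, ..., [2] mechToken, ... }
    mech_types, mech_token, pos = [], b"", 0
    while pos < len(seq):
        tag, val, pos = der_read(seq, pos)
        if tag == 0xA0:  # mechTypes ::= SEQUENCE OF OID, most preferred first
            _, lst, _ = der_read(val, 0)
            p = 0
            while p < len(lst):
                _, o, p = der_read(lst, p)
                mech_types.append(oid_to_str(o))
        elif tag == 0xA2:  # mechToken ::= OCTET STRING, belongs to mechTypes[0]
            _, mech_token, _ = der_read(val, 0)
    return mech_types, mech_token


def parse_negoex_header(mech_token):
    """Decode the MS-NEGOEX MESSAGE_HEADER; for INITIATOR_NEGO also list the auth scheme GUIDs."""
    if mech_token[:8] != b"NEGOEXTS":
        return None
    msg_type, seq_num, hdr_len, msg_len = struct.unpack_from("<IIII", mech_token, 8)
    info = {"message_type": NEGOEX_TYPES.get(msg_type, msg_type), "sequence": seq_num,
            "header_length": hdr_len, "message_length": msg_len,
            "conversation_id": str(uuid.UUID(bytes_le=mech_token[24:40]))}
    if msg_type == 0:  # NEGO_MESSAGE: header(40) + Random[32] + ProtocolVersion(8), then AuthSchemes
        off, count = struct.unpack_from("<IH", mech_token, 80)
        info["auth_schemes"] = [str(uuid.UUID(bytes_le=mech_token[off + 16 * i:off + 16 * i + 16]))
                                for i in range(count)]
    return info


def analyze(token):
    """Summarize the offer: an acceptor that knows none of the mechTypes can only fail."""
    mech_types, mech_token = parse_neg_token_init(token)
    return {"mech_types": [MECH_NAMES.get(o, o) for o in mech_types],
            "offers_kerberos": bool(KERBEROS_OIDS & set(mech_types)),
            "first_mech_is_kerberos": bool(mech_types) and mech_types[0] in KERBEROS_OIDS,
            "mech_token_length": len(mech_token),
            "negoex": parse_negoex_header(mech_token)}


def analyze_helper_line(line):
    """Analyze the 'YR <base64>' line a Squid negotiate helper receives on stdin."""
    return analyze(base64.b64decode(line.split(" ", 1)[1]))
```

Any "Got 'YR ...'" line copied intact from cache.log can be fed to analyze_helper_line(); a token from a client that did obtain a service ticket would show Kerberos V5 or MS KRB5 first in mech_types and negoex None, while a raw (non-SPNEGO) Kerberos or NTLM token raises ValueError. The mechToken is only ever the one for mechTypes[0], so an acceptor built on a GSS library that implements neither NEGOEX nor NTLMSSP has nothing to select from this offer, which is the "unsupported mechanism" the helper logs.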
Re: [squid-users] Squit with NTLM and Kerberos auth => a error
Hi Olivier,

Which Kerberos version do you use? MIT or Heimdal?

Markus

"Olivier CALVANO" wrote in message news:cajajpefqoygt5zsyw7fwszwrttxn-r1pd-u73xdfonax9dl...@mail.gmail.com...

Hi,

I am testing AD authentication with Kerberos/NTLM:

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 160 startup=5 idle=1
auth_param negotiate keep_alive on

## NTLM authentication module
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 160 startup=5 idle=1
auth_param ntlm keep_alive on

## If NTLM fails, offer the authentication prompt
auth_param basic program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-basic
auth_param basic children 40 startup=5 idle=1
auth_param basic realm Company proxy-caching web server
auth_param basic credentialsttl 2 hours

I have a lot of users for whom it works, but for other users Squid asks for login/password in a loop. In cache.log I have:

2015/11/02 17:37:57| squid_kerb_auth: gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error
2015/11/02 17:37:57 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error'
GENSEC login failed: NT_STATUS_LOGON_FAILURE
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAYAEAAEVyfDIyRYtIv9kqa6BepAo=' from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAYAEAAEVyfDIyRYtIv9kqa6BepAo=' (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error'
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAYAEAAEVyfDIyRYtIv9kqa6BepAo=' from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAYAEAAEVyfDIyRYtIv9kqa6BepAo=' (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error'
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBL2TDMmE65PuY40xQyAIQlOCybIQKGs/hmFlEu3FzYMQIag5ivNn4JcpRWBrJ5vMwAAYAEAAEVyfDIyRYtIv9kqa6BepAo=' from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBL2TDMmE65PuY40xQyAIQlOCybIQKGs/hmFlEu3FzYMQIag5ivNn4JcpRWBrJ5vMwAAYAEAAEVyfDIyRYtIv9kqa6BepAo=' (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error'
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE

Does anyone know this problem?

regards
Olivier

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users