Re: [squid-users] Squit with NTLM and Kerberos auth => a error

2015-11-05 Thread Markus Moeller
 
Hi Olivier,

  I think on some of your newer clients you have an issue with Negotiate and 
NTLM fallback. If I look at 
https://msdn.microsoft.com/en-us/library/ff468736.aspx I see this: 
https://i-msdn.sec.s-msft.com/dynimg/IC426444.gif 

If I interpret this correctly, the client will try NegoEx after failing with 
Kerberos and before trying NTLM. If on the client NegoEx is successful, then 
NTLM will not be attempted. And I think that is the case here. Do you know if 
NegoEx is used on the client?


Does anybody else know about NegoEx?

Markus


From: Olivier CALVANO 
Sent: Tuesday, November 03, 2015 9:22 AM
To: Markus Moeller 
Subject: Re: [squid-users] Squit with NTLM and Kerberos auth => a error

That's to say that squid can be used with Windows AD?




2015-11-02 22:46 GMT+01:00 Markus Moeller :


  Hi Olivier,

  If I decode a token I see

  /base64> hexdump -c base64_dec.out
  000   ` 201 236 006 006   + 006 001 005 005 002 240 201 223   0 201
  010 220 240 032   0 030 006  \n   + 006 001 004 001 202   7 002 002
  020 036 006  \n   + 006 001 004 001 202   7 002 002  \n 242   r 004
  030   p   N   E   G   O   E   X   T   S  \0  \0  \0  \0  \0  \0  \0
  040  \0   `  \0  \0  \0   p  \0  \0  \0 020 366   L   3   & 023 256
  050   O 271 216   4 305  \f 200   !  \t 034 340   # 327 322 177   _
  060 211 202   > 254   {   g 234 325 225 001 022 225  \f 323 276   A
  070 206 024   6 367   ;   .  \0   C 273  \0  \0  \0  \0  \0  \0  \0
  080  \0   `  \0  \0  \0 001  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
  090  \0   E   r   |   2   2   E 213   H 277 331   *   k 240   ^ 244
  0a0  \n
  0a1

  It says NEGOEXTS, which points me to 
https://technet.microsoft.com/en-us/library/dd560645%28v=ws.10%29.aspx?f=255=-2147217396

  That is not supported.

  Markus


  "Olivier CALVANO"  wrote in message 
news:cajajpefqoygt5zsyw7fwszwrttxn-r1pd-u73xdfonax9dl...@mail.gmail.com...
  Hi


  I am testing AD authentication with Kerberos/NTLM.

  ### negotiate kerberos and ntlm authentication
  auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
  auth_param negotiate children 160 startup=5 idle=1
  auth_param negotiate keep_alive on

  ## NTLM authentication module
  auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
  auth_param ntlm children 160 startup=5 idle=1
  auth_param ntlm keep_alive on

  ## If NTLM fails, show the authentication dialog
  auth_param basic program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-basic
  auth_param basic children 40 startup=5 idle=1
  auth_param basic realm Company proxy-caching web server
  auth_param basic credentialsttl 2 hours



  I have a lot of users for whom it works, but for other users squid requests 
login/password in a loop.


  In cache.log I have:

  2015/11/02 17:37:57| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
  2015/11/02 17:37:57 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
  GENSEC login failed: NT_STATUS_LOGON_FAILURE
  2015/11/02 17:37:58| squid_kerb_auth: Got 'YR 
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 from squid (length: 219).
  2015/11/02 17:37:58| squid_kerb_auth: Decode 
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 (decoded length: 161).
  2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
  2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
  2015/11/02 17:37:58| squid_kerb_auth: Got 'YR 
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 from squid (length: 219).
  2015/11/02 17:37:58| squid_kerb_auth: Decode 
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 (decoded length: 161).
  2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. 
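Added diagnostic example (not code from this thread, from Squid or from Microsoft): a Python script that decodes the token Markus hexdumped above and shows what squid_kerb_auth was handed. The 161 token bytes are transcribed from the `hexdump -c` output rather than from the archived base64, which has been shortened in the archive and no longer decodes to 161 bytes. The minimal DER reader, the OID-to-name table and the NegoEx field offsets (MESSAGE_HEADER followed by the NEGO_MESSAGE fields as laid out in MS-NEGOEX) are my own; the auth-scheme GUID is printed but not mapped to a name. Running it shows that the SPNEGO mechTypes list offers only NegoEx (1.3.6.1.4.1.311.2.2.30) and NTLMSSP (1.3.6.1.4.1.311.2.2.10), no Kerberos OID at all, and that the inner mechToken is a NegoEx INITIATOR_NEGO message, which a Kerberos-only acceptor reports as an unsupported mechanism.

```python
import base64
import struct
import uuid

# Token bytes transcribed from the `hexdump -c` output quoted in this thread
# (161 bytes, matching squid_kerb_auth's "decoded length: 161").
TOKEN = bytes.fromhex(
    "60819e06062b0601050502a081933081" "90a01a3018060a2b0601040182370202"
    "1e060a2b06010401823702020aa27204" "704e45474f4558545300000000000000"
    "00600000007000000010f64c332613ae" "4fb98e34c50c8021091ce023d7d27f5f"
    "89823eac7b679cd5950112950cd3be41" "861436f73b2e0043bb00000000000000"
    "00600000000100000000000000000000" "0045727c3232458b48bfd92a6ba05ea40a"
)

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {                       # well-known GSS mechanism OIDs
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}
NEGOEX_SIGNATURE = b"NEGOEXTS"

def token_from_log_line(line):
    """Decode a helper-protocol line such as "YR <base64>" from cache.log."""
    return base64.b64decode(line.strip().split(None, 1)[-1])

def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """DER OID contents -> dotted string."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_spnego_init(token):
    """Parse a GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit;
    return the offered mechTypes (dotted OIDs) and the raw inner mechToken."""
    tag, body, _ = der_read(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = der_read(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    _, init, _ = der_read(body, pos)     # [0] NegTokenInit
    _, seq, _ = der_read(init, 0)        # the SEQUENCE inside it
    mech_types, mech_token, pos = [], b"", 0
    while pos < len(seq):
        tag, val, pos = der_read(seq, pos)
        if tag == 0xA0:                  # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = der_read(val, 0)
            p = 0
            while p < len(lst):
                _, o, p = der_read(lst, p)
                mech_types.append(decode_oid(o))
        elif tag == 0xA2:                # [2] mechToken: OCTET STRING
            _, mech_token, _ = der_read(val, 0)
    return {"mechTypes": mech_types, "mechToken": mech_token}

def parse_negoex_initiator_nego(tok):
    """Decode the MESSAGE_HEADER and NEGO_MESSAGE fields of a NegoEx
    INITIATOR_NEGO message (little-endian layout as given in MS-NEGOEX)."""
    if tok[:8] != NEGOEX_SIGNATURE:
        raise ValueError("not a NegoEx message")
    msg_type, seq_num, hdr_len, msg_len = struct.unpack_from("<IIII", tok, 8)
    conversation_id = uuid.UUID(bytes_le=tok[24:40])
    # Random[32] sits at 40, ProtocolVersion at 72, then AUTH_SCHEME_VECTOR at
    # 80: ULONG array offset + USHORT count of 16-byte auth-scheme GUIDs.
    off, count = struct.unpack_from("<IH", tok, 80)
    schemes = [str(uuid.UUID(bytes_le=tok[off + 16 * i:off + 16 * i + 16]))
               for i in range(count)]
    return {"message_type": msg_type, "sequence": seq_num,
            "header_length": hdr_len, "message_length": msg_len,
            "conversation_id": str(conversation_id), "auth_schemes": schemes}

def diagnose(token):
    """Summarise why a Kerberos-only acceptor rejects this token."""
    info = parse_spnego_init(token)
    report = {
        "mechTypes": [f"{o} ({MECH_NAMES.get(o, 'unknown')})" for o in info["mechTypes"]],
        "kerberos_offered": any("Kerberos" in MECH_NAMES.get(o, "") for o in info["mechTypes"]),
        "inner_token_is_negoex": info["mechToken"].startswith(NEGOEX_SIGNATURE),
        "negoex": None,
    }
    if report["inner_token_is_negoex"]:
        report["negoex"] = parse_negoex_initiator_nego(info["mechToken"])
    return report

if __name__ == "__main__":
    for key, value in diagnose(TOKEN).items():
        print(f"{key}: {value}")
```

token_from_log_line takes a helper-protocol line of the form "YR <base64>" straight from cache.log, so the same checks can be run on any other token that triggers the login loop; a token whose mechTypes list does include a Kerberos OID, or whose inner token starts with NTLMSSP rather than NEGOEXTS, points at a different cause than the one discussed here.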

Re: [squid-users] Squit with NTLM and Kerberos auth => a error

2015-11-02 Thread Markus Moeller
Hi Olivier,

Which Kerberos version do you use? MIT or Heimdal?

Markus

"Olivier CALVANO"  wrote in message 
news:cajajpefqoygt5zsyw7fwszwrttxn-r1pd-u73xdfonax9dl...@mail.gmail.com...
Hi


I am testing AD authentication with Kerberos/NTLM.

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 160 startup=5 idle=1
auth_param negotiate keep_alive on

## NTLM authentication module
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 160 startup=5 idle=1
auth_param ntlm keep_alive on

## If NTLM fails, show the authentication dialog
auth_param basic program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-basic
auth_param basic children 40 startup=5 idle=1
auth_param basic realm Company proxy-caching web server
auth_param basic credentialsttl 2 hours



I have a lot of users for whom it works, but for other users squid requests 
login/password in a loop.


In cache.log I have:

2015/11/02 17:37:57| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
2015/11/02 17:37:57 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
GENSEC login failed: NT_STATUS_LOGON_FAILURE
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR 
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR 
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR 
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBL2TDMmE65PuY40xQyAIQlOCybIQKGs/hmFlEu3FzYMQIag5ivNn4JcpRWBrJ5vMwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBL2TDMmE65PuY40xQyAIQlOCybIQKGs/hmFlEu3FzYMQIag5ivNn4JcpRWBrJ5vMwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE





Does anyone know this problem?


regards

Olivier






___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squit with NTLM and Kerberos auth => a error

2015-11-02 Thread Markus Moeller

Hi Olivier,

If I decode a token I see

/base64> hexdump -c base64_dec.out
000   ` 201 236 006 006   + 006 001 005 005 002 240 201 223   0 201
010 220 240 032   0 030 006  \n   + 006 001 004 001 202   7 002 002
020 036 006  \n   + 006 001 004 001 202   7 002 002  \n 242   r 004
030   p   N   E   G   O   E   X   T   S  \0  \0  \0  \0  \0  \0  \0
040  \0   `  \0  \0  \0   p  \0  \0  \0 020 366   L   3   & 023 256
050   O 271 216   4 305  \f 200   !  \t 034 340   # 327 322 177   _
060 211 202   > 254   {   g 234 325 225 001 022 225  \f 323 276   A
070 206 024   6 367   ;   .  \0   C 273  \0  \0  \0  \0  \0  \0  \0
080  \0   `  \0  \0  \0 001  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
090  \0   E   r   |   2   2   E 213   H 277 331   *   k 240   ^ 244
0a0  \n
0a1

It says NEGOEXTS, which points me to 
https://technet.microsoft.com/en-us/library/dd560645%28v=ws.10%29.aspx?f=255=-2147217396

That is not supported.

Markus


"Olivier CALVANO"  wrote in message 
news:cajajpefqoygt5zsyw7fwszwrttxn-r1pd-u73xdfonax9dl...@mail.gmail.com...
Hi


I am testing AD authentication with Kerberos/NTLM.

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 160 startup=5 idle=1
auth_param negotiate keep_alive on

## NTLM authentication module
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 160 startup=5 idle=1
auth_param ntlm keep_alive on

## If NTLM fails, show the authentication dialog
auth_param basic program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-basic
auth_param basic children 40 startup=5 idle=1
auth_param basic realm Company proxy-caching web server
auth_param basic credentialsttl 2 hours



I have a lot of users for whom it works, but for other users squid requests 
login/password in a loop.


In cache.log I have:

2015/11/02 17:37:57| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
2015/11/02 17:37:57 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
GENSEC login failed: NT_STATUS_LOGON_FAILURE
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR 
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR 
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR 
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBL2TDMmE65PuY40xQyAIQlOCybIQKGs/hmFlEu3FzYMQIag5ivNn4JcpRWBrJ5vMwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBL2TDMmE65PuY40xQyAIQlOCybIQKGs/hmFlEu3FzYMQIag5ivNn4JcpRWBrJ5vMwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: