Re: [squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-29 Thread Eliezer Croitoru

Hi Flypast,

Are you using the RPM or from source?
(My RPM is not designed to compile external_acl and other helpers)

Thanks,
Eliezer

On 30/12/13 02:30, flypast wrote:

Hi Markus,

I built a new CentOS server at version 6.5 and redid all the configuration on
the new server in the same way.

Magic happened: everything is working now.

Thank you very much for your help and guidance.




[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-29 Thread flypast
Hi Markus,

I built a new CentOS server at version 6.5 and redid all the configuration on
the new server in the same way.

Magic happened: everything is working now. 

Thank you very much for your help and guidance.





--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-proxy-kerberos-authentication-failure-Help-tp4663964p4664090.html
Sent from the Squid - Users mailing list archive at Nabble.com.


[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-26 Thread Markus Moeller
I assume the *s are not in the real file.  Can you run a strace against the 
auth helper to verify the right keytab is used ?


Markus

"flypast"  wrote in message news:1387953737367-4664034.p...@n4.nabble.com...

Hi Marcus,

Please see my current /etc/init.d/squid file. I have added your suggested
content.

[root@proxy01 ~]# cd /etc/init.d/
[root@proxy01 init.d]# more squid
#!/bin/bash
# chkconfig: - 90 25
# pidfile: /var/run/squid.pid
# config: /etc/squid/squid.conf
#
### BEGIN INIT INFO
# Provides: squid
# Short-Description: starting and stopping Squid Internet Object Cache
# Description: Squid - Internet Object Cache. Internet object caching is \
#   a way to store requested Internet objects (i.e., data available \
#   via the HTTP, FTP, and gopher protocols) on a system closer to the \
#   requesting site than to the source. Web browsers can then use the \
#   local Squid cache as a proxy HTTP server, reducing access time as \
#   well as bandwidth consumption.
### END INIT INFO


PATH=/usr/bin:/sbin:/bin:/usr/sbin
export PATH

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

if [ -f /etc/sysconfig/squid ]; then
   . /etc/sysconfig/squid
fi

# don't raise an error if the config file is incomplete
# set defaults instead:
SQUID_OPTS=${SQUID_OPTS:-""}
SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}
SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"}

# determine the name of the squid binary
[ -f /usr/sbin/squid ] && SQUID=squid

prog="$SQUID"

# determine which one is the cache_swap directory
CACHE_SWAP=`sed -e 's/#.*//g' $SQUID_CONF | \
   grep cache_dir | awk '{ print $3 }'`

RETVAL=0

probe() {
   # Check that networking is up.
   [ ${NETWORKING} = "no" ] && exit 1

   [ `id -u` -ne 0 ] && exit 4

   # check if the squid conf file is present
   [ -f $SQUID_CONF ] || exit 6
}

start() {
 *  KRB5_KTNAME=/etc/squid/squid.keytab
   export KRB5_KTNAME*
   probe

   parse=`$SQUID -k parse -f $SQUID_CONF 2>&1`
   RETVAL=$?
   if [ $RETVAL -ne 0 ]; then
   echo -n $"Starting $prog: "
   echo_failure
   echo
   echo "$parse"
   return 1
   fi
   for adir in $CACHE_SWAP; do
   if [ ! -d $adir/00 ]; then
   echo -n "init_cache_dir $adir... "
   $SQUID -z -F -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
   fi
   done
   echo -n $"Starting $prog: "
   $SQUID $SQUID_OPTS -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
   RETVAL=$?
   if [ $RETVAL -eq 0 ]; then
   timeout=0;
   while : ; do
   [ ! -f /var/run/squid.pid ] || break
   if [ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]; then
   RETVAL=1
   break
   fi
   sleep 1 && echo -n "."
   timeout=$((timeout+1))
   done
   fi
   [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID
   [ $RETVAL -eq 0 ] && echo_success
   [ $RETVAL -ne 0 ] && echo_failure
   echo
   return $RETVAL
}

stop() {
   echo -n $"Stopping $prog: "
   $SQUID -k check -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
   RETVAL=$?
   if [ $RETVAL -eq 0 ] ; then
   $SQUID -k shutdown -f $SQUID_CONF &
   rm -f /var/lock/subsys/$SQUID
   timeout=0
   while : ; do
   [ -f /var/run/squid.pid ] || break
   if [ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]; then
   echo
   return 1
   fi
   sleep 2 && echo -n "."
   timeout=$((timeout+2))








[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-24 Thread flypast
Hi Marcus, 

Please see my current /etc/init.d/squid file. I have added your suggested
content.

[root@proxy01 ~]# cd /etc/init.d/
[root@proxy01 init.d]# more squid
#!/bin/bash
# chkconfig: - 90 25
# pidfile: /var/run/squid.pid
# config: /etc/squid/squid.conf
#
### BEGIN INIT INFO
# Provides: squid
# Short-Description: starting and stopping Squid Internet Object Cache
# Description: Squid - Internet Object Cache. Internet object caching is \
#   a way to store requested Internet objects (i.e., data available \
#   via the HTTP, FTP, and gopher protocols) on a system closer to the \
#   requesting site than to the source. Web browsers can then use the \
#   local Squid cache as a proxy HTTP server, reducing access time as \
#   well as bandwidth consumption.
### END INIT INFO


PATH=/usr/bin:/sbin:/bin:/usr/sbin
export PATH

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

if [ -f /etc/sysconfig/squid ]; then
. /etc/sysconfig/squid
fi

# don't raise an error if the config file is incomplete
# set defaults instead:
SQUID_OPTS=${SQUID_OPTS:-""}
SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}
SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"}

# determine the name of the squid binary
[ -f /usr/sbin/squid ] && SQUID=squid

prog="$SQUID"

# determine which one is the cache_swap directory
CACHE_SWAP=`sed -e 's/#.*//g' $SQUID_CONF | \
grep cache_dir | awk '{ print $3 }'`

RETVAL=0

probe() {
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 1

[ `id -u` -ne 0 ] && exit 4

# check if the squid conf file is present
[ -f $SQUID_CONF ] || exit 6
}

start() {
  *  KRB5_KTNAME=/etc/squid/squid.keytab
export KRB5_KTNAME*
probe

parse=`$SQUID -k parse -f $SQUID_CONF 2>&1`
RETVAL=$?
if [ $RETVAL -ne 0 ]; then
echo -n $"Starting $prog: "
echo_failure
echo
echo "$parse"
return 1
fi
for adir in $CACHE_SWAP; do
if [ ! -d $adir/00 ]; then
echo -n "init_cache_dir $adir... "
$SQUID -z -F -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
fi
done
echo -n $"Starting $prog: "
$SQUID $SQUID_OPTS -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
RETVAL=$?
if [ $RETVAL -eq 0 ]; then
timeout=0;
while : ; do
[ ! -f /var/run/squid.pid ] || break
if [ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]; then
RETVAL=1
break
fi
sleep 1 && echo -n "."
timeout=$((timeout+1))
done
fi
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID
[ $RETVAL -eq 0 ] && echo_success
[ $RETVAL -ne 0 ] && echo_failure
echo
return $RETVAL
}

stop() {
echo -n $"Stopping $prog: "
$SQUID -k check -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
RETVAL=$?
if [ $RETVAL -eq 0 ] ; then
$SQUID -k shutdown -f $SQUID_CONF &
rm -f /var/lock/subsys/$SQUID
timeout=0
while : ; do
[ -f /var/run/squid.pid ] || break
if [ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]; then
echo
return 1
fi
sleep 2 && echo -n "."
timeout=$((timeout+2))





[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-24 Thread Markus Moeller
How do you start the service ?  Do you use systemctl ?  If so you may need 
to add KRB5_KTNAME=/etc/squid/squid.keytab to

/etc/sysconfig/squid

Markus

"flypast"  wrote in message news:1387845981524-4664010.p...@n4.nabble.com...

hi Markus,

Please see the below. I just temporarily changed the access control of the keytab
file. Still no luck.

[root@proxy01 squid]# ls -al
total 76
drwxr-xr-x.   2 root root   4096 Dec 23 14:24 .
drwxr-xr-x. 105 root root  12288 Dec 24 11:18 ..
-rw-r--r--.   1 root squid   419 Oct  1 23:40 cachemgr.conf
-rw-r--r--.   1 root root    419 Oct  1 23:40 cachemgr.conf.default
-rw-r--r--.   1 root root   1547 Oct  1 23:40 errorpage.css
-rw-r--r--.   1 root root   1547 Oct  1 23:40 errorpage.css.default
-rw-r--r--.   1 root root  11651 Oct  1 23:40 mime.conf
-rw-r--r--.   1 root root  11651 Oct  1 23:40 mime.conf.default
-rw-r--r--.   1 root root    421 Oct  1 23:40 msntauth.conf
-rw-r--r--.   1 root root    421 Oct  1 23:40 msntauth.conf.default
-rw-r-----.   1 root squid  2758 Dec 23 14:24 squid.conf
-rw-r--r--.   1 root root   2510 Oct  1 23:40 squid.conf.default
*-rwxrwxrwx.   1 root squid   451 Dec 22 13:13 squid.keytab*

In addition.
[root@proxy01 etc]# kinit -kt ./squid/squid.keytab
HTTP/proxy02.deeplayer.com
[root@proxy01 etc]# klist -ekt ./squid/squid.keytab
Keytab name: FILE:./squid/squid.keytab
KVNO Timestamp Principal
 -

 16 12/22/13 13:14:31 proxy02$@DEEPLAYER.COM (arcfour-hmac)
 16 12/22/13 13:14:31 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96)
 16 12/22/13 13:14:31 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)
 16 12/22/13 13:14:31 HTTP/proxy02.deeplayer@deeplayer.com
(arcfour-hmac)
 16 12/22/13 13:14:31 HTTP/proxy02.deeplayer@deeplayer.com
(aes128-cts-hmac-sha1-96)
 16 12/22/13 13:14:31 HTTP/proxy02.deeplayer@deeplayer.com
(aes256-cts-hmac-sha1-96)
[root@proxy01 etc]#








[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-23 Thread flypast
hi Markus, 

Please see the below. I just temporarily changed the access control of the keytab
file. Still no luck.

[root@proxy01 squid]# ls -al
total 76
drwxr-xr-x.   2 root root   4096 Dec 23 14:24 .
drwxr-xr-x. 105 root root  12288 Dec 24 11:18 ..
-rw-r--r--.   1 root squid   419 Oct  1 23:40 cachemgr.conf
-rw-r--r--.   1 root root    419 Oct  1 23:40 cachemgr.conf.default
-rw-r--r--.   1 root root   1547 Oct  1 23:40 errorpage.css
-rw-r--r--.   1 root root   1547 Oct  1 23:40 errorpage.css.default
-rw-r--r--.   1 root root  11651 Oct  1 23:40 mime.conf
-rw-r--r--.   1 root root  11651 Oct  1 23:40 mime.conf.default
-rw-r--r--.   1 root root    421 Oct  1 23:40 msntauth.conf
-rw-r--r--.   1 root root    421 Oct  1 23:40 msntauth.conf.default
-rw-r-----.   1 root squid  2758 Dec 23 14:24 squid.conf
-rw-r--r--.   1 root root   2510 Oct  1 23:40 squid.conf.default
*-rwxrwxrwx.   1 root squid   451 Dec 22 13:13 squid.keytab*

In addition.
[root@proxy01 etc]# kinit -kt ./squid/squid.keytab
HTTP/proxy02.deeplayer.com
[root@proxy01 etc]# klist -ekt ./squid/squid.keytab
Keytab name: FILE:./squid/squid.keytab
KVNO Timestamp Principal
 -

  16 12/22/13 13:14:31 proxy02$@DEEPLAYER.COM (arcfour-hmac) 
  16 12/22/13 13:14:31 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96) 
  16 12/22/13 13:14:31 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96) 
  16 12/22/13 13:14:31 HTTP/proxy02.deeplayer@deeplayer.com
(arcfour-hmac) 
  16 12/22/13 13:14:31 HTTP/proxy02.deeplayer@deeplayer.com
(aes128-cts-hmac-sha1-96) 
  16 12/22/13 13:14:31 HTTP/proxy02.deeplayer@deeplayer.com
(aes256-cts-hmac-sha1-96) 
[root@proxy01 etc]# 





[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-23 Thread Markus Moeller

Hi ,

  Are you sure your squid user has read access to the keytab ?  If the KVNO 
and HTTP/... name in the ticket match what is in the keytab it should 
work.


  If your AD entry also has the userprincipalname set to HTTP/proxy 
you can test with kinit -kt  HTTP/proxy02...  It shouldn't produce 
an error. It creates a cache which you can look at with klist.


Markus



"flypast"  wrote in message news:1387772115044-4663993.p...@n4.nabble.com...

Hi Markus,

Firstly, thank you very much and Merry Christmas!!!

Tried as you suggested.

But still no luck.

The logs are below:
2013/12/23 14:27:47| squid_kerb_auth: DEBUG: Got 'YR [base64 Negotiate token removed]'
from squid (length: 1751).
2013/12/23 14:27:47| squid_kerb_auth: DEBUG: Decode
'[base64 Negotiate token removed]'
(decoded length: 1310).
2013/12/23 14:27:47| squid_kerb_auth: ERROR: gss_accept_sec_context()
failed: Unspecified GSS failure.  Minor code may provide more information.
2013/12/23 14:27:47| squid_kerb_auth: INFO: User not authenticated
2013/12/23 14:27:47| authenticateNegotiateHandleReply: Error validating user
via Negotiate. Error returned 'BH gss_accept_sec_context() failed:
Unspecified GSS failure.  Minor code may provide more information

BTW:

On the DC
C:\Users\Administrator>setspn -L proxy02
Registered ServicePrincipalNames for
CN=proxy02,CN=Computers,DC=deeplayer,DC=com
:
   HTTP/proxy02.deeplayer.com

[root@proxy01 squid]# klist -ekt /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp Principal
 --

[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-22 Thread flypast
Hi Markus,

Firstly, thank you very much and Merry Christmas!!!

Tried as you suggested.

But still no luck.

The logs are below:
2013/12/23 14:27:47| squid_kerb_auth: DEBUG: Got 'YR [base64 Negotiate token removed]'
from squid (length: 1751).
2013/12/23 14:27:47| squid_kerb_auth: DEBUG: Decode
'[base64 Negotiate token removed]'
(decoded length: 1310).
2013/12/23 14:27:47| squid_kerb_auth: ERROR: gss_accept_sec_context()
failed: Unspecified GSS failure.  Minor code may provide more information. 
2013/12/23 14:27:47| squid_kerb_auth: INFO: User not authenticated
2013/12/23 14:27:47| authenticateNegotiateHandleReply: Error validating user
via Negotiate. Error returned 'BH gss_accept_sec_context() failed:
Unspecified GSS failure.  Minor code may provide more information

BTW:

On the DC
C:\Users\Administrator>setspn -L proxy02
Registered ServicePrincipalNames for
CN=proxy02,CN=Computers,DC=deeplayer,DC=com
:
HTTP/proxy02.deeplayer.com

[root@proxy01 squid]# klist -ekt /etc/squid/squid.keytab 
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp Principal
 -

  16 12/22/13 13:14:31 proxy02$@DEEPLAYER.COM (arcfour-hmac) 
  16 12/22/13 13:14:31 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96) 
  16 12/22/13 13:14:31 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96) 
  16 12/22/13 13:14:31 HTTP/proxy02.deeplayer@deeplayer.com
(arcfour-hmac) 
  16 12/22/13 13:14:31 HTTP/proxy02.deeplayer@deeplayer.com
(aes128-cts-hmac-sha1-96) 
  16 12/22/13 13:1

[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-22 Thread Markus Moeller

Hi

Can you try

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -i -s 
GSS_C_NO_NAME


instead of

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -i -s 
HTTP/proxy02.deeplayer@deeplayer.com


I wonder if the kerberos library gets confused having hostname proxy01 and 
keytab proxy02.  It shouldn't.


You could also try to remove the invalid  KVNO entries from the keytab using 
ktutils (I assume you use MIT Kerberos).


Markus


"flypast"  wrote in message news:1387686832968-4663976.p...@n4.nabble.com...

Thanks for your confirmation (I did the right thing). Let us go back to my
issue. Could you please help?



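A shell check for the points Markus raises in his replies above, written for this example and not taken from the thread or from Squid: the keytab must hold a key for the HTTP/ principal with the same KVNO and enctype as the client's service ticket (15 and RC4-HMAC in the capture), stale KVNO entries are candidates for removal with ktutil, and the helper only finds the keytab if KRB5_KTNAME reaches it. The `klist -ekt` listing is constructed to mirror the thread's keytab; writing the principal as HTTP/proxy02.deeplayer.com@DEEPLAYER.COM rather than the archive's address-mangled form is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a Squid Kerberos keytab
# the way the thread debugs it. The klist listing is constructed to mirror
# the thread's keytab (KVNO 8, 12 and 15); the HTTP/host@REALM spelling of
# the principal is an assumption about the real file.

KLIST_SAMPLE='Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (arcfour-hmac)
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (arcfour-hmac)
  12 12/21/13 20:15:26 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (arcfour-hmac)
  15 12/22/13 07:21:34 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (arcfour-hmac)
  15 12/22/13 07:21:34 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)'

# keytab_kvnos LISTING PRINCIPAL
# Prints the distinct KVNOs stored for PRINCIPAL, ascending, space-separated.
# klist -ekt columns: KVNO, date, time, principal, (enctype).
keytab_kvnos() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 ~ /^[0-9]+$/ && $4 == p { print $1 }' |
        sort -n -u | tr '\n' ' ' | sed 's/ *$//'
}

# keytab_has_ticket_key LISTING PRINCIPAL KVNO ENCTYPE
# Succeeds only if the keytab holds the exact key the service ticket was
# encrypted with: same principal, same KVNO and same enctype. This is the
# match Markus describes; without it gss_accept_sec_context() fails in
# cache.log even though kinit -kt against the keytab works.
keytab_has_ticket_key() {
    printf '%s\n' "$1" |
        awk -v p="$2" -v k="$3" -v e="($4)" '
            $1 == k && $4 == p && $5 == e { found = 1 }
            END { exit (found ? 0 : 1) }'
}

# stale_kvnos LISTING PRINCIPAL
# Prints every KVNO older than the newest one for PRINCIPAL. Repeated
# msktutil runs and account resets leave these behind; they can be removed
# with ktutil once no client still holds a ticket issued under them.
stale_kvnos() {
    all=$(keytab_kvnos "$1" "$2")
    newest=${all##* }
    for k in $all; do
        if [ "$k" != "$newest" ]; then printf '%s ' "$k"; fi
    done | sed 's/ *$//'
}

# check_ktname
# Succeeds when KRB5_KTNAME (what the init script exports) names a keytab
# readable by the current user. Run it as the squid user: the helper runs
# with squid's identity, so root being able to read the file proves nothing.
check_ktname() {
    case "${KRB5_KTNAME:-}" in
        '') echo "KRB5_KTNAME is unset; the helper will fall back to the default keytab" >&2
            return 1 ;;
        FILE:*) f=${KRB5_KTNAME#FILE:} ;;
        *) f=$KRB5_KTNAME ;;
    esac
    if [ ! -r "$f" ]; then
        echo "keytab $f is not readable by $(id -un)" >&2
        return 1
    fi
    return 0
}
```

On a live proxy, feed the functions `"$(klist -ekt /etc/squid/squid.keytab)"` and the KVNO/enctype read from the TGS-REP in the client capture.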





[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-21 Thread flypast
Thanks for your confirmation (I did the right thing). Let us go back to my
issue. Could you please help?





Re: [squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-21 Thread Amos Jeffries
On 22/12/2013 3:22 p.m., flypast wrote:
> Hi Markus.
> 
> My proxy hostname is 
> [root@proxy01 squid]# hostname -f 
> proxy01.deeplayer.com
> 
> I use the CLI below to create the keytab. 
> 
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy02.deeplayer.com -k
> /etc/squid/squid.keytab --computer-name proxy02 --upn
> HTTP/proxy02.deeplayer.com --server dc1.deeplayer.com --verbose --enctypes
> 28
> 
> Could you please help to confirm my CLI is ok. 
> 
> My DC (dc1.deeplayer.com) is windows 2008 R2 at 2003 functional level.
> 

As Markus earlier email said, this will only matter if the browser
config panel is configured with the *string*  "proxy02.deeplayer.com" as
the name of the proxy being connected to.

Amos


[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-21 Thread flypast
Hi Markus.

My proxy hostname is 
[root@proxy01 squid]# hostname -f 
proxy01.deeplayer.com

I use the CLI below to create the keytab. 

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy02.deeplayer.com -k
/etc/squid/squid.keytab --computer-name proxy02 --upn
HTTP/proxy02.deeplayer.com --server dc1.deeplayer.com --verbose --enctypes
28

Could you please help to confirm my CLI is ok. 

My DC (dc1.deeplayer.com) is windows 2008 R2 at 2003 functional level.





[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-21 Thread flypast
latest log:

2013/12/22 12:26:24| squid_kerb_auth: ERROR: gss_acquire_cred() failed:
Unspecified GSS failure.  Minor code may provide more information. 
2013/12/22 12:26:24| squid_kerb_auth: INFO: User not authenticated
2013/12/22 12:26:24| authenticateNegotiateHandleReply: Error validating user
via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS
failure.  Minor code may provide more information. '
2013/12/22 12:26:38| squid_kerb_auth: DEBUG: Got 'YR [base64 Negotiate token removed]'
from squid (length: 1751).
2013/12/22 12:26:38| squid_kerb_auth: DEBUG: Decode
'[base64 Negotiate token removed]'
(decoded length: 1310).
2013/12/22 12:26:38| squid_kerb_auth: ERROR: gss_acquire_cred() failed:
Unspecified GSS failure.  Minor code may provide more information. 
2013/12/22 12:26:38| squid_kerb_auth: INFO: User not authenticated
2013/12/22 12:26:38| authenticateNegotiateHandleReply: Error validating user
via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS
failure.  Minor code may provide more information. '
2013/12/22 12:26:38| squid_kerb_auth: DEBUG: Got 'YR

[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-21 Thread flypast
Hi Markus,

As suggested, I performed a packet capture with Wireshark on the proxy client.

I can get the TGS-REP packet with no error. The ticket KVNO (version 15) and
encryption type (RC4-HMAC) match the proxy end.

Please see the below:

In addition, the klist on the client shows I have got the key of the proxy as well.





[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-21 Thread Markus Moeller

Hi,

 If you get an NTLM token from the client it usually means that the client 
cannot get the service principal for HTTP/ where  is the 
string (yes string if it is an IP it is used as a string) of the configured 
Browser proxy.  If you take a wireshark capture on the client you should see 
on port 88 the TGS Requests and TGS Replies with the error code.


Markus


"flypast"  wrote in message news:1387662168302-4663967.p...@n4.nabble.com...

Hi,

BTW, below is the latest alert log
==> /var/log/squid/cache.log <==
2013/12/22 08:39:39| squid_kerb_auth: DEBUG: Got 'YR
TlRMTVNTUAABt4II4gAFASgKDw==' from squid
(length: 59).
2013/12/22 08:39:39| squid_kerb_auth: DEBUG: Decode
'TlRMTVNTUAABt4II4gAFASgKDw==' (decoded length:
40).
2013/12/22 08:39:39| squid_kerb_auth: WARNING: received type 1 NTLM token
2013/12/22 08:39:39| authenticateNegotiateHandleReply: Error validating user
via Negotiate. Error returned 'BH received type 1 NTLM token'








[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-21 Thread flypast
Hi,

BTW, below is the latest alert log
==> /var/log/squid/cache.log <==
2013/12/22 08:39:39| squid_kerb_auth: DEBUG: Got 'YR
TlRMTVNTUAABt4II4gAFASgKDw==' from squid
(length: 59).
2013/12/22 08:39:39| squid_kerb_auth: DEBUG: Decode
'TlRMTVNTUAABt4II4gAFASgKDw==' (decoded length:
40).
2013/12/22 08:39:39| squid_kerb_auth: WARNING: received type 1 NTLM token
2013/12/22 08:39:39| authenticateNegotiateHandleReply: Error validating user
via Negotiate. Error returned 'BH received type 1 NTLM token'





[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-21 Thread flypast
Hi Markus,

Thank you very much!

Sorry that I read the capture wrongly.

Looks like the KVNO version and encryption type match between the client XP
PC and squid proxy.

[root@proxy01 squid]# klist -ekt squid.keytab 
Keytab name: FILE:squid.keytab
KVNO Timestamp Principal
 -

   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (arcfour-hmac) 
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96) 
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96) 
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer@deeplayer.com
(arcfour-hmac) 
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer@deeplayer.com
(aes128-cts-hmac-sha1-96) 
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer@deeplayer.com
(aes256-cts-hmac-sha1-96) 
  12 12/21/13 20:15:26 proxy02$@DEEPLAYER.COM (arcfour-hmac) 
  12 12/21/13 20:15:26 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96) 
  12 12/21/13 20:15:26 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96) 
  12 12/21/13 20:15:26 HTTP/proxy02.deeplayer@deeplayer.com
(arcfour-hmac) 
  12 12/21/13 20:15:26 HTTP/proxy02.deeplayer@deeplayer.com
(aes128-cts-hmac-sha1-96) 
  12 12/21/13 20:15:26 HTTP/proxy02.deeplayer@deeplayer.com
(aes256-cts-hmac-sha1-96) 
  15 12/22/13 07:21:34 proxy02$@DEEPLAYER.COM (arcfour-hmac) 
  15 12/22/13 07:21:34 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96) 
  15 12/22/13 07:21:34 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96) 
  15 12/22/13 07:21:34 HTTP/proxy02.deeplayer@deeplayer.com
(arcfour-hmac) 
  15 12/22/13 07:21:34 HTTP/proxy02.deeplayer@deeplayer.com
(aes128-cts-hmac-sha1-96) 
  15 12/22/13 07:21:34 HTTP/proxy02.deeplayer@deeplayer.com
(aes256-cts-hmac-sha1-96) 

I did add the below into the startup script.
KRB5_KTNAME=/etc/squid/squid.keytab
export KRB5_KTNAME


[root@proxy01 init.d]# more squid
#!/bin/bash
# chkconfig: - 90 25
# pidfile: /var/run/squid.pid
# config: /etc/squid/squid.conf
#
### BEGIN INIT INFO
# Provides: squid
# Short-Description: starting and stopping Squid Internet Object Cache
# Description: Squid - Internet Object Cache. Internet object caching is \
#   a way to store requested Internet objects (i.e., data available \
#   via the HTTP, FTP, and gopher protocols) on a system closer to the \
#   requesting site than to the source. Web browsers can then use the \
#   local Squid cache as a proxy HTTP server, reducing access time as \
#   well as bandwidth consumption.
### END INIT INFO


PATH=/usr/bin:/sbin:/bin:/usr/sbin
export PATH

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

if [ -f /etc/sysconfig/squid ]; then
. /etc/sysconfig/squid
fi

# don't raise an error if the config file is incomplete
# set defaults instead:
SQUID_OPTS=${SQUID_OPTS:-""}
SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}
SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"}

# determine the name of the squid binary
[ -f /usr/sbin/squid ] && SQUID=squid

prog="$SQUID"

# determine which one is the cache_swap directory
CACHE_SWAP=`sed -e 's/#.*//g' $SQUID_CONF | \
grep cache_dir | awk '{ print $3 }'`

RETVAL=0

probe() {
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 1

[ `id -u` -ne 0 ] && exit 4

# check if the squid conf file is present
[ -f $SQUID_CONF ] || exit 6
}

start() {
KRB5_KTNAME=/etc/squid/squid.keytab
export KRB5_KTNAME
probe

parse=`$SQUID -k parse -f $SQUID_CONF 2>&1`
RETVAL=$?
if [ $RETVAL -ne 0 ]; then
echo -n $"Starting $prog: "
echo_failure
echo
echo "$parse"
return 1
fi
for adir in $CACHE_SWAP; do
if [ ! -d $adir/00 ]; then
echo -n "init_cache_dir $adir... "
$SQUID -z -F -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
fi
done
echo -n $"Starting $prog: "
$SQUID $SQUID_OPTS -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
RETVAL=$?
if [ $RETVAL -eq 0 ]; then
timeout=0;
while : ; do
[ ! -f /var/run/squid.pid ] || break
if [ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]; then
RETVAL=1
break
fi
sleep 1 && echo -n "."
timeout=$((timeout+1))
done
fi
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID
[ $RETVAL -eq 0 ] && echo_success
[ $RETVAL -ne 0 ] && echo_failure
echo
return $RETVAL
}

stop() {

[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-21 Thread Markus Moeller
What is the KVNO and encryption type you see in the capture? You may need 
to clear the cache on the XP machine by either lock/unlock the PC or 
logging off/on or using kerbtray. It could be that XP had an old key cached.


Markus

"flypast"  wrote in message news:1387618150867-4663964.p...@n4.nabble.com...

Hi,
I am working to enable kerberos authentication for Squid proxy.

My environment is as below:

DC: dc1.deeplayer.com (windows 2008 r2 domain level 2003) IP 10.1.1.91
Squid proxy: centos 6.4 IP 10.1.1.97
Client: windows xp sp3, IE8 IP 10.1.1.211

I have followed the guide at
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

I use the CLI below to create the keytab file.
msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy02.deeplayer.com -k /etc/squid/squid.keytab --computer-name proxy02 --upn HTTP/proxy02.deeplayer.com --server dc1.deeplayer.com --verbose --enctypes 28

Everything looks good.

But the authentication failed.

I did a few tests. DNS all works.

[root@proxy01 ~]# klist -etk /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (arcfour-hmac)
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96)
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer@deeplayer.com (arcfour-hmac)
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer@deeplayer.com (aes128-cts-hmac-sha1-96)
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer@deeplayer.com (aes256-cts-hmac-sha1-96)

I reset the proxy02 account in AD DC.

Then update the keytab as below. Looks good as well.
[root@proxy01 squid]# msktutil --auto-update --verbose --computer-name proxy02 -k squid.keytab
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password:  Characters read from /dev/udandom = 81
-- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP)
-- get_dc_host: Found DC: dc1.deeplayer.com
-- get_dc_host: Canonicalizing DC through forward/reverse lookup...
-- get_dc_host: Found Domain Controller: dc1.deeplayer.com
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-5Mu62Q
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: proxy02$
-- try_machine_keytab_princ: Trying to authenticate for proxy02$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/proxy01.deeplayer.com from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for proxy02$ with password.
-- create_default_machine_password: Default machine password for proxy02$ is proxy02
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4

-- ldap_connect: Connecting to LDAP server: dc1.deeplayer.com try_tls=YES
-- ldap_connect: Connecting to LDAP server: dc1.deeplayer.com try_tls=NO
SASL/GSSAPI authentication started
SASL username: administra...@deeplayer.com
SASL SSF: 56
SASL data security layer installed.
-- ldap_connect: LDAP_OPT_X_SASL_SSF=56

-- ldap_get_base_dn: Determining default LDAP base: dc=DEEPLAYER,dc=COM
-- get_default_ou: Determining default OU: CN=Computers,DC=deeplayer,DC=com
-- ldap_check_account: Checking that a computer account for proxy02$ exists
-- ldap_check_account: Checking computer account - found
-- ldap_check_account: Found userAccountControl = 0x1000
-- ldap_check_account: Found supportedEncryptionTypes = 28
-- ldap_check_account: Found dNSHostName = proxy01.deeplayer.com
-- ldap_check_account:   Found Principal: HTTP/proxy02.deeplayer.com
-- ldap_check_account:   Found User Principal: HTTP/proxy02.deeplayer.com
-- ldap_check_account_strings: Inspecting (and updating) computer account attributes
-- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28
-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x20 to 0x0
-- ldap_set_userAccountControl_flag:  userAccountControl not changed 0x1000
-- set_password: Attempting to reset computer's password
-- set_password: Try change password using user's ticket cache
-- ldap_get_pwdLastSet: pwdLastSet is 130320907474715458
-- set_password: Successfully set password, waiting for it to be reflected in LDAP.
-- ldap_get_pwdLastSet: pwdLastSet is 1303209
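Following up on Markus's question about the KVNO and encryption type, and on the supportedEncryptionTypes = 28 that msktutil reports above, here is an added example (not from the thread, msktutil or Squid) that decodes that AD bitmask and checks `klist -etk` output for the service principal: it flags enctypes AD allows but the keytab lacks, and mixed KVNOs, which is what a stale key left behind after a password reset looks like. The klist text is a constructed sample modelled on the thread, and the full SPN string `HTTP/proxy02.deeplayer.com@DEEPLAYER.COM` is assumed.

```python
import re

# msDS-SupportedEncryptionTypes bit values (MS-KILE). 28 = 0x1C = RC4 + AES128 + AES256,
# which is exactly the set of enctypes in the thread's klist output.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Constructed `klist -etk`-shaped sample modelled on the thread; the last entry is
# deliberately left at an older KVNO to show what a stale key looks like.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (arcfour-hmac)
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96)
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (arcfour-hmac)
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (aes128-cts-hmac-sha1-96)
   7 12/21/13 19:32:36 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)
"""

# One keytab entry: KVNO, date, time, principal, "(enctype)"; header lines do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+) \((\S+)\)\s*$")

def decode_enctypes(mask):
    """Enctype names enabled by an msDS-SupportedEncryptionTypes bitmask."""
    return {name for bit, name in ENCTYPE_BITS.items() if mask & bit}

def parse_klist(text):
    """Map {principal: {enctype: kvno}} from `klist -etk` output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table.setdefault(m.group(2), {})[m.group(3)] = int(m.group(1))
    return table

def check_keytab(text, spn, supported_mask):
    """List the mismatches that stop the helper from decrypting a ticket for `spn`."""
    entries = parse_klist(text).get(spn, {})
    if not entries:
        return [f"{spn}: not in keytab"]
    problems = [f"{spn}: AD allows {et} but keytab has no key for it"
                for et in sorted(decode_enctypes(supported_mask) - set(entries))]
    kvnos = sorted(set(entries.values()))
    if len(kvnos) > 1:
        problems.append(f"{spn}: mixed KVNOs {kvnos}; compare with the KVNO in the capture")
    return problems
```

Run `check_keytab` on the real `klist -etk` output with the SPN the browser requests; a KVNO in the capture that is not in the keytab at all points at the client-side cached key Markus mentions rather than at the keytab.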