Hi Ludovit,

Yes, the client determines the encryption strength and squid needs to have all of them in the keytab (you can disallow DES or other weak encryption by not adding these encryptions to the keytab).

Regards
Markus

"Ludovit Koren"  wrote in message news:86lhk0j2xe....@gmail.com...

Markus Moeller <hua...@moeller.plus.com> writes:

   > It could be the new AD server is set up to be backward compatible,
   > meaning it uses RC4 despite being able to use AES.  I suggest you create
   > an additional keytab entry for RC4.  How did you create the keytab?

Now it seems to work:


# /usr/local/libexec/squid/negotiate_kerberos_auth_test proxy.mdpt.local | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/local/libexec/squid/negotiate_kerberos_auth -r -s HTTP/proxy.mdpt.local
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== HTTP/proxy.mdpt.local
BH quit command

respectively with debug output

# /usr/local/libexec/squid/negotiate_kerberos_auth_test proxy.mdpt.local | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/local/libexec/squid/negotiate_kerberos_auth -d -r -s HTTP/proxy.mdpt.local
negotiate_kerberos_auth.cc(212): pid=59316 :2015/02/14 09:40:23| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(258): pid=59316 :2015/02/14 09:40:23| negotiate_kerberos_auth: DEBUG: Got 'YR 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' from squid (length: 1911).
negotiate_kerberos_auth.cc(311): pid=59316 :2015/02/14 09:40:23| negotiate_kerberos_auth: DEBUG: Decode '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' (decoded length: 1430).
negotiate_kerberos_pac.cc(368): pid=59316 :2015/02/14 09:40:23| negotiate_kerberos_auth: INFO: Got PAC data of lengh 464
negotiate_kerberos_pac.cc(186): pid=59316 :2015/02/14 09:40:23| negotiate_kerberos_auth: INFO: Found 2 rids
negotiate_kerberos_pac.cc(193): pid=59316 :2015/02/14 09:40:23| negotiate_kerberos_auth: Info: Got rid: 513
negotiate_kerberos_pac.cc(193): pid=59316 :2015/02/14 09:40:23| negotiate_kerberos_auth: Info: Got rid: 8830
negotiate_kerberos_pac.cc(255): pid=59316 :2015/02/14 09:40:23| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1-5-21-770342266-1452753317-1341851483
negotiate_kerberos_pac.cc(277): pid=59316 :2015/02/14 09:40:23| negotiate_kerberos_auth: INFO: Found 1 ExtraSIDs
negotiate_kerberos_pac.cc(325): pid=59316 :2015/02/14 09:40:23| negotiate_kerberos_auth: INFO: Got ExtraSid S-1-18-1
negotiate_kerberos_pac.cc(448): pid=59316 :2015/02/14 09:40:23| negotiate_kerberos_auth: INFO: Read 464 of 464 bytes
negotiate_kerberos_auth.cc(426): pid=59316 :2015/02/14 09:40:23| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAAAAAUVAAAAen3qLaVBl1ZbB/tPAQIAAA== group=AQUAAAAAAAUVAAAAen3qLaVBl1ZbB/tPfiIAAA== group=AQEAAAAAABIBAAAA
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== HTTP/proxy.mdpt.local
negotiate_kerberos_auth.cc(431): pid=59316 :2015/02/14 09:40:23| negotiate_kerberos_auth: DEBUG: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== HTTP/proxy.mdpt.local
negotiate_kerberos_auth.cc(258): pid=59316 :2015/02/14 09:40:23| negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).
BH quit command

It looks like all ciphers which different MS clients could use
should be specified...

Am I right?

lk
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
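
Added example (not part of the thread and not Squid's own code): a keytab audit for the point discussed above, that the keytab must hold a key for every encryption type clients may pick and that DES is refused by leaving it out. It assumes the listing format printed by MIT Kerberos `klist -ke`; the principal, realm and keytab path in the sample are constructed.

```shell
#!/bin/sh
# Constructed sample of `klist -ke` output (MIT Kerberos format assumed).
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/path/to/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------
   3 HTTP/proxy.example.test@EXAMPLE.TEST (des-cbc-md5)
   3 HTTP/proxy.example.test@EXAMPLE.TEST (DEPRECATED:arcfour-hmac)
   3 HTTP/proxy.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 host/proxy.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
EOF
}

# keytab_enctypes SPN: read a klist -ke listing on stdin and print the
# enctypes stored for that service principal, one per line, de-duplicated.
keytab_enctypes() {
    awk -v spn="$1" '
        # Entry lines start with a numeric KVNO; headers do not.
        $1 ~ /^[0-9]+$/ && index($2, spn "@") == 1 {
            e = $NF
            gsub(/[()]/, "", e)
            sub(/^DEPRECATED:/, "", e)  # prefix used by newer MIT releases
            print e
        }' | LC_ALL=C sort -u
}

# audit_keytab SPN REQUIRED...: print findings and return non-zero if a
# single-DES key is present or a REQUIRED enctype has no key for SPN.
audit_keytab() {
    spn=$1; shift
    have=$(keytab_enctypes "$spn")
    rc=0
    for e in $have; do
        case $e in
            des-*) echo "WEAK $e"; rc=1 ;;
        esac
    done
    for need in "$@"; do
        if ! printf '%s\n' "$have" | grep -qxF -- "$need"; then
            echo "MISSING $need"; rc=1
        fi
    done
    return $rc
}
```

On a live system the input would come from `klist -ke` on the keytab Squid uses, with the list of required enctypes set to what the domain's clients actually negotiate.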
