First, it is very handy to know your OS, Samba and Squid versions.

Second, Squid, RADIUS, etc.: anything that uses NTLMv1 with Samba stopped working after 4.5.0. I think your main problem can be explained by this extract from the release notes for 4.5.0:

    NTLMv1 authentication disabled by default
    -----------------------------------------

    In order to improve security we have changed the default value for the
    "ntlm auth" option from "yes" to "no". This may have impact on very old
    clients which don't support NTLMv2 yet. The primary user of NTLMv1 is
    MSCHAPv2 for VPNs and 802.1x.

    By default, Samba will only allow NTLMv2 via NTLMSSP now, as we have the
    following default "lanman auth = no", "ntlm auth = no" and
    "raw NTLMv2 auth = no".

Greetz,

Louis


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of Kevin M???hlparzer
Sent: Tuesday, 13 June 2017 14:00
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Negotiate Kerberos Auth - BH Invalid request

Hello list,

I asked about a problem with NTLM authentication before. (BH SPNEGO request invalid prefix; that's the error of the helper protocol "helper-protocol=squid-2.5-ntlmssp" I used with NTLM, while basic works fine.)

A user told me I should use negotiate_kerberos_auth instead of ntlm_auth. Now here's my new problem:

    root@x-x-testproxy01:/etc/squid# /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
    negotiate_kerberos_auth.cc(487): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
    negotiate_kerberos_auth.cc(546): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Setting keytab to FILE:/etc/squid/HTTP.keytab
    negotiate_kerberos_auth.cc(570): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_5305
    testuser xxxxxxx
    negotiate_kerberos_auth.cc(610): pid=5305 :2017/06/13 13:29:47| negotiate_kerberos_auth: DEBUG: Got 'testuser xxxxxx' from squid (length: 18).
    negotiate_kerberos_auth.cc(647): pid=5305 :2017/06/13 13:29:47| negotiate_kerberos_auth: ERROR: Invalid request [testuser xxxxxxx]
    BH Invalid request

So my configuration has mistakes, but I can't find them.
I don't really know where to search, or what works for sure. I tried many tutorials on krb5 and Samba. Every form of testing I tried works fine, except indeed the required Kerberos authentication of my Squid proxy. Tests that come to my mind:

kinit a user

    Warning: Your password will expire in 36 days on Don 20 Jul 2017 13:23:54 CEST

klist

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: testuser@X-XXX.LOCAL

    Valid starting       Expires              Service principal
    2017-06-13 13:38:37  2017-06-13 23:38:37  krbtgt/X-XXX.LOCAL@X-XXX.LOCAL
        renew until 2017-06-14 13:38:34

klist -k on my HTTP.keytab

    Keytab name: FILE:/etc/squid/HTTP.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
       1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
       1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
       1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
       1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
       1 host/X-X-TESTPROXY01@X-XXX.LOCAL
       1 host/X-X-TESTPROXY01@X-XXX.LOCAL
       1 host/X-X-TESTPROXY01@X-XXX.LOCAL
       1 host/X-X-TESTPROXY01@X-XXX.LOCAL
       1 host/X-X-TESTPROXY01@X-XXX.LOCAL
       1 X-X-TESTPROXY01$@X-XXX.LOCAL
       1 X-X-TESTPROXY01$@X-XXX.LOCAL
       1 X-X-TESTPROXY01$@X-XXX.LOCAL
       1 X-X-TESTPROXY01$@X-XXX.LOCAL
       1 X-X-TESTPROXY01$@X-XXX.LOCAL

basic-auth using ntlm

    root@x-x-testproxy01:/etc/squid# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --username=testuser --password=xxxxxxxx
    testuser xxxxxxxxxx
    OK
    testuser@x-xxx.local xxxxxxxx
    OK

wbinfo -u

    administrator
    testuser
    ...

wbinfo -g

    allowed rodc password replication group
    enterprise read-only domain controllers
    ...
wbinfo --krb5auth=testuser%xxxxxxx

    plaintext kerberos password authentication for [testuser%xxxxxxx] succeeded (requesting cctype: FILE)

wbinfo -t

    checking the trust secret for domain X-XXX via RPC calls succeeded

wbinfo --authenticate=testuser%xxxxxxxx

    plaintext password authentication succeeded
    challenge/response password authentication succeeded

/usr/lib/squid/negotiate_kerberos_auth_test x-x-testproxy01.x-xxx.local

    Token: [base64 SPNEGO token, omitted]

Sorry for posting so much output... I already read many documentations, but no one really tests in small steps; they just assume that it works for everyone out of the box...

Does anyone have a clue what could be my mistake?

Thanks in advance.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
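The "BH Invalid request" in the thread comes from the first check a Negotiate helper applies to every line Squid sends it: the line must start with the verb YR (new authentication) or KK (continuation) followed by a base64 GSS-API token, whereas the manual test above typed a Basic-style "user password" pair, which is what the squid-2.5-basic protocol of ntlm_auth expects instead. The following Python is an added example, not code from the thread or from Squid; it models that framing and the checks, and all "BH" texts other than "BH Invalid request" are the model's own wording.

```python
"""Squid <-> Negotiate-helper request framing (added example, not Squid code).
Squid sends negotiate_kerberos_auth "YR <base64 token>" to start an
authentication and "KK <base64 token>" to continue one; the token is a GSS-API
InitialContextToken (RFC 2743 3.1): 0x60, DER length, mechanism OID, data."""
import base64
import binascii

# DER-encoded mechanism OIDs as found right after the GSS-API header.
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
MECH_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "KRB5"}

def der_length(n):
    """DER length: one octet below 128, else 0x80|count followed by big-endian n."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def wrap_gss_token(mech_oid, inner):
    """Build an InitialContextToken around constructed mechanism data.
    Real tokens are a few KB, so the length takes 0x82 hh ll and (below 16 KB)
    the base64 opens with "YII", exactly as negotiate_kerberos_auth_test prints."""
    body = mech_oid + inner
    return b"\x60" + der_length(len(body)) + body

def make_request_line(token, first=True):
    """Frame a token the way Squid hands it to the helper."""
    return ("YR " if first else "KK ") + base64.b64encode(token).decode()

def classify_request(line):
    """Verdict a helper reaches on one request line.  "BH Invalid request" is
    the real wording for a bad verb (the thread shows it); the other BH texts
    are this model's own."""
    verb, _, b64 = line.rstrip("\r\n").partition(" ")
    if verb not in ("YR", "KK"):
        return "BH Invalid request"
    try:
        token = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return "BH Invalid base64"
    if len(token) < 2 or token[0] != 0x60:
        return "BH Not a GSS-API token"
    # Skip the DER length octets to reach the mechanism OID.
    oid_start = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
    for oid, name in MECH_NAMES.items():
        if token.startswith(oid, oid_start):
            return "OK " + name
    return "BH Unknown mechanism OID"
```

A hand test of the real helper therefore pipes the line "YR <token from negotiate_kerberos_auth_test>" into negotiate_kerberos_auth rather than a user and password.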