Hi Bilal,

Firstly, there is a difference between supporting IWA for web authentication and IWA for proxy authentication. If I remember right, proxy authentication with Negotiate is only available from IE 7 onwards.

Can you capture the traffic from your client on port 88 with Wireshark? On a just-started machine you should see a TGS (= Ticket Granting Service) request for HTTP/fqdn, where fqdn is the proxy DNS name. Before the TGS request you may also see AS (Authentication Service) requests.

There is also a Microsoft tool called kerbtray which can list and delete tickets on the Windows client and thereby force a new TGS request.

Regards
Markus
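One way to check what the browser is actually handing to the proxy, as an added example that is not code from this thread or from Squid: the function below decodes a Proxy-Authorization: Negotiate value such as the one quoted later in this thread and reports whether it carries a raw NTLMSSP message, a SPNEGO token (and which mechanisms that token offers), or a bare Kerberos token. The SPNEGO and Kerberos samples are constructed stubs with their payloads omitted; the NTLM flag and version-field offsets follow MS-NLMP, and `classify_token` is a name chosen here.

```python
import base64, struct

# DER-encoded OID contents (no tag/length) that identify the GSS-API mechanism in a token
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MSKRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
OID_NTLM = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10

def _der_bounds(buf, pos):
    """Return (contents_start, contents_end) of the DER TLV at buf[pos]; handles long lengths."""
    n = 0 if buf[pos + 1] < 0x80 else buf[pos + 1] & 0x7F
    length = buf[pos + 1] if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return pos + 2 + n, pos + 2 + n + length

def classify_token(token):
    """token: a 'Negotiate <base64>' header value as Squid logs it, or the decoded bytes."""
    if isinstance(token, str):
        token = base64.b64decode(token.strip().partition(" ")[2] or token)
    info = {"length": len(token), "kind": "unknown"}
    if token.startswith(b"NTLMSSP\x00"):                    # NTLMSSP signature: not Kerberos
        msg_type, flags = struct.unpack_from("<II", token, 8)
        info.update(kind="ntlm", ntlm_type=msg_type, flags=flags)
        if flags & 0x02000000 and len(token) >= 40:         # NTLMSSP_NEGOTIATE_VERSION set
            major, minor, build = struct.unpack_from("<BBH", token, 32)
            info["client_os"] = (major, minor, build)       # (5, 1, 2600) is Windows XP
    elif len(token) > 2 and token[0] == 0x60:               # GSS-API InitialContextToken
        start, end = _der_bounds(token, 0)
        if start < len(token) and token[start] == 0x06:     # mechanism OID comes first
            oid_start, oid_end = _der_bounds(token, start)
            oid = token[oid_start:oid_end]
            if oid in (OID_KRB5, OID_MSKRB5):
                info["kind"] = "kerberos"
            elif oid == OID_SPNEGO:                         # NegTokenInit: see what it offers
                rest = token[oid_end:end]                   # substring scan of mechTypes suffices
                info.update(kind="spnego", offers_ntlm=OID_NTLM in rest,
                            offers_kerberos=OID_KRB5 in rest or OID_MSKRB5 in rest)
            else:
                info["kind"] = "gssapi-other"
    return info

# Token quoted in the thread, written as prefix + 21 'A' + suffix so the run of zero bytes is exact
PAGE_TOKEN = "TlRMTVNTUAABAAAAB4IIog" + "A" * 21 + "FASgKAAAADw=="

def _der(tag, body):   # short-form DER only, enough for the constructed samples below
    return bytes([tag, len(body)]) + body

# Constructed samples of what a Kerberos-capable client would send instead (payloads omitted)
KRB5_STUB = _der(0x60, _der(0x06, OID_KRB5))
SPNEGO_STUB = _der(0x60, _der(0x06, OID_SPNEGO) + _der(0xA0, _der(0x30, _der(0xA0, _der(0x30,
    _der(0x06, OID_MSKRB5) + _der(0x06, OID_KRB5) + _der(0x06, OID_NTLM))))))
```

Run against the thread's token it reports an NTLM Type 1 message from a Windows 5.1 build 2600 client, which is exactly the case squid_kerb_auth rejects; a working client shows up as SPNEGO offering Kerberos.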


"GIGO ." <gi...@msn.com> wrote in message news:snt134-w179c7d9f5ee51c47c1e816b9...@phx.gbl...

Markus,

Now what to do? Why this behaviour of the browser, though I have confirmed that Windows Integrated Authentication is checked? The IE version can do Kerberos. The DNS name is given as the proxy. The only missing thing is DNS reverse lookup settings on my Domain Controller/DNS. Checked on two clients. I have a virtual environment made on VMware.


How to move forward from here?


To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Fri, 16 Apr 2010 15:18:27 +0100
Subject: [squid-users] Re: Re: Re: Creating a kerberos Service Principal.

Hi Bilal,

In your case the browser is returning an NTLM token, not a Kerberos token, which is why squid_kerb_auth will deny access.

Regards
Markus

"GIGO ." <gi...@msn.com> wrote in message news:snt134-w155de8e05828b08d15c09ab9...@phx.gbl...

Dear Nick,

This was the result of my klist -k command:

[r...@squidlhrtest log]# klist -k /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 HTTP/vdc.v.com...@v.com.pk
2 HTTP/vdc.v.com...@v.com.pk
2 HTTP/vdc.v.com...@v.com.pk
---------------------------------------

I recreated the SPN as follows in my new lab (the domain controller name is now vdc.v.local and the proxy name is squidLhrTest):
msktutil -c -b "CN=COMPUTERS" -s HTTP/vdc.v.local -h squidLhrTest.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/squidLhrTest.v.local --server vdc.v.local --verbose


However, whenever a client tries to access the internet, this error appears:

CacheHost: squidLhrTest
ErrPage: ERR_CACHE_ACCESS_DENIED
Err: [none]
TimeStamp: Fri, 16 Apr 2010 10:43:51 GMT
ClientIP: 10.1.82.54
HTTP Request:
GET /isapi/redir.dll?prd=ie&ar=hotmail HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.microsoft.com
Proxy-Authorization: Negotiate
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==


Thank you so much for your consideration, Nick. Yes, despite lots of effort I am not able to get this thing to work and am frustrated now..... However, in the journey I have at least learnt many things :)

regards,

Bilal Aslam

From: nick.cairncr...@condenast.co.uk
To: gi...@msn.com
Date: Fri, 16 Apr 2010 09:39:11 +0100
Subject: Re: [squid-users] Re: Re: Creating a kerberos Service Principal.

Bilal,

I understand your frustration! First off: what happens when you run klist -k /etc/squid/HTTP.keytab?
As I understand it, shouldn't you be specifying the SPN as HTTP/yoursquidproxy and not your DC? You want to be able to authenticate from the squid proxy, using the HTTP service to the squid-http computer account.

Nick

On 16/04/2010 08:43, "GIGO ." wrote:

Dear Nick/Markus,

I am totally lost in translation and am not sure what to do; I need your help please. The problem is that my Kerberos authentication is not working. In my virtual environment I have two machines, one configured as Domain Controller and the other one as Squid proxy. I am trying to use the internet from my domain controller (Internet Explorer 7, and the DNS name is given instead of the IP). However, it only pops up an authentication window and never works like it should.

I have set up the squid authentication as follows:

Steps:

I copied the squid_kerb_auth files to the correct directory (SELinux is enabled):

cp -r squid_kerb_auth /usr/libexec/squid/

I then installed the msktutil software.

Step No 1: I changed my krb5.conf file as follows:

------------------------krb5.conf-----------------------------------------------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = V.COM.PK
dns_lookup_realm = no
dns_lookup_kdc = no
ticket_lifetime = 24h
forwardable = yes
default_keytab_name= /etc/krb5.keytab
; for windows 2003
default_tgs_enctypes= rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes= rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes= rc4-hmac des-cbc-crc des-cbc-md5
[realms]
V.LOCAL = {
kdc = vdc.v.com.pk:88
admin_server = vdc.v.com.pk:749
default_domain = v.com.pk
}
[domain_realm]
.linux.home = V.COM.PK
.v.com.pk=V.COM.PK
v.local=V.COM.PK

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Step 2: I verified the settings in resolv.conf & the hosts file
------------------/etc/resolv.conf---------------------------------------
nameserver 10.1.82.51 (My domain controller and DNS)

------------------------/etc/hosts file----------------------------------------
127.0.0.1 squidLhrTest localhost.localdomain localhost
10.1.82.52 squidLhrTest.v.com.pk
::1 localhost6.localdomain6 localhost6
-------------------------------------------------------------------------------

Step 3:
I created the keytab as follows:
kinit administra...@v.local

msktutil -c -b "CN=COMPUTERS" -s HTTP/vdc.v.com.pk -h squidLhrTest.v.com.pk -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/vdc.v.com.pk --server vdc.v.com.pk --verbose

Output of my command:

[r...@squidlhrtest msktutil-0.3.16]# msktutil -c -b "CN=COMPUTERS" -s HTTP/vdc.v.com.pk -h squidLhrTest.v.com.pk -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/vdc.v.com.pk --server vdc.v.com.pk --verbose
-- init_password: Wiping the computer password structure
-- finalize_exec: Determining user principal name
-- finalize_exec: User Principal Name is: HTTP/vdc.v.com...@v.com.pk
-- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.mskt-9130krb5.conf
-- get_krb5_context: Creating Kerberos Context
-- try_machine_keytab: Using the local credential cache:
/tmp/.mskt-9130krb5_ccache
-- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not found
in Kerberos database)
-- try_machine_keytab: Unable to authenticate using the local keytab
-- try_ldap_connect: Connecting to LDAP server: vdc.v.com.pk
-- try_ldap_connect: Connecting to LDAP server: vdc.v.com.pk
SASL/GSSAPI authentication started
SASL username: administra...@v.com.pk
SASL SSF: 56
SASL installing layers
-- ldap_get_base_dn: Determining default LDAP base: dc=v,dc=com,dc=pk
-- get_short_hostname: Determined short hostname: squidLhrTest
-- finalize_exec: SAM Account Name is: squid-http$
Updating all entries for squidLhrTest.v.com.pk in the keytab
/etc/squid/HTTP.keytab
-- try_set_password: Attempting to reset computer's password
-- ldap_check_account: Checking that a computer account for squid-http$
exists
No computer account for squid-http found, creating a new one.
-- ldap_check_account_strings: Inspecting (and updating) computer account
attributes
-- get_user_principal: Obtaining Principal for the executing user
-- generate_new_password: Generating a new, random password for the
computer account
-- try_set_password: krb5_get_init_creds_keytab failed (No such file or
directory)
-- try_set_password: Attempting to reset computer's password
-- ldap_check_account: Checking that a computer account for squid-http$
exists
-- ldap_check_account: Checking computer account found
-- ldap_check_account_strings: Inspecting (and updating) computer account
attributes
-- get_user_principal: Obtaining Principal for the executing user
-- generate_new_password: Generating a new, random password for the
computer account
-- ldap_get_pwdLastSet: pwdLastSet is 0
-- ldap_get_pwdLastSet: pwdLastSet is 129158200838811250
-- try_set_password: Successfully reset computer's password
-- update_keytab: Updating all entires for squidLhrTest
-- ldap_list_principals: Listing principals for LDAP entry
-- ldap_list_principals: Found Principal: HTTP/vdc.v.com.pk
-- ldap_add_principal: Checking that adding principal HTTP/vdc.v.com.pk to
squidLhrTest won't cause a conflict
-- ldap_add_principal: Adding principal HTTP/vdc.v.com.pk to LDAP entry
-- add_principal: Adding principal to keytab: HTTP/vdc.v.com.pk
-- ldap_get_kvno: KVNO is 2
-- ldap_get_des_bit: Determined DES-only flag is 0
-- add_principal: Using salt of V.COM.PKhostsquid-http.v.com.pk
-- add_principal: Adding entry of enctype 0x1
-- add_principal: Using salt of V.COM.PKhostsquid-http.v.com.pk
-- add_principal: Adding entry of enctype 0x3
-- add_principal: Using salt of V.COM.PKHTTPvdc.v.com.pk
-- add_principal: Adding entry of enctype 0x17
-- krb5_cleanup: Destroying Kerberos Context
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure
[r...@squidlhrtest msktutil-0.3.16]#


I assigned the proper permissions to the keytab file that I have created.
chown proxy /etc/squid/HTTP.keytab
chmod 400 /etc/squid/HTTP.keytab


Step 4:
I changed my squid.conf to include the following lines.

My squid.conf file lines:
------------------------------------------squid.conf---------------------------------------------------------------------
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
#http_access allow all
acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth
http_access deny all


I ran these commands from the shell as well:

KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME
KRB5RCACHETYPE=none
export KRB5RCACHETYPE

Squid started with no errors at all. However, when I tried to use the internet from my Domain Controller itself, it only popped up windows, never being able to get through......
------------------------------------------Access.log-------------------------------------------------------------------
1271402564.794 0 10.1.82.51 TCP_DENIED/407 2352 GET http://www.yahoo.com/ - NONE/- text/html
1271402586.850 0 10.1.82.51 TCP_DENIED/407 2352 GET http://www.yahoo.com/ - NONE/- text/html
1271402601.448 0 10.1.82.51 TCP_DENIED/407 2352 GET http://www.yahoo.com/ - NONE/- text/html
1271402602.093 0 10.1.82.51 TCP_DENIED/407 2352 GET http://www.yahoo.com/ - NONE/- text/html


Thanks for the support given earlier and in advance.

regards,

Bilal Aslam