Error authenticating squid with Active Directory and Kerberos


Solution 1

The 'negotiate_kerberos_auth: WARNING: received type 1 NTLM token' message in the log means your browser supplied a Negotiate/NTLM token instead of the Negotiate/Kerberos token that your negotiate_kerberos_auth is able to handle.

You will need to have an NTLM authenticator for the Negotiate authentication scheme configured too. One way is to install and configure Samba as indicated at http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory#NTLM or use the redirection of NTLM credentials to an LDAP server as indicated at http://docs.diladele.com/administrator_guide_4_6/active_directory/install_prerequisites_for_ntlm_authentication.html

If your machine is within the domain and the user is a domain user, then most probably you have configured your proxy as an IP address, and Kerberos requires the proxy to be set as an FQDN in the browser. For troubleshooting steps see http://docs.diladele.com/administrator_guide_4_6/active_directory/troubleshooting.html.
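The diagnosis in this answer can be confirmed from the token itself: the base64 blob that follows `Negotiate` in the cache.log lines begins with `TlRMTVNTUAAB`, which decodes to the `NTLMSSP\0` signature followed by message type 1, whereas a Kerberos/SPNEGO token begins with a GSS-API `0x60` wrapper and a mechanism OID. The Python script below is an added example, not code from this answer or from Squid: it classifies a Negotiate token and scans cache.log lines for such tokens. The SPNEGO sample token and the third log line are constructed for the demonstration, and the OID search is a triage heuristic rather than a full ASN.1 parser.

```python
import base64
import re
import struct

# Token copied verbatim from the cache.log excerpt in the question on this page.
LOGGED_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=="

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE (type 1)", 2: "CHALLENGE (type 2)", 3: "AUTHENTICATE (type 3)"}

# DER-encoded OIDs: 1.3.6.1.5.5.2 (SPNEGO) and 1.2.840.113554.1.2.2 (Kerberos V5)
SPNEGO_OID = bytes.fromhex("06062b0601050502")
KRB5_OID = bytes.fromhex("06092a864886f712010202")

# Constructed minimal SPNEGO NegTokenInit offering only the Kerberos mechanism:
# GSS-API InitialContextToken (0x60, length, SPNEGO OID) around [0] NegTokenInit{mechTypes}.
SAMPLE_SPNEGO_TOKEN = base64.b64encode(
    b"\x60\x1b" + SPNEGO_OID + b"\xa0\x11\x30\x0f\xa0\x0d\x30\x0b" + KRB5_OID
).decode()


def classify_negotiate_token(b64_token: str) -> dict:
    """Return {'mechanism': ..., 'detail': ...} for one Negotiate header value."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(NTLMSSP_SIGNATURE):
        # NTLMSSP layout: 8-byte signature, then little-endian uint32 MessageType
        if len(raw) < 12:
            return {"mechanism": "NTLMSSP", "detail": "truncated NTLM message"}
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return {"mechanism": "NTLMSSP",
                "detail": NTLM_MESSAGE_TYPES.get(msg_type, f"unknown type {msg_type}")}
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken wrapper ([APPLICATION 0])
        head = raw[:32]  # the mechanism OID sits right after the tag and length
        if SPNEGO_OID in head:
            inner = "Kerberos" if KRB5_OID in raw else "no Kerberos mech offered"
            return {"mechanism": "SPNEGO", "detail": inner}
        if KRB5_OID in head:
            return {"mechanism": "Kerberos", "detail": "raw krb5 GSS-API token"}
    return {"mechanism": "unknown", "detail": "neither NTLMSSP nor a GSS-API token"}


# Matches the base64 blob Squid logs after "Negotiate "; the minimum length skips
# ordinary words such as "Negotiate auth server" that also follow that word.
TOKEN_RE = re.compile(r"Negotiate ([A-Za-z0-9+/]{16,}=*)")


def scan_cache_log(lines) -> list:
    """Classify every Negotiate token found in an iterable of cache.log lines."""
    findings = []
    for line in lines:
        m = TOKEN_RE.search(line)
        if not m:
            continue
        try:
            info = classify_negotiate_token(m.group(1))
        except ValueError:  # binascii.Error is a ValueError: undecodable blob
            info = {"mechanism": "unknown", "detail": "undecodable base64"}
        findings.append((info["mechanism"], info["detail"]))
    return findings


# First two lines copied from the question's cache.log; the third is constructed
# and carries the sample SPNEGO token so both branches are exercised.
SAMPLE_LOG = [
    "2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(328) authenticate: header Negotiate "
    + LOGGED_TOKEN + ".",
    "2016/07/28 10:26:01.626 kid1| 29,6| UserRequest.cc(175) releaseAuthServer: "
    "releasing Negotiate auth server '0x2860438'",
    "2016/07/28 10:27:00.000 kid1| 29,9| UserRequest.cc(328) authenticate: header Negotiate "
    + SAMPLE_SPNEGO_TOKEN + ".",
]

if __name__ == "__main__":
    for mech, detail in scan_cache_log(SAMPLE_LOG):
        print(f"{mech}: {detail}")
```

Run it against a real log with `scan_cache_log(open("/var/log/squid/cache.log"))` (debug_options 29,9 as in the question). Every `NTLMSSP` result is a client that fell back from Kerberos to NTLM, which the Kerberos-only helper answers with `BH`; the remedy is either the NTLM helper described in this answer or fixing the Kerberos side (proxy reached by FQDN, matching SPN in the keytab).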

Solution 2

Well, finally, thanks to @Rafael, I've found the solution:

Replace:

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d  -s HTTP/[email protected]

by:

auth_param negotiate program /usr/lib64/squid/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE --kerberos /usr/lib64/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

Also, I've started the smb and winbind services.



Author: sebelk

Updated on September 18, 2022

Comments

  • sebelk
    sebelk over 1 year

    I'm trying to integrate squid 3.5.19 with AD/Kerberos (Windows 2008 R2), but I always get TCP_DENIED:HIER_NONE.

    These are the errors in /var/log/squid/cache.log:

    2016/07/28 10:26:01.583 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
    2016/07/28 10:26:01.584 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
    2016/07/28 10:26:01.584 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
    2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(328) authenticate: header Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.
    2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(332) authenticate: This is a new checklist test on:local=192.168.50.22:3128 remote=192.168.50.47:56015 FD 16 flags=1
    2016/07/28 10:26:01.625 kid1| 29,4| UserRequest.cc(350) authenticate: No connection authentication type
    2016/07/28 10:26:01.625 kid1| 29,9| Config.cc(36) CreateAuthUser: header = 'Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='
    2016/07/28 10:26:01.625 kid1| 29,5| User.cc(39) User: Initialised auth_user '0x2857400'.
    2016/07/28 10:26:01.625 kid1| 29,5| UserRequest.cc(95) UserRequest: initialised request 0x28576b0
    2016/07/28 10:26:01.625 kid1| 29,9| Config.cc(267) decode: decode Negotiate authentication
    2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
    2016/07/28 10:26:01.625 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
    2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
    2016/07/28 10:26:01.625 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
    2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.
    2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(225) authenticate: auth state negotiate none. Received blob: 'Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='
    2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
    2016/07/28 10:26:01.625 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
    2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.
    2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
    2016/07/28 10:26:01.625 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
    2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(46) start: 0x28576b0
    2016/07/28 10:26:01.625 kid1| 29,8| UserRequest.cc(134) startHelperLookup: credentials state is '2'
    negotiate_kerberos_auth.cc(610): pid=11509 :2016/07/28 10:26:01| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' from squid (length: 59).
    negotiate_kerberos_auth.cc(663): pid=11509 :2016/07/28 10:26:01| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' (decoded length: 40).
    negotiate_kerberos_auth.cc(673): pid=11509 :2016/07/28 10:26:01| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
    2016/07/28 10:26:01.626 kid1| 29,8| UserRequest.cc(266) HandleReply: helper: '0x2860438/0x2860438' sent us reply={result=BH, notes={message: received type 1 NTLM token; }}
    2016/07/28 10:26:01.626 kid1| 29,6| UserRequest.cc(175) releaseAuthServer: releasing Negotiate auth server '0x2860438'
    2016/07/28 10:26:01.626 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
    2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
    2016/07/28 10:26:01.626 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
    2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
    2016/07/28 10:26:01.626 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
    2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.
    2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(328) authenticate: header Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.
    2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
    2016/07/28 10:26:01.626 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
    2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.
    2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(256) authenticate: auth state negotiate failed. Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==
    2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
    2016/07/28 10:26:01.626 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
    2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.
    2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
    2016/07/28 10:26:01.626 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
    2016/07/28 10:26:01.732 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
    2016/07/28 10:26:01.732 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
    2016/07/28 10:26:01.913 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
    2016/07/28 10:26:01.913 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
    2016/07/28 10:26:01.956 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
    2016/07/28 10:26:01.956 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
    2016/07/28 10:26:01.980 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
    2016/07/28 10:26:01.980 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
    2016/07/28 10:26:01.993 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
    2016/07/28 10:26:01.993 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
    2016/07/28 10:26:02.004 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
    2016/07/28 10:26:02.004 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
    2016/07/28 10:26:09.555 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
    2016/07/28 10:26:09.556 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
    2016/07/28 10:26:09.556 kid1| 29,5| UserRequest.cc(101) ~UserRequest: freeing request 0x28576b0
    2016/07/28 10:26:09.556 kid1| 29,5| User.cc(21) ~User: doing nothing to clear Negotiate scheme data for '0x2857400'
    2016/07/28 10:26:09.556 kid1| 29,5| User.cc(127) ~User: Freeing auth_user '0x2857400'.
    2016/07/28 10:26:09.559 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
    2016/07/28 10:26:09.559 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
    2016/07/28 10:26:09.559 kid1| 29,5| UserRequest.cc(101) ~UserRequest: freeing request 0x286f4d0
    2016/07/28 10:26:09.559 kid1| 29,5| User.cc(21) ~User: doing nothing to clear Negotiate scheme data for '0x286f2a0'
    2016/07/28 10:26:09.559 kid1| 29,5| User.cc(127) ~User: Freeing auth_user '0x286f2a0'.
    2016/07/28 10:26:09.563 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
    2016/07/28 10:26:09.563 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
    2016/07/28 10:26:09.563 kid1| 29,5| UserRequest.cc(101) ~UserRequest: freeing request 0x2857ab0
    2016/07/28 10:26:09.563 kid1| 29,5| User.cc(21) ~User: doing nothing to clear Negotiate scheme data for '0x241e990'
    2016/07/28 10:26:09.563 kid1| 29,5| User.cc(127) ~User: Freeing auth_user '0x241e990'.
    

    I've created the keytab on Windows using ktpass:

    ktpass /princ host/[email protected] /mapuser [email protected] /crypto rc4-hmac-nt /pass * /ptype KRB5_NT_PRINCIPAL /out C:\Soporte\winkrb5.keytab

    and then copied it to squid, and I see the following:

    klist -kt /etc/squid/HTTP.keytab
    Keytab name: FILE:/etc/squid/HTTP.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       3 12/31/1969 21:00:00 HTTP/[email protected]
    

    I wonder if the wrong timestamp has something to do with the problem.

    The Kerberos and relevant squid config files are as follows:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     dns_lookup_realm = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     default_realm = EXAMPLE.LOCAL
     default_ccache_name = KEYRING:persistent:%{uid}

    ; for Windows 2008 with AES
     default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
     default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
     permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    

    squid.conf:

    auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d  -s HTTP/[email protected]
    auth_param negotiate children 10
    auth_param negotiate keep_alive on
    acl kerb_auth proxy_auth REQUIRED
    

    Is the keytab timestamp the cause of the errors? Am I doing something wrong?
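On the keytab timestamp raised in the question: `12/31/1969 21:00:00` is what a timestamp field of 0 looks like when klist renders it in a UTC-3 zone, so the entry simply carries no creation time, and libkrb5 selects keys by principal, kvno and enctype, not by that field. The Python script below is an added example, not code from the question or from MIT Kerberos: it builds a small MIT-format (version 0x0502) keytab in memory, parses it back, renders each entry the way `klist -kt` does, and flags RC4/DES entries such as the `rc4-hmac-nt` key the ktpass command above produces. The principal `HTTP/proxy.example.local@EXAMPLE.LOCAL`, the UTC-3 display zone and the all-zero key bytes are constructed placeholders.

```python
import struct
from datetime import datetime, timedelta, timezone

KEYTAB_VERSION = b"\x05\x02"  # MIT keytab format version 2 (what ktpass and kadmin write)
KRB5_NT_PRINCIPAL = 1

# Kerberos enctype numbers (RFC 3961 / RFC 4757); RC4 and single DES are the weak ones.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}


def _counted(buf: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(buf)) + buf


def _read_counted(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries) -> bytes:
    """Serialise (realm, components, name_type, timestamp, kvno, enctype, key) tuples."""
    out = bytearray(KEYTAB_VERSION)
    for realm, components, name_type, timestamp, kvno, enctype, key in entries:
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # trailing 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body  # signed entry-length prefix
    return bytes(out)


def parse_keytab(data: bytes) -> list:
    """Parse version-2 keytab bytes into a list of entry dicts."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version {data[:2]!r}")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a negative size marks a deleted slot of that many bytes
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _read_counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_counted(entry, p)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", entry, p)
        key, p = _read_counted(entry, p + 2)
        # The 32-bit kvno is present only when bytes remain after the key block.
        kvno = struct.unpack_from(">I", entry, p)[0] if p + 4 <= size else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
                        "enctype": enctype, "key": key})
    return entries


def audit_keytab(data: bytes, display_tz=timezone(timedelta(hours=-3))) -> list:
    """Render entries the way klist -kt would and attach review notes."""
    report = []
    for e in parse_keytab(data):
        etype = ENCTYPE_NAMES.get(e["enctype"], f"etype {e['enctype']}")
        shown = datetime.fromtimestamp(e["timestamp"], display_tz).strftime("%m/%d/%Y %H:%M:%S")
        notes = []
        if e["timestamp"] == 0:
            notes.append("timestamp is 0: the tool recorded no creation time (display only)")
        if e["enctype"] in WEAK_ENCTYPES:
            notes.append(f"weak enctype {etype}: prefer an AES entry")
        report.append({"principal": e["principal"], "kvno": e["kvno"],
                       "timestamp_shown": shown, "enctype": etype, "notes": notes})
    return report


# Constructed sample: one rc4-hmac entry with kvno 3 and timestamp 0, mirroring the
# klist output in the question; hostname and key bytes are placeholders.
SAMPLE_KEYTAB = build_keytab([
    ("EXAMPLE.LOCAL", ["HTTP", "proxy.example.local"], KRB5_NT_PRINCIPAL, 0, 3, 23, bytes(16)),
])

if __name__ == "__main__":
    for row in audit_keytab(SAMPLE_KEYTAB):
        print(row)
```

To audit a real file, call `audit_keytab(open("/etc/squid/HTTP.keytab", "rb").read())` with the host's own zone as `display_tz`; the useful checks are that the principal is `HTTP/<proxy FQDN>` in the realm the browser will ask for, that the kvno matches the account's current one in AD, and that an AES entry exists alongside or instead of the RC4 one.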

    • Admin
      Admin almost 8 years
      What about the browser? Does it support Kerberos auth and is it configured to do so?
    • Admin
      Admin almost 8 years
      I tested with Internet Explorer; AFAIK it theoretically supports it out of the box. Also with Firefox, with network.negotiate-auth.trusted-uris set to .example.local. Neither of them works.
  • sebelk
    sebelk almost 8 years
    I log in from Windows 7, joined to the domain. I'd want to use Kerberos. I've tried with both Internet Explorer and Firefox with the proxy set as an FQDN.
  • sebelk
    sebelk almost 8 years
    Is it mandatory to use an NTLM authenticator too, besides Kerberos?
  • Grigory Sergeev
    Grigory Sergeev almost 8 years
    Why not mark Rafael's answer as such then? :)