[squid-users] Re: squid_kerb_auth: Unspecified GSS failure (W2K8)

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sun, 3 Nov 2013 17:57:03 -0000

Hi Mihail,

   I use mostly msktutil and not the samba tools. So I don't know what extra
rights you might need for samba. I give myself write access to a separate
OU to manage Unix service principals with msktutil.

Regards
Markus

"Mihail Lukin" wrote in message
news:CAAmm_rZyAg2WA7rOkK43G14Ot6w1PNkm=1fYPfW_N-H1jGZR6A_at_mail.gmail.com...

I've just noticed that there is also LDAP modify request in captured
traffic that is trying to set servicePrincipalName attribute and ends
up with insufficientAccessRights result! I will ask for additional
privileges from our domain admin and see if it solves the issue.

On Sun, Nov 3, 2013 at 9:36 AM, Mihail Lukin <mihail.lukin_at_gmail.com> wrote:
> I wonder why `net ads keytab add HTTP` doesn't change the keytab. The
> output of this command is:
>
> <pre>Warning: "kerberos method" must be set to a keytab method to use
> keytab functions.
> Processing principals to add...</pre>
>
> and exit code is 0, so there is no sign of an error.
> I sniffed network traffic while running this command and found that
> there was an LDAP search query and the result contained this
> computer's entry which has servicePrincipalName with 4 values and
> HTTP/squidsrv.my.doma.in is there.
>
> Unfortunately, this service principal didn't appear in keytab.
>
>
> On Sun, Nov 3, 2013 at 4:20 AM, Markus Moeller <huaraz_at_moeller.plus.com>
> wrote:
>> Exactly you need the HTTP service principal in the keytab.
>>
>> Regards
>> Markus
>>
>>
>> "Mihail Lukin" wrote in message
>> news:CAAmm_rYG0GiLjvaT50eeFL4JTzU9Ux0k01CvDCXH7D5H2C=0uQ_at_mail.gmail.com...
>>
>>
>> Thanks for the tip!
>>
>> Here is what it shows:
>> Server Name (Service and Instance): HTTP/squidsrv.my.doma.in
>>
>> So, it is the right protocol and host name. But I do not see exact
>> much in keytab. I'm not sure if it is the issue. I created keytab
>> exactly as was shown here:
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab
>> (samba version, not msktutil).
>>
>>
>> On Sun, Nov 3, 2013 at 1:29 AM, Markus Moeller <huaraz_at_moeller.plus.com>
>> wrote:
>>>
>>> Hi Mihail,
>>>
>>> If you use wireshark you can expand the details of:
>>>
>>> Proxy-Authorization: Negotiate YIIHoAYGKwYBB...
>>>
>>> It will tell you which service principal the client is sending to the
>>> server ? I wonder if the name matches the names in your keytab.
>>>
>>>
>>> Markus
>>>
>>> -----Original Message----- From: Mihail Lukin
>>> Sent: Saturday, November 02, 2013 9:15 PM
>>> To: Markus Moeller
>>> Cc: squid-users
>>> Subject: Re: [squid-users] Re: squid_kerb_auth: Unspecified GSS failure
>>> (W2K8)
>>>
>>>
>>> Hi, Markus!
>>>
>>> 1) Here is the output:
>>> Keytab name: FILE:/etc/squid/HTTP.keytab
>>> KVNO Timestamp Principal
>>> ---- -----------------
>>> --------------------------------------------------------
>>> 2 10/30/13 14:14:09 host/squidsrv.my.doma.in_at_MY.DOMA.IN (des-cbc-crc)
>>> 2 10/30/13 14:14:09 host/squidsrv.my.doma.in_at_MY.DOMA.IN (des-cbc-md5)
>>> 2 10/30/13 14:14:09 host/squidsrv.my.doma.in_at_MY.DOMA.IN (arcfour-hmac)
>>> 2 10/30/13 14:14:09 host/squidsrv.my.doma.in_at_MY.DOMA.IN
>>> (aes128-cts-hmac-sha1-96)
>>> 2 10/30/13 14:14:09 host/squidsrv.my.doma.in_at_MY.DOMA.IN
>>> (aes256-cts-hmac-sha1-96)
>>> 2 10/30/13 14:14:09 host/squidsrv_at_MY.DOMA.IN (des-cbc-crc)
>>> 2 10/30/13 14:14:09 host/squidsrv_at_MY.DOMA.IN (des-cbc-md5)
>>> 2 10/30/13 14:14:09 host/squidsrv_at_MY.DOMA.IN (arcfour-hmac)
>>> 2 10/30/13 14:14:09 host/squidsrv_at_MY.DOMA.IN (aes128-cts-hmac-sha1-96)
>>> 2 10/30/13 14:14:09 host/squidsrv_at_MY.DOMA.IN (aes256-cts-hmac-sha1-96)
>>> 2 10/30/13 14:14:09 SQUIDSRV$@MY.DOMA.IN (des-cbc-crc)
>>> 2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (des-cbc-md5)
>>> 2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (arcfour-hmac)
>>> 2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes128-cts-hmac-sha1-96)
>>> 2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes256-cts-hmac-sha1-96)
>>>
>>> 2) I see request header "Proxy-Authorization: Negotiate
>>> YIIHoAYGKwYBB..."
>>> 3) It worth to mention that using ntlm_auth instead of squid_kerb_auth
>>> works fine on this server.
>>>
>>>
>>> On Fri, Nov 1, 2013 at 1:45 AM, Markus Moeller <huaraz_at_moeller.plus.com>
>>> wrote:
>>>>
>>>>
>>>> Hi Mihail,
>>>>
>>>> What does a klist -ekt <keytab> show ? ( I assume you use MIT
>>>> Kerberos
>>>> on
>>>> the squid server)
>>>>
>>>> What do you see with wireshark in the authentication header send to
>>>> squid
>>>> ?
>>>>
>>>> Markus
>>>>
>>>> "Mihail Lukin" wrote in message
>>>>
>>>> news:CAAmm_rZHZ8m1VbYF5mVW-ZbQYvOQhW0Nmf4saOp8GsY5x9KVJQ_at_mail.gmail.com...
>>>>
>>>>
>>>> I don't know why access-time is not being updated, but strace has
>>>> shown that keytab is being read successfully by squid_kerb_auth
>>>> process.
>>>>
>>>> On Thu, Oct 31, 2013 at 8:15 AM, Mihail Lukin <mihail.lukin_at_gmail.com>
>>>> wrote:
>>>>>
>>>>>
>>>>>
>>>>> Hello, Markus!
>>>>>
>>>>> Sorry for not mentioning it at once, KRB5_KTNAME is being exported in
>>>>> /etc/sysconfig/squid and is readable by squid group. But there is
>>>>> still something wrong with it: keytab's access time is not changed
>>>>> neither when I restart squid not when I request an URL through the
>>>>> proxy.
>>>>>
>>>>> I think I should strace squid_kerb_auth to see what happens. Thanks
>>>>> for the hint!
>>>>>
>>>>> On Thu, Oct 31, 2013 at 12:53 AM, Markus Moeller
>>>>> <huaraz_at_moeller.plus.com> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hi Mihail,
>>>>>>
>>>>>> Did you use export KRB5_KTNAME to point to the right keytab ? Is
>>>>>> the
>>>>>> keytab readable by the user under which squid runs ?
>>>>>>
>>>>>> Markus
>>>>>>
>>>>>> "Mihail Lukin" wrote in message
>>>>>>
>>>>>>
>>>>>>
>>>>>> news:CAAmm_rZ8jNoeFMRGthiYeHQ+GgSfmySFnw8708dwdDVUW3=R_g_at_mail.gmail.com...
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I'm trying to configure Squid 3.1 to authenticate through AD with
>>>>>> W2K8
>>>>>> DC with Kerberos. I used this how-to:
>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos on
>>>>>> CentOS 6 box that I've joined to domain with `net ads join`.
>>>>>>
>>>>>> Now I'm getting the error in cache.log when I'm trying to visit any
>>>>>> URL through this proxy:
>>>>>>
>>>>>> 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Got 'YR base64 encoded
>>>>>> data' from squid (length: 2295).
>>>>>> 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Decode 'base64 encoded
>>>>>> data' (decoded length: 1717).
>>>>>> 2013/10/30 17:07:41| squid_kerb_auth: ERROR: gss_acquire_cred()
>>>>>> failed: Unspecified GSS failure. Minor code may provide more
>>>>>> information.
>>>>>> 2013/10/30 17:07:41| authenticateNegotiateHandleReply: Error
>>>>>> validating user via Negotiate. Error returned 'BH gss_acquire_cred()
>>>>>> failed: Unspecified GSS failure. Minor code may provide more
>>>>>> information. '
>>>>>>
>>>>>> I could not figure out what the "minor code" is... I googled a lot
>>>>>> with
>>>>>> no
>>>>>> luck.
>>>>>> Any help is very appreciated. Thanks in advance!
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> � ���������,
>>>>> ������ �����
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> � ���������,
>>>> ������ �����
>>>>
>>>
>>>
>>
>>
Received on Sun Nov 03 2013 - 18:07:31 MST

This archive was generated by hypermail 2.2.0 : Mon Nov 04 2013 - 12:00:08 MST