How can I inspect why Active Directory can't use kerberos and fallsback to NTLM?

4

I have been trying to get squid running with kerberos auth for a few days but I'm in some trouble. The problem has been asked and replied many times on both the squid-users list and on the web, I have read them all, and tried to solve the problem. But still no luck.

I'm not sure why client tries to authorize with NTLM instead of Kerberos, and I would really appreciate if you explain me how to inspect the reason, and how to fix the problem.

Here is some of my log files and tests. (config files are prepared as exactly as with the wiki; http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos)

--> tail -f cache.log
2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid
(length: 59).
2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded
length: 40).
2012/01/11 11:54:06| squid_kerb_auth: WARNING: received type 1 NTLM token
2012/01/11 11:54:06| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH received type 1 NTLM
token'

--> tail -f access.log
192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET
http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE
192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET
http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE

I have tested kerberos on the server side with;

--> klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@LABRISTEST.COM

--> kinit -V -k -t /opt/labris/etc/labris-webcache/HTTP.keytab
HTTP/test2008.labristest.com
Authenticated to Kerberos v5

I have captured the packets with wireshark as suggested some of the earlier solutions, it looks like client still tries to authenticate with NTLM while we want to use kerberos.

Here is the some of the parts of wireshark log; (if needed, you can get the full log from here: http://pastebin.com/btp9PzYu )

client to server;
Hypertext Transfer Protocol
    GET http://www.google.com.tr/ HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET http://www.google.com.tr/
HTTP/1.1\r\n]
        Request Method: GET
        Request URI: http://www.google.com.tr/
        Request Version: HTTP/1.1
    Host: www.google.com.tr\r\n
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101
Firefox/8.0\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
    Accept-Language: tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
    Accept-Encoding: gzip, deflate\r\n
    Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7\r\n
    Proxy-Connection: keep-alive\r\n


server reply;
Hypertext Transfer Protocol
    HTTP/1.0 407 Proxy Authentication Required\r\n
        [Expert Info (Chat/Sequence): HTTP/1.0 407 Proxy
Authentication Required\r\n]
        Request Version: HTTP/1.0
        Status Code: 407
        Response Phrase: Proxy Authentication Required
    Server: squid/3.1.12\r\n
    Mime-Version: 1.0\r\n
    Date: Wed, 11 Jan 2012 11:28:01 GMT\r\n
    Content-Type: text/html\r\n
    Content-Length: 1152\r\n
    X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
    Proxy-Authenticate: Negotiate\r\n
    X-Cache: MISS from labris-1\r\n
    X-Cache-Lookup: NONE from labris-1:3128\r\n
    Via: 1.0 labris-1 (squid/3.1.12)\r\n
    Connection: keep-alive\r\n
    \r\n


client tries authentication;
Hypertext Transfer Protocol
    GET http://www.google.com.tr/ HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET http://www.google.com.tr/
HTTP/1.1\r\n]
        Request Method: GET
        Request URI: http://www.google.com.tr/
        Request Version: HTTP/1.1
    Host: www.google.com.tr\r\n
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101
Firefox/8.0\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
    Accept-Language: tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
    Accept-Encoding: gzip, deflate\r\n
    Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7\r\n
    Proxy-Connection: keep-alive\r\n
    Proxy-Authorization: Negotiate
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==\r\n
        NTLM Secure Service Provider
            NTLMSSP identifier: NTLMSSP
            NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
            Flags: 0xe2088297
            Calling workstation domain: NULL
            Calling workstation name: NULL
            Version 6.1 (Build 7601); NTLM Current Revision 15
                Major Version: 6
                Minor Version: 1
                Build Number: 7601
                NTLM Current Revision: 15

Please see me as a newbie, I'd really appreciate a detailed solution to get squid working with kerberos.

Thanks in advance.

active-directory
squid
kerberos
ntlm
asked on Server Fault Jan 11, 2012 by Muhammet Can • edited Jan 11, 2012 by nedm

1 Answer

1

Since you are using Firefox, did you configure Firefox to allow negotiation using kerberos for the proxy in question? Firefox does not do that by default. You will have to add your proxy to network.negotiate-auth.trusted-uris in about:config. If you have multiple proxies you can enter a comma-separated list like this "proxy01.example.com, proxy02.example.com[,...]".

answered on Server Fault Jan 11, 2012 by lsmooth

User contributions licensed under CC BY-SA 3.0