[prev in list] [next in list] [prev in thread] [next in thread]
List: squid-users
Subject: Re: [squid-users] Authenticacion with Active Directory fails
From: Sergio Belkin <sebelk () gmail ! com>
Date: 2016-07-19 18:38:42
Message-ID: CABZC=5zDbJ4dhcJ0p4xP0pzuUW1-47-tx7a5ZszHkos4Wujzag () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
2016-07-15 12:11 GMT-03:00 Sergio Belkin <sebelk@gmail.com>:
>
> 2016-07-15 6:31 GMT-03:00 Amos Jeffries <squid3@treenet.co.nz>:
>
>> On 15/07/2016 4:07 a.m., Sergio Belkin wrote:
>> > Hi,
>> >
>> > Using squid squid-3.5.19-1.el7.centos.x86_64,
>> >
>> > I obtain a kerberos ticket but I get the following when trying to use
>> the
>> > proxy:
>> >
>> > 2016/07/14 12:57:03.711 kid1| 29,4| UserRequest.cc(290) authenticate: No
>> > Proxy-Auth header and no working alternative. Requesting auth header.
>> > 2016/07/14 12:57:03.712 kid1| 29,9| UserRequest.cc(487)
>> addReplyAuthHeader:
>> > headertype:46 authuser:NULL
>> > 2016/07/14 12:57:03.712 kid1| 29,9| Config.cc(188) fixHeader: Sending
>> > type:46 header: 'Negotiate'
>> > 2016/07/14 12:57:04.159 kid1| 29,4| UserRequest.cc(290) authenticate: No
>> > Proxy-Auth header and no working alternative. Requesting auth header.
>> > 2016/07/14 12:57:04.159 kid1| 29,9| UserRequest.cc(487)
>> addReplyAuthHeader:
>> > headertype:46 authuser:NULL
>> > 2016/07/14 12:57:04.159 kid1| 29,9| Config.cc(188) fixHeader: Sending
>> > type:46 header: 'Negotiate'
>> >
>>
>> That looks like a debug log of Negotiate/Kerberos authentication
>> beginning on two connections.
>>
>> A good secure client does not send credentials until it needs to. Squdi
>> has received a request that it needs to authenticate, but does not yet
>> have credentiasl. So it responds with a 407 or 401 message requesting
>> the client send them using "Negotiate" auth protocol.
>> No problem visible.
>>
>>
>> <snip>
>>
>> > Please could you help me? Am I doing something wrong?
>>
>> Perhapse if you described what your problem was ?
>>
>
>
> Amos, thanks, for your clarification, I get as follows:
>
> "Sorry, you are not currently allowed to request http://www.lxer.com/
> from this cache until you have authenticated yourself"
>
> ( trying to use from a Linux client:)
>
> (And in fact I've RTFM :-) )
>
> tail /var/log/squid/access.log
>
> 192.168.50.37 - - [15/Jul/2016:12:01:05 -0300] "GET http://www.lxer.com/
> HTTP/1.1" 407 4064 "-" "curl/7.43.0" TCP_DENIED:HIER_NONE
>
> I have a kerberos ticket:
>
> klist
> Ticket cache: KEYRING:persistent:16777216:16777216
> Default principal: john.doe@EXAMPLE.LOCAL
>
> Valid starting Expires Service principal
> 15/07/16 12:00:31 15/07/16 22:00:31 krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
> renew until 22/07/16 12:00:31
>
>
> End of output
>
> I don't know what I'm doing wrong.
>
> Thanks in advance!
>
>
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
>
> --
> -
>
Please any ideas?
squid is on Centos 7.2
AD is Windows 2008 R2 Standard
Below more details from cache.log when trying to access from a Windows
machine:
2016/07/15 19:53:47.334 kid1| 29,4| UserRequest.cc(290) authenticate: No
Proxy-Auth header and no working alternative. Requesting auth header.
2016/07/15 19:53:47.347 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader:
headertype:46 authuser:NULL
2016/07/15 19:53:47.347 kid1| 29,9| Config.cc(188) fixHeader: Sending
type:46 header: 'Negotiate'
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(328) authenticate:
header Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(332) authenticate: This
is a new checklist test on:local=192.168.50.22:3128 remote=
192.168.50.47:61011 FD 12 flags=1
2016/07/15 19:53:47.447 kid1| 29,4| UserRequest.cc(350) authenticate: No
connection authentication type
2016/07/15 19:53:47.447 kid1| 29,9| Config.cc(36) CreateAuthUser: header =
'Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='
2016/07/15 19:53:47.447 kid1| 29,5| User.cc(39) User: Initialised auth_user
'0x2cf1e00'.
2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(95) UserRequest:
initialised request 0x30c4be0
2016/07/15 19:53:47.447 kid1| 29,9| Config.cc(267) decode: decode Negotiate
authentication
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: Validated.
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: Validated.
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(63) authenticated: user
not fully authenticated.
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(225) authenticate: auth
state negotiate none. Received blob: 'Negotiate
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: Validated.
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(63) authenticated: user
not fully authenticated.
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: Validated.
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(46) start: 0x30c4be0
2016/07/15 19:53:47.447 kid1| 29,8| UserRequest.cc(134) startHelperLookup:
credentials state is '2'
negotiate_kerberos_auth.cc(610): pid=5236 :2016/07/15 19:53:47|
negotiate_kerberos_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' from squid
(length: 59).
negotiate_kerberos_auth.cc(663): pid=5236 :2016/07/15 19:53:47|
negotiate_kerberos_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' (decoded length:
40).
negotiate_kerberos_auth.cc(673): pid=5236 :2016/07/15 19:53:47|
negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2016/07/15 19:53:47.447 kid1| 29,8| UserRequest.cc(266) HandleReply:
helper: '0x30c5698/0x30c5698' sent us reply={result=BH, notes={message:
received type 1 NTLM token; }}
2016/07/15 19:53:47.447 kid1| 29,6| UserRequest.cc(175) releaseAuthServer:
releasing Negotiate auth server '0x30c5698'
2016/07/15 19:53:47.447 kid1| ERROR: Negotiate Authentication validating
user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: Validated.
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: Validated.
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(63) authenticated: user
not fully authenticated.
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(328) authenticate:
header Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: Validated.
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(63) authenticated: user
not fully authenticated.
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(256) authenticate: auth
state negotiate failed. Negotiate
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: Validated.
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(63) authenticated: user
not fully authenticated.
2016/07/15 19:53:47.448 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader:
headertype:46 authuser:NULL
2016/07/15 19:53:47.448 kid1| 29,9| Config.cc(188) fixHeader: Sending
type:46 header: 'Negotiate'
2016/07/15 19:53:47.532 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader:
headertype:46 authuser:NULL
2016/07/15 19:53:47.532 kid1| 29,9| Config.cc(188) fixHeader: Sending
type:46 header: 'Negotiate'
2016/07/15 19:53:47.655 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader:
headertype:46 authuser:NULL
2016/07/15 19:53:47.655 kid1| 29,9| Config.cc(188) fixHeader: Sending
type:46 header: 'Negotiate'
2016/07/15 19:53:47.688 kid1| 29,4| UserRequest.cc(290) authenticate: No
Proxy-Auth header and no working alternative. Requesting auth header.
2016/07/15 19:53:47.688 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader:
headertype:46 authuser:NULL
2016/07/15 19:53:47.688 kid1| 29,9| Config.cc(188) fixHeader: Sending
type:46 header: 'Negotiate'
2016/07/15 19:53:47.698 kid1| 29,6| UserRequest.cc(179) releaseAuthServer:
No Negotiate auth server to release.
2016/07/15 19:53:47.698 kid1| 29,6| UserRequest.cc(179) releaseAuthServer:
No Negotiate auth server to release.
2016/07/15 19:53:47.698 kid1| 29,5| UserRequest.cc(101) ~UserRequest:
freeing request 0x30c4be0
2016/07/15 19:53:47.698 kid1| 29,5| User.cc(21) ~User: doing nothing to
clear Negotiate scheme data for '0x2cf1e00'
2016/07/15 19:53:47.698 kid1| 29,5| User.cc(127) ~User: Freeing auth_user
'0x2cf1e00'.
2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(328) authenticate:
header Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.
2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(332) authenticate: This
is a new checklist test on:local=192.168.50.22:3128 remote=
192.168.50.47:61012 FD 16 flags=1
2016/07/15 19:53:47.717 kid1| 29,4| UserRequest.cc(350) authenticate: No
connection authentication type
2016/07/15 19:53:47.717 kid1| 29,9| Config.cc(36) CreateAuthUser: header =
'Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='
2016/07/15 19:53:47.717 kid1| 29,5| User.cc(39) User: Initialised auth_user
'0x2cf1e00'.
2016/07/15 19:53:47.717 kid1| 29,5| UserRequest.cc(95) UserRequest:
initialised request 0x30c4be0
2016/07/15 19:53:47.717 kid1| 29,9| Config.cc(267) decode: decode Negotiate
authentication
2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(53) valid: Validating
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.717 kid1| 29,5| UserRequest.cc(73) valid: Validated.
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(53) valid: Validating
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.717 kid1| 29,5| UserRequest.cc(73) valid: Validated.
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(63) authenticated: user
not fully authenticated.
2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(225) authenticate: auth
state negotiate none. Received blob: 'Negotiate
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='
2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(53) valid: Validating
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.717 kid1| 29,5| UserRequest.cc(73) valid: Validated.
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(63) authenticated: user
not fully authenticated.
2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(53) valid: Validating
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.717 kid1| 29,5| UserRequest.cc(73) valid: Validated.
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(46) start: 0x30c4be0
2016/07/15 19:53:47.717 kid1| 29,8| UserRequest.cc(134) startHelperLookup:
credentials state is '2'
negotiate_kerberos_auth.cc(610): pid=5236 :2016/07/15 19:53:47|
negotiate_kerberos_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' from squid
(length: 59).
negotiate_kerberos_auth.cc(663): pid=5236 :2016/07/15 19:53:47|
negotiate_kerberos_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' (decoded length:
40).
negotiate_kerberos_auth.cc(673): pid=5236 :2016/07/15 19:53:47|
negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2016/07/15 19:53:47.717 kid1| 29,8| UserRequest.cc(266) HandleReply:
helper: '0x30c5698/0x30c5698' sent us reply={result=BH, notes={message:
received type 1 NTLM token; }}
2016/07/15 19:53:47.717 kid1| 29,6| UserRequest.cc(175) releaseAuthServer:
releasing Negotiate auth server '0x30c5698'
2016/07/15 19:53:47.717 kid1| ERROR: Negotiate Authentication validating
user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(53) valid: Validating
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.718 kid1| 29,5| UserRequest.cc(73) valid: Validated.
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(53) valid: Validating
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.718 kid1| 29,5| UserRequest.cc(73) valid: Validated.
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(63) authenticated: user
not fully authenticated.
2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(328) authenticate:
header Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.
2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(53) valid: Validating
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.718 kid1| 29,5| UserRequest.cc(73) valid: Validated.
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(63) authenticated: user
not fully authenticated.
2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(256) authenticate: auth
state negotiate failed. Negotiate
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==
2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(53) valid: Validating
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.718 kid1| 29,5| UserRequest.cc(73) valid: Validated.
Auth::UserRequest '0x30c4be0'.
2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(63) authenticated: user
not fully authenticated.
2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader:
headertype:46 authuser:NULL
2016/07/15 19:53:47.718 kid1| 29,9| Config.cc(188) fixHeader: Sending
type:46 header: 'Negotiate'
2016/07/15 19:53:47.743 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader:
headertype:46 authuser:NULL
2016/07/15 19:53:47.743 kid1| 29,9| Config.cc(188) fixHeader: Sending
type:46 header: 'Negotiate'
2016/07/15 19:53:47.754 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader:
headertype:46 authuser:NULL
2016/07/15 19:53:47.754 kid1| 29,9| Config.cc(188) fixHeader: Sending
type:46 header: 'Negotiate'
Thanks in advance!
--
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
[Attachment #5 (text/html)]
<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">2016-07-15 \
12:11 GMT-03:00 Sergio Belkin <span dir="ltr"><<a href="mailto:sebelk@gmail.com" \
target="_blank">sebelk@gmail.com</a>></span>:<br><blockquote class="gmail_quote" \
style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><br><div \
class="gmail_quote"><div><div class="h5">2016-07-15 6:31 GMT-03:00 Amos Jeffries \
<span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" \
target="_blank">squid3@treenet.co.nz</a>></span>:<br><blockquote \
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex"><span>On 15/07/2016 4:07 a.m., Sergio Belkin \
wrote:<br> > Hi,<br>
><br>
> Using squid squid-3.5.19-1.el7.centos.x86_64,<br>
><br>
> I obtain a kerberos ticket but I get the following when trying to use the<br>
> proxy:<br>
><br>
> 2016/07/14 12:57:03.711 kid1| 29,4| UserRequest.cc(290) authenticate: No<br>
> Proxy-Auth header and no working alternative. Requesting auth header.<br>
> 2016/07/14 12:57:03.712 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader:<br>
> headertype:46 authuser:NULL<br>
> 2016/07/14 12:57:03.712 kid1| 29,9| Config.cc(188) fixHeader: Sending<br>
> type:46 header: 'Negotiate'<br>
> 2016/07/14 12:57:04.159 kid1| 29,4| UserRequest.cc(290) authenticate: No<br>
> Proxy-Auth header and no working alternative. Requesting auth header.<br>
> 2016/07/14 12:57:04.159 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader:<br>
> headertype:46 authuser:NULL<br>
> 2016/07/14 12:57:04.159 kid1| 29,9| Config.cc(188) fixHeader: Sending<br>
> type:46 header: 'Negotiate'<br>
><br>
<br>
</span>That looks like a debug log of Negotiate/Kerberos authentication<br>
beginning on two connections.<br>
<br>
A good secure client does not send credentials until it needs to. Squdi<br>
has received a request that it needs to authenticate, but does not yet<br>
have credentiasl. So it responds with a 407 or 401 message requesting<br>
the client send them using "Negotiate" auth protocol.<br>
No problem visible.<br>
<br>
<br>
<snip><br>
<span><br>
> Please could you help me? Am I doing something wrong?<br>
<br>
</span>Perhapse if you described what your problem was \
?<br></blockquote><div><br><br></div></div></div><div>Amos, thanks, for your \
clarification, I get as follows: <br><br>"Sorry, you are not currently allowed \
to request <a href="http://www.lxer.com/" target="_blank">http://www.lxer.com/</a> \
from this cache until you have authenticated yourself"<br><br>( trying to use \
from a Linux client:)<br><br></div><div>(And in fact I've RTFM :-) \
)<br></div><div><br></div><div>tail /var/log/squid/access.log<br><br>192.168.50.37 - \
- [15/Jul/2016:12:01:05 -0300] "GET <a href="http://www.lxer.com/" \
target="_blank">http://www.lxer.com/</a> HTTP/1.1" 407 4064 "-" \
"curl/7.43.0" TCP_DENIED:HIER_NONE<br><br></div><div>I have a kerberos \
ticket:<br><br>klist<br>Ticket cache: KEYRING:persistent:16777216:16777216<br>Default \
principal: john.doe@EXAMPLE.LOCAL<br><br>Valid starting Expires \
Service principal<br>15/07/16 12:00:31 15/07/16 22:00:31 \
krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL<br> renew until 22/07/16 \
12:00:31<br><br><br></div><div>End of output<br></div><div><br></div><div>I don't \
know what I'm doing wrong.<br><br></div><div>Thanks in advance!<br></div><span \
class=""><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <span><font \
color="#888888"><br> Amos<br>
</font></span><div><div><br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" \
target="_blank">squid-users@lists.squid-cache.org</a><br> <a \
href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" \
target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br> \
</div></div></blockquote></span></div><br><br clear="all"><span class=""><br>-- \
<br><div data-smartmail="gmail_signature"><div dir="ltr"><div><div \
dir="ltr">-<br></div></div></div></div></span></div></div></blockquote><div><br></div><div>Please \
any ideas?<br><br></div><div>squid is on Centos 7.2<br></div><div>AD is Windows 2008 \
R2 Standard<br><br></div><div>Below more details from cache.log when trying to access \
from a Windows machine:<br><br> 2016/07/15 19:53:47.334 kid1| 29,4| \
UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. \
Requesting auth header.<br>2016/07/15 19:53:47.347 kid1| 29,9| UserRequest.cc(487) \
addReplyAuthHeader: headertype:46 authuser:NULL<br>2016/07/15 19:53:47.347 kid1| \
29,9| Config.cc(188) fixHeader: Sending type:46 header: \
'Negotiate'<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(328) \
authenticate: header Negotiate \
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.<br>2016/07/15 19:53:47.447 \
kid1| 29,9| UserRequest.cc(332) authenticate: This is a new checklist test \
on:local=<a href="http://192.168.50.22:3128">192.168.50.22:3128</a> remote=<a \
href="http://192.168.50.47:61011">192.168.50.47:61011</a> FD 12 flags=1<br>2016/07/15 \
19:53:47.447 kid1| 29,4| UserRequest.cc(350) authenticate: No connection \
authentication type<br>2016/07/15 19:53:47.447 kid1| 29,9| Config.cc(36) \
CreateAuthUser: header = 'Negotiate \
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='<br>2016/07/15 \
19:53:47.447 kid1| 29,5| User.cc(39) User: Initialised auth_user \
'0x2cf1e00'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(95) \
UserRequest: initialised request 0x30c4be0<br>2016/07/15 19:53:47.447 kid1| 29,9| \
Config.cc(267) decode: decode Negotiate authentication<br>2016/07/15 19:53:47.447 \
kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest \
'0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: \
Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| \
29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest \
'0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: \
Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| \
29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 \
19:53:47.447 kid1| 29,9| UserRequest.cc(225) authenticate: auth state negotiate none. \
Received blob: 'Negotiate \
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='<br>2016/07/15 \
19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest \
'0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: \
Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| \
29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 \
19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest \
'0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: \
Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| \
29,9| UserRequest.cc(46) start: 0x30c4be0<br>2016/07/15 19:53:47.447 kid1| 29,8| \
UserRequest.cc(134) startHelperLookup: credentials state is \
'2'<br>negotiate_kerberos_auth.cc(610): pid=5236 :2016/07/15 19:53:47| \
negotiate_kerberos_auth: DEBUG: Got 'YR \
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' from squid (length: \
59).<br>negotiate_kerberos_auth.cc(663): pid=5236 :2016/07/15 19:53:47| \
negotiate_kerberos_auth: DEBUG: Decode \
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' (decoded length: \
40).<br>negotiate_kerberos_auth.cc(673): pid=5236 :2016/07/15 19:53:47| \
negotiate_kerberos_auth: WARNING: received type 1 NTLM token<br>2016/07/15 \
19:53:47.447 kid1| 29,8| UserRequest.cc(266) HandleReply: helper: \
'0x30c5698/0x30c5698' sent us reply={result=BH, notes={message: received type \
1 NTLM token; }}<br>2016/07/15 19:53:47.447 kid1| 29,6| UserRequest.cc(175) \
releaseAuthServer: releasing Negotiate auth server '0x30c5698'<br>2016/07/15 \
19:53:47.447 kid1| ERROR: Negotiate Authentication validating user. Result: \
{result=BH, notes={message: received type 1 NTLM token; }}<br>2016/07/15 19:53:47.447 \
kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest \
'0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: \
Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| \
29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest \
'0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: \
Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| \
29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 \
19:53:47.447 kid1| 29,9| UserRequest.cc(328) authenticate: header Negotiate \
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.<br>2016/07/15 19:53:47.447 \
kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest \
'0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: \
Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| \
29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 \
19:53:47.447 kid1| 29,9| UserRequest.cc(256) authenticate: auth state negotiate \
failed. Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==<br>2016/07/15 \
19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest \
'0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: \
Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| \
29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 \
19:53:47.448 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 \
authuser:NULL<br>2016/07/15 19:53:47.448 kid1| 29,9| Config.cc(188) fixHeader: \
Sending type:46 header: 'Negotiate'<br>2016/07/15 19:53:47.532 kid1| 29,9| \
UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL<br>2016/07/15 \
19:53:47.532 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: \
'Negotiate'<br>2016/07/15 19:53:47.655 kid1| 29,9| UserRequest.cc(487) \
addReplyAuthHeader: headertype:46 authuser:NULL<br>2016/07/15 19:53:47.655 kid1| \
29,9| Config.cc(188) fixHeader: Sending type:46 header: \
'Negotiate'<br>2016/07/15 19:53:47.688 kid1| 29,4| UserRequest.cc(290) \
authenticate: No Proxy-Auth header and no working alternative. Requesting auth \
header.<br>2016/07/15 19:53:47.688 kid1| 29,9| UserRequest.cc(487) \
addReplyAuthHeader: headertype:46 authuser:NULL<br>2016/07/15 19:53:47.688 kid1| \
29,9| Config.cc(188) fixHeader: Sending type:46 header: \
'Negotiate'<br>2016/07/15 19:53:47.698 kid1| 29,6| UserRequest.cc(179) \
releaseAuthServer: No Negotiate auth server to release.<br>2016/07/15 19:53:47.698 \
kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to \
release.<br>2016/07/15 19:53:47.698 kid1| 29,5| UserRequest.cc(101) ~UserRequest: \
freeing request 0x30c4be0<br>2016/07/15 19:53:47.698 kid1| 29,5| User.cc(21) ~User: \
doing nothing to clear Negotiate scheme data for '0x2cf1e00'<br>2016/07/15 \
19:53:47.698 kid1| 29,5| User.cc(127) ~User: Freeing auth_user \
'0x2cf1e00'.<br>2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(328) \
authenticate: header Negotiate \
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.<br>2016/07/15 19:53:47.717 \
kid1| 29,9| UserRequest.cc(332) authenticate: This is a new checklist test \
on:local=<a href="http://192.168.50.22:3128">192.168.50.22:3128</a> remote=<a \
href="http://192.168.50.47:61012">192.168.50.47:61012</a> FD 16 flags=1<br>2016/07/15 \
19:53:47.717 kid1| 29,4| UserRequest.cc(350) authenticate: No connection \
authentication type<br>2016/07/15 19:53:47.717 kid1| 29,9| Config.cc(36) \
CreateAuthUser: header = 'Negotiate \
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='<br>2016/07/15 \
19:53:47.717 kid1| 29,5| User.cc(39) User: Initialised auth_user \
'0x2cf1e00'.<br>2016/07/15 19:53:47.717 kid1| 29,5| UserRequest.cc(95) \
UserRequest: initialised request 0x30c4be0<br>2016/07/15 19:53:47.717 kid1| 29,9| \
Config.cc(267) decode: decode Negotiate authentication<br>2016/07/15 19:53:47.717 \
kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest \
'0x30c4be0'.<br>2016/07/15 19:53:47.717 kid1| 29,5| UserRequest.cc(73) valid: \
Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.717 kid1| \
29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest \
'0x30c4be0'.<br>2016/07/15 19:53:47.717 kid1| 29,5| UserRequest.cc(73) valid: \
Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.717 kid1| \
29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 \
19:53:47.717 kid1| 29,9| UserRequest.cc(225) authenticate: auth state negotiate none. \
Received blob: 'Negotiate \
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='<br>2016/07/15 \
19:53:47.717 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest \
'0x30c4be0'.<br>2016/07/15 19:53:47.717 kid1| 29,5| UserRequest.cc(73) valid: \
Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.717 kid1| \
29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 \
19:53:47.717 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest \
'0x30c4be0'.<br>2016/07/15 19:53:47.717 kid1| 29,5| UserRequest.cc(73) valid: \
Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.717 kid1| \
29,9| UserRequest.cc(46) start: 0x30c4be0<br>2016/07/15 19:53:47.717 kid1| 29,8| \
UserRequest.cc(134) startHelperLookup: credentials state is \
'2'<br>negotiate_kerberos_auth.cc(610): pid=5236 :2016/07/15 19:53:47| \
negotiate_kerberos_auth: DEBUG: Got 'YR \
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' from squid (length: \
59).<br>negotiate_kerberos_auth.cc(663): pid=5236 :2016/07/15 19:53:47| \
negotiate_kerberos_auth: DEBUG: Decode \
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' (decoded length: \
40).<br>negotiate_kerberos_auth.cc(673): pid=5236 :2016/07/15 19:53:47| \
negotiate_kerberos_auth: WARNING: received type 1 NTLM token<br>2016/07/15 \
19:53:47.717 kid1| 29,8| UserRequest.cc(266) HandleReply: helper: \
'0x30c5698/0x30c5698' sent us reply={result=BH, notes={message: received type \
1 NTLM token; }}<br>2016/07/15 19:53:47.717 kid1| 29,6| UserRequest.cc(175) \
releaseAuthServer: releasing Negotiate auth server '0x30c5698'<br>2016/07/15 \
19:53:47.717 kid1| ERROR: Negotiate Authentication validating user. Result: \
{result=BH, notes={message: received type 1 NTLM token; }}<br>2016/07/15 19:53:47.718 \
kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest \
'0x30c4be0'.<br>2016/07/15 19:53:47.718 kid1| 29,5| UserRequest.cc(73) valid: \
Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.718 kid1| \
29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest \
'0x30c4be0'.<br>2016/07/15 19:53:47.718 kid1| 29,5| UserRequest.cc(73) valid: \
Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.718 kid1| \
29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 \
19:53:47.718 kid1| 29,9| UserRequest.cc(328) authenticate: header Negotiate \
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.<br>2016/07/15 19:53:47.718 \
kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest \
'0x30c4be0'.<br>2016/07/15 19:53:47.718 kid1| 29,5| UserRequest.cc(73) valid: \
Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.718 kid1| \
29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 \
19:53:47.718 kid1| 29,9| UserRequest.cc(256) authenticate: auth state negotiate \
failed. Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==<br>2016/07/15 \
19:53:47.718 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest \
'0x30c4be0'.<br>2016/07/15 19:53:47.718 kid1| 29,5| UserRequest.cc(73) valid: \
Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.718 kid1| \
29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 \
19:53:47.718 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 \
authuser:NULL<br>2016/07/15 19:53:47.718 kid1| 29,9| Config.cc(188) fixHeader: \
Sending type:46 header: 'Negotiate'<br>2016/07/15 19:53:47.743 kid1| 29,9| \
UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL<br>2016/07/15 \
19:53:47.743 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: \
'Negotiate'<br>2016/07/15 19:53:47.754 kid1| 29,9| UserRequest.cc(487) \
addReplyAuthHeader: headertype:46 authuser:NULL<br>2016/07/15 19:53:47.754 kid1| \
29,9| Config.cc(188) fixHeader: Sending type:46 header: \
'Negotiate'<br><br><br></div><div>Thanks in advance!<br></div></div>-- \
<br><div class="gmail_signature" data-smartmail="gmail_signature"><div \
dir="ltr"><div><div dir="ltr">--<br>Sergio Belkin<br>LPIC-2 Certified - <a \
href="http://www.lpi.org" \
target="_blank">http://www.lpi.org</a></div></div></div></div> </div></div>
[Attachment #6 (text/plain)]
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic