Discussion:
[squid-users] Problem with kerb/ntlm authentication
Yanier Salazar Sanchez
2018-09-14 17:56:34 UTC
Permalink
Sorry for my bad english.



This is the scenario



I have ubuntu 18.04.01 (with las update) with squid 4.2-2, samba and winbind
4.7.6, AD on Windows Server 2012 R2/2016 with the las update, Client with
windows 10 1709 with the las update, firefox 60.2.0esr, google chrome
61.0.3163.79, firefox quantum 62.0 and internet explorer



I using this guide
https://blog.it-kb.ru/2014/06/16/forward-proxy-squid-3-3-on-ubuntu-server-14
-04-lts-part-1-install-os-on-hyper-v-generation-2-vm/ (Only to where
kerberos and NTLM are configured)



I joined the proxy to the active directory



All the commands seem to work correctly



I run this command

klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: HTTP//srv-squid-***@MIRED.LAN
<mailto:HTTP//srv-squid-***@MIRED.LAN>

Valid starting Expires Service principal

09/13/2018 16:29:48 09/14/2018 02:29:48 krbtgt/***@MIRED.LAN

09/13/2018 16:55:57 09/14/2018 02:29:48
host/srv-squid-***@MIRED.LAN
<mailto:host/srv-squid-***@MIRED.LAN>

09/13/2018 16:56:13 09/14/2018 02:29:48 host/srv-***@MIRED.LAN
<mailto:host/srv-***@MIRED.LAN>



I run this command

kinit squidtest

password for ***@MIRED.LAN <mailto:***@MIRED.LAN> :



I create a proxy.keytab in my windows server 2012 r2 with this command

ktpass -princ HTTP/srv-squid-***@MIRED.LAN -mapuser
MIRED\squidtest -pass password -crypto All -ptype KRB5_NT_PRINCIPAL -out
d:\proxy.keytab

proxy.keytab permission

rw-r-r root proxy proxy.keytab





My krb5.conf file



[libdefaults]

default_realm = MIRED.LAN

dns_lookup_kdc = yes

dns_lookup_kdc = no

ticket_lifetime = 24h

default_keytab_name = /etc/squid/proxy.keytab

[realms]

MIRED.LAN = {

kdc = srv-dc.mired.lan

admin_server = srv-dc.mired.lan

default_domain = mired.lan

}

[domain_relam]

mired.lan = MIRED.LAN

.mired.lan = MIRED.LAN









I run this command

klist -k /etc/squid/proxy.keytab

Keytab name: FILE/etc/squid/proxy.keytab

KVNO Principal

6 HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN>

6 HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN>

6 HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN>

6 HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN>

6 HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN>



I run this command

wbinfo -authenticate=squidtest%mypassword

Plaintest password athentication succeded

Challenge/response password authentication succeded



I run this command

wbinfo -krb5auth=squidtest%mypassword

Plaintest kerberos password athentication for [squidtest:mypassword]
succeded (requesting cctype: FILE) credential were put in; FILE/tmp/krbcc_0



I run this command

wbinfo -g (List all groups in AD)

I run this command

wbinfo -u (List all users in AD)



I run this command

/usr/lib/squid/negotiate_kerberos_auth_test srv-squid-krb.mired.lan

Token: YIICSAYGRKw... blabla /B8VWAxn29WaG/j





The squid.conf it's basic configuration only with



auth_program negotiate program /usr/lib/squid/negotiate_wrapper_auth -d
-ntlm /usr/bin/ntlm_auth -diagnostics -helper-protocol=2.5-ntlmssp
-domain=mired -kerberos /usr/lib/squid/negotiate_kerberos_auth -d -r -s
HTTP//srv-squid-***@mired.lan
<mailto:HTTP//srv-squid-***@mired.lan>

auth_program negotiate children 10

auth_program negotiate keep_alive off



auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
-helper-protocol=squid-2.5-ntlmssp

auth_param ntlm children 10

auth_param ntlm keep_alive off



acl red src 192.168.0.0/24

acl auth proxy_auth REQUIRED



and

http_access allow red auth





But the problem is that Kerberos don't work. Only NTLM.

cache.log

2018/09/14 06:25:02| negotiate_wrapper: Starting version 1.0.1

2018/09/14 06:25:02| negotiate_wrapper: NTLM command: /usr/bin/ntlm_auth
--diagnostics --helper-protocol=squid-2.5-ntlmssp

2018/09/14 06:25:02| negotiate_wrapper: Kerberos command:
/usr/lib/squid/negotiate_kerberos_auth -d -r -s
HTTP/srv-squid-***@MIRED.LAN

negotiate_kerberos_auth.cc(487): pid=10816 :2018/09/14 06:25:02|
negotiate_kerberos_auth: INFO: Starting version 3.1.0sq

negotiate_kerberos_auth.cc(546): pid=10816 :2018/09/14 06:25:02|
negotiate_kerberos_auth: INFO: Setting keytab to /etc/squid/proxy.keytab

negotiate_kerberos_auth.cc(570): pid=10816 :2018/09/14 06:25:02|
negotiate_kerberos_auth: INFO: Changed keytab to
MEMORY:negotiate_kerberos_auth_10816

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgonigQb5TAh6RigAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIALqX2txRTNQBAAAAAA==

'

2018/09/14 13:39:18.197 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgonigQb5TAh6RigAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIALqX2txRTNQBAAAAAA=
='

2018/09/14 13:39:18.197 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgonigQb5TAh6RigAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIALqX2txRTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgonig5b0rgxfAqwAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAD5e29xRTNQBAAAAAA==

'

2018/09/14 13:39:18.202 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgonig5b0rgxfAqwAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAD5e29xRTNQBAAAAAA=
='

2018/09/14 13:39:18.202 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgonig5b0rgxfAqwAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAD5e29xRTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgoni/IpqOarkGm0AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAF7Y3NxRTNQBAAAAAA==

'

2018/09/14 13:39:18.212 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgoni/IpqOarkGm0AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAF7Y3NxRTNQBAAAAAA=
='

2018/09/14 13:39:18.212 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgoni/IpqOarkGm0AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAF7Y3NxRTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgoniE4M9MFIcoxQAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAIoG3dxRTNQBAAAAAA==

'

2018/09/14 13:39:18.213 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgoniE4M9MFIcoxQAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAIoG3dxRTNQBAAAAAA=
='

2018/09/14 13:39:18.213 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgoniE4M9MFIcoxQAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAIoG3dxRTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgoniyKjYPBGi9DAAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIADpT4NxRTNQBAAAAAA==

'

2018/09/14 13:39:18.234 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgoniyKjYPBGi9DAAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIADpT4NxRTNQBAAAAAA=
='

2018/09/14 13:39:18.235 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgoniyKjYPBGi9DAAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIADpT4NxRTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPTClxtLRmctSfR7SLfnA2O0UATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD6IIRx8JJe
sRgbGAVoQxrwAQEAAAAAAABe2NzcUUzUATZJB+HrulrgAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIAF7Y3NxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAyh1ssj6oWg4B+eQjlqv2aA=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPTClxtLRmctSfR7SLfnA2O0UATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD6IIRx8JJ
esRgbGAVoQxrwAQEAAAAAAABe2NzcUUzUATZJB+HrulrgAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIAF7Y3NxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAyh1ssj6oWg4B+eQjlqv2aA=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall

'

2018/09/14 13:39:18.297 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall

2018/09/14 13:39:18.297 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'

2018/09/14 13:39:18.297 kid1| 29,2| User.cc(227) addIp: user 'crystall' has
been seen at a new IP address (192.168.0.2:53116)

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPNdmk9QQok2ZtAJi07Aft0EUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIdVVkN6Ul
IPyfEZl+tFbZAQEAAAAAAAA6U+DcUUzUAbDPblk1F39AAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIADpT4NxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAASlVupH80E90xsICozM0MDw=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPNdmk9QQok2ZtAJi07Aft0EUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIdVVkN6U
lIPyfEZl+tFbZAQEAAAAAAAA6U+DcUUzUAbDPblk1F39AAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIADpT4NxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAASlVupH80E90xsICozM0MDw=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPktrvZwcp20ZMz2vUT1MqrEUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC/ktNdTT5c
V4Jw+7d4icVSAQEAAAAAAAA+XtvcUUzUAQvLOUptjrxtAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIAD5e29xRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAC9hZLo1JeXWlUlkutHco2Q=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPktrvZwcp20ZMz2vUT1MqrEUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC/ktNdTT5
cV4Jw+7d4icVSAQEAAAAAAAA+XtvcUUzUAQvLOUptjrxtAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIAD5e29xRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAC9hZLo1JeXWlUlkutHco2Q=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPcvqx2ByNCA8nHjzEmlCuRkUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAV9wKDCHbA
PUCj0iTVPM9cAQEAAAAAAACKBt3cUUzUAQ3p911SxBpmAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIAIoG3dxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAWt0nSXk+Ix4DbAvzOrubNA=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPcvqx2ByNCA8nHjzEmlCuRkUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAV9wKDCHb
APUCj0iTVPM9cAQEAAAAAAACKBt3cUUzUAQ3p911SxBpmAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIAIoG3dxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAWt0nSXk+Ix4DbAvzOrubNA=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPsug30D9/WWwwJJE0C5LgOUUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABB9ekE7/+
TbqkYU6Gx64qAQEAAAAAAAC6l9rcUUzUAS71gyhoa7SHAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIALqX2txRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAA/6MII/C9uGEWH4s9EE+W/g=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPsug30D9/WWwwJJE0C5LgOUUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABB9ekE7/
+TbqkYU6Gx64qAQEAAAAAAAC6l9rcUUzUAS71gyhoa7SHAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIALqX2txRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAA/6MII/C9uGEWH4s9EE+W/g=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall

'

2018/09/14 13:39:18.326 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall

2018/09/14 13:39:18.326 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall

'

2018/09/14 13:39:18.331 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall

2018/09/14 13:39:18.331 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall

'

2018/09/14 13:39:18.335 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall

2018/09/14 13:39:18.335 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall

'

2018/09/14 13:39:18.340 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall

2018/09/14 13:39:18.340 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'

2018/09/14 13:39:18.340 kid1| ICP is disabled! Cannot send ICP request to
peer.

2018/09/14 13:39:18.340 kid1| ICP is disabled! Cannot send ICP request to
peer.

2018/09/14 13:39:18.779 kid1| 29,4| UserRequest.cc(294) authenticate: No
Proxy-Auth header and no working alternative. Requesting auth header.

2018/09/14 13:39:18.782 kid1| 29,4| UserRequest.cc(354) authenticate: No
connection authentication type

2018/09/14 13:39:18| negotiate_wrapper: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAKs/AAAADw==' from squid
(length: 59).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAKs/AAAADw==' (decoded length:
42).

2018/09/14 13:39:18| negotiate_wrapper: received type 1 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgoni6re6l3Xwbr4AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIANJNNN1RTNQBAAAAAA==

'

2018/09/14 13:39:18.785 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgoni6re6l3Xwbr4AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIANJNNN1RTNQBAAAAAA=
='

2018/09/14 13:39:18.785 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgoni6re6l3Xwbr4AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIANJNNN1RTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPZToO29GZi9mTSaZo7kC+uEUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADMCXZljnEc
JGfczvMrEXsbAQEAAAAAAADSTTTdUUzUATkI4mevwzXdAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIANJNNN1RTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAxTDFbTI2R1oQS5sjProTRQ=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPZToO29GZi9mTSaZo7kC+uEUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADMCXZljnE
cJGfczvMrEXsbAQEAAAAAAADSTTTdUUzUATkI4mevwzXdAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIANJNNN1RTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAxTDFbTI2R1oQS5sjProTRQ=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall





Access.log

1536946843.113 66541 192.168.0.2 TCP_TUNNEL/200 3806 CONNECT
www.facebook.com:443 crystall FIRSTUP_PARENT/PARENT_PROXY_IP



The question is, that only NTLM works, I've tried with Internet Explorer,
Google Chrome and Firefox. The other thing is that he never asks for
username and password, he uses the user credentials that he initiates
session to work (I do not know if this is the correct operation).

What could be happening?





Sorry for the long email.





Gretting Yanier
Yanier Salazar Sanchez
2018-09-14 18:51:51 UTC
Permalink
Sorry for my bad english.



This is the scenario



I have ubuntu 18.04.01 (with las update) with squid 4.2-2, samba and winbind
4.7.6, AD on Windows Server 2012 R2/2016 with the las update, Client with
windows 10 1709 with the las update, firefox 60.2.0esr, google chrome
61.0.3163.79, firefox quantum 62.0 and internet explorer



I using this guide
https://blog.it-kb.ru/2014/06/16/forward-proxy-squid-3-3-on-ubuntu-server-14
-04-lts-part-1-install-os-on-hyper-v-generation-2-vm/ (Only to where
kerberos and NTLM are configured)



I joined the proxy to the active directory



All the commands seem to work correctly



I run this command

klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: HTTP//srv-squid-***@MIRED.LAN
<mailto:HTTP//srv-squid-***@MIRED.LAN>

Valid starting Expires Service principal

09/13/2018 16:29:48 09/14/2018 02:29:48 krbtgt/***@MIRED.LAN
<mailto:krbtgt/***@MIRED.LAN>

09/13/2018 16:55:57 09/14/2018 02:29:48
host/srv-squid-***@MIRED.LAN
<mailto:host/srv-squid-***@MIRED.LAN>

09/13/2018 16:56:13 09/14/2018 02:29:48 host/srv-***@MIRED.LAN
<mailto:host/srv-***@MIRED.LAN>



I run this command

kinit squidtest

password for ***@MIRED.LAN <mailto:***@MIRED.LAN> :



I create a proxy.keytab in my windows server 2012 r2 with this command

ktpass -princ HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN> -mapuser MIRED\squidtest
-pass password -crypto All -ptype KRB5_NT_PRINCIPAL -out d:\proxy.keytab

proxy.keytab permission

rw-r-r root proxy proxy.keytab





My krb5.conf file



[libdefaults]

default_realm = MIRED.LAN

dns_lookup_kdc = yes

dns_lookup_kdc = no

ticket_lifetime = 24h

default_keytab_name = /etc/squid/proxy.keytab

[realms]

MIRED.LAN = {

kdc = srv-dc.mired.lan

admin_server = srv-dc.mired.lan

default_domain = mired.lan

}

[domain_relam]

mired.lan = MIRED.LAN

.mired.lan = MIRED.LAN









I run this command

klist -k /etc/squid/proxy.keytab

Keytab name: FILE/etc/squid/proxy.keytab

KVNO Principal

6 HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN>

6 HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN>

6 HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN>

6 HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN>

6 HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN>



I run this command

wbinfo -authenticate=squidtest%mypassword

Plaintest password athentication succeded

Challenge/response password authentication succeded



I run this command

wbinfo -krb5auth=squidtest%mypassword

Plaintest kerberos password athentication for [squidtest:mypassword]
succeded (requesting cctype: FILE) credential were put in; FILE/tmp/krbcc_0



I run this command

wbinfo -g (List all groups in AD)

I run this command

wbinfo -u (List all users in AD)



I run this command

/usr/lib/squid/negotiate_kerberos_auth_test srv-squid-krb.mired.lan

Token: YIICSAYGRKw... blabla /B8VWAxn29WaG/j





The squid.conf it's basic configuration only with



auth_program negotiate program /usr/lib/squid/negotiate_wrapper_auth -d
-ntlm /usr/bin/ntlm_auth -diagnostics -helper-protocol=2.5-ntlmssp
-domain=mired -kerberos /usr/lib/squid/negotiate_kerberos_auth -d -r -s
HTTP//srv-squid-***@mired.lan
<mailto:HTTP//srv-squid-***@mired.lan>

auth_program negotiate children 10

auth_program negotiate keep_alive off



this lines are comment because in cache.log show the folloing messages
cache.log

username must be specified!

Usage: [OPTION]

--helper-protocol=

#auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
-helper-protocol=squid-2.5-ntlmssp

#auth_param ntlm children 10

#auth_param ntlm keep_alive off



acl red src 192.168.0.0/24

acl auth proxy_auth REQUIRED



and

http_access allow red auth



if I run this commando on console

/usr/bin/ntlm_auth -help-protocol=squid-2.5-basic -username=user
-password=password

NT_STATUS_OK: The operation completed successfully (0x0)

/usr/bin/ntlm_auth -help-protocol=squid-2.5-ntlmssp -username=user
-password=password

NT_STATUS_OK: The operation completed successfully (0x0)

But if I run /usr/bin/ntlm_auth -help-protocol=squid-2.5-ntlmssp

The answer is username must be specified





But the problem is that Kerberos don't work. Only NTLM.

cache.log

2018/09/14 06:25:02| negotiate_wrapper: Starting version 1.0.1

2018/09/14 06:25:02| negotiate_wrapper: NTLM command: /usr/bin/ntlm_auth
--diagnostics --helper-protocol=squid-2.5-ntlmssp

2018/09/14 06:25:02| negotiate_wrapper: Kerberos command:
/usr/lib/squid/negotiate_kerberos_auth -d -r -s
HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN>

negotiate_kerberos_auth.cc(487): pid=10816 :2018/09/14 06:25:02|
negotiate_kerberos_auth: INFO: Starting version 3.1.0sq

negotiate_kerberos_auth.cc(546): pid=10816 :2018/09/14 06:25:02|
negotiate_kerberos_auth: INFO: Setting keytab to /etc/squid/proxy.keytab

negotiate_kerberos_auth.cc(570): pid=10816 :2018/09/14 06:25:02|
negotiate_kerberos_auth: INFO: Changed keytab to
MEMORY:negotiate_kerberos_auth_10816

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgonigQb5TAh6RigAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIALqX2txRTNQBAAAAAA==

'

2018/09/14 13:39:18.197 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgonigQb5TAh6RigAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIALqX2txRTNQBAAAAAA=
='

2018/09/14 13:39:18.197 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgonigQb5TAh6RigAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIALqX2txRTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgonig5b0rgxfAqwAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAD5e29xRTNQBAAAAAA==

'

2018/09/14 13:39:18.202 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgonig5b0rgxfAqwAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAD5e29xRTNQBAAAAAA=
='

2018/09/14 13:39:18.202 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgonig5b0rgxfAqwAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAD5e29xRTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgoni/IpqOarkGm0AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAF7Y3NxRTNQBAAAAAA==

'

2018/09/14 13:39:18.212 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgoni/IpqOarkGm0AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAF7Y3NxRTNQBAAAAAA=
='

2018/09/14 13:39:18.212 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgoni/IpqOarkGm0AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAF7Y3NxRTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgoniE4M9MFIcoxQAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAIoG3dxRTNQBAAAAAA==

'

2018/09/14 13:39:18.213 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgoniE4M9MFIcoxQAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAIoG3dxRTNQBAAAAAA=
='

2018/09/14 13:39:18.213 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgoniE4M9MFIcoxQAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAIoG3dxRTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgoniyKjYPBGi9DAAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIADpT4NxRTNQBAAAAAA==

'

2018/09/14 13:39:18.234 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgoniyKjYPBGi9DAAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIADpT4NxRTNQBAAAAAA=
='

2018/09/14 13:39:18.235 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgoniyKjYPBGi9DAAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIADpT4NxRTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPTClxtLRmctSfR7SLfnA2O0UATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD6IIRx8JJe
sRgbGAVoQxrwAQEAAAAAAABe2NzcUUzUATZJB+HrulrgAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIAF7Y3NxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAyh1ssj6oWg4B+eQjlqv2aA=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPTClxtLRmctSfR7SLfnA2O0UATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD6IIRx8JJ
esRgbGAVoQxrwAQEAAAAAAABe2NzcUUzUATZJB+HrulrgAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIAF7Y3NxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAyh1ssj6oWg4B+eQjlqv2aA=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall

'

2018/09/14 13:39:18.297 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall

2018/09/14 13:39:18.297 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'

2018/09/14 13:39:18.297 kid1| 29,2| User.cc(227) addIp: user 'crystall' has
been seen at a new IP address (192.168.0.2:53116)

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPNdmk9QQok2ZtAJi07Aft0EUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIdVVkN6Ul
IPyfEZl+tFbZAQEAAAAAAAA6U+DcUUzUAbDPblk1F39AAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIADpT4NxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAASlVupH80E90xsICozM0MDw=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPNdmk9QQok2ZtAJi07Aft0EUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIdVVkN6U
lIPyfEZl+tFbZAQEAAAAAAAA6U+DcUUzUAbDPblk1F39AAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIADpT4NxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAASlVupH80E90xsICozM0MDw=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPktrvZwcp20ZMz2vUT1MqrEUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC/ktNdTT5c
V4Jw+7d4icVSAQEAAAAAAAA+XtvcUUzUAQvLOUptjrxtAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIAD5e29xRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAC9hZLo1JeXWlUlkutHco2Q=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPktrvZwcp20ZMz2vUT1MqrEUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC/ktNdTT5
cV4Jw+7d4icVSAQEAAAAAAAA+XtvcUUzUAQvLOUptjrxtAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIAD5e29xRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAC9hZLo1JeXWlUlkutHco2Q=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPcvqx2ByNCA8nHjzEmlCuRkUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAV9wKDCHbA
PUCj0iTVPM9cAQEAAAAAAACKBt3cUUzUAQ3p911SxBpmAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIAIoG3dxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAWt0nSXk+Ix4DbAvzOrubNA=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPcvqx2ByNCA8nHjzEmlCuRkUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAV9wKDCHb
APUCj0iTVPM9cAQEAAAAAAACKBt3cUUzUAQ3p911SxBpmAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIAIoG3dxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAWt0nSXk+Ix4DbAvzOrubNA=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPsug30D9/WWwwJJE0C5LgOUUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABB9ekE7/+
TbqkYU6Gx64qAQEAAAAAAAC6l9rcUUzUAS71gyhoa7SHAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIALqX2txRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAA/6MII/C9uGEWH4s9EE+W/g=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPsug30D9/WWwwJJE0C5LgOUUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABB9ekE7/
+TbqkYU6Gx64qAQEAAAAAAAC6l9rcUUzUAS71gyhoa7SHAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIALqX2txRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAA/6MII/C9uGEWH4s9EE+W/g=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall

'

2018/09/14 13:39:18.326 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall

2018/09/14 13:39:18.326 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall

'

2018/09/14 13:39:18.331 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall

2018/09/14 13:39:18.331 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall

'

2018/09/14 13:39:18.335 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall

2018/09/14 13:39:18.335 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall

'

2018/09/14 13:39:18.340 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall

2018/09/14 13:39:18.340 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'

2018/09/14 13:39:18.340 kid1| ICP is disabled! Cannot send ICP request to
peer.

2018/09/14 13:39:18.340 kid1| ICP is disabled! Cannot send ICP request to
peer.

2018/09/14 13:39:18.779 kid1| 29,4| UserRequest.cc(294) authenticate: No
Proxy-Auth header and no working alternative. Requesting auth header.

2018/09/14 13:39:18.782 kid1| 29,4| UserRequest.cc(354) authenticate: No
connection authentication type

2018/09/14 13:39:18| negotiate_wrapper: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAKs/AAAADw==' from squid
(length: 59).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAKs/AAAADw==' (decoded length:
42).

2018/09/14 13:39:18| negotiate_wrapper: received type 1 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgoni6re6l3Xwbr4AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIANJNNN1RTNQBAAAAAA==

'

2018/09/14 13:39:18.785 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgoni6re6l3Xwbr4AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIANJNNN1RTNQBAAAAAA=
='

2018/09/14 13:39:18.785 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgoni6re6l3Xwbr4AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIANJNNN1RTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPZToO29GZi9mTSaZo7kC+uEUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADMCXZljnEc
JGfczvMrEXsbAQEAAAAAAADSTTTdUUzUATkI4mevwzXdAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIANJNNN1RTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAxTDFbTI2R1oQS5sjProTRQ=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPZToO29GZi9mTSaZo7kC+uEUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADMCXZljnE
cJGfczvMrEXsbAQEAAAAAAADSTTTdUUzUATkI4mevwzXdAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIANJNNN1RTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAxTDFbTI2R1oQS5sjProTRQ=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall





Access.log

1536946843.113 66541 192.168.0.2 TCP_TUNNEL/200 3806 CONNECT
www.facebook.com:443 <http://www.facebook.com:443> crystall
FIRSTUP_PARENT/PARENT_PROXY_IP



The question is, that only NTLM works, I've tried with Internet Explorer,
Google Chrome and Firefox. The other thing is that he never asks for
username and password, he uses the user credentials that he initiates
session to work (I do not know if this is the correct operation).

What could be happening?





Sorry for the long email.





Gretting Yanier
Yanier Salazar Sanchez
2018-09-18 13:26:05 UTC
Permalink
I already fixed the problem that caused NTLM authentication to work only.

Greetings yanier





Ing. Yanier Salazar Sánchez

Administrador de Red

Empresa Eléctrica Ciego de Avila

Teléfonos: (33) 228613 ext 305









From: squid-users <squid-users-***@lists.squid-cache.org> On Behalf Of
Yanier Salazar Sanchez
Sent: Friday, September 14, 2018 13:57
To: squid-***@lists.squid-cache.org
Subject: [squid-users] Problem with kerb/ntlm authentication



Sorry for my bad english.



This is the scenario



I have ubuntu 18.04.01 (with las update) with squid 4.2-2, samba and winbind
4.7.6, AD on Windows Server 2012 R2/2016 with the las update, Client with
windows 10 1709 with the las update, firefox 60.2.0esr, google chrome
61.0.3163.79, firefox quantum 62.0 and internet explorer



I using this guide
https://blog.it-kb.ru/2014/06/16/forward-proxy-squid-3-3-on-ubuntu-server-14
-04-lts-part-1-install-os-on-hyper-v-generation-2-vm/ (Only to where
kerberos and NTLM are configured)



I joined the proxy to the active directory



All the commands seem to work correctly



I run this command

klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: HTTP//srv-squid-***@MIRED.LAN
<mailto:HTTP//srv-squid-***@MIRED.LAN>

Valid starting Expires Service principal

09/13/2018 16:29:48 09/14/2018 02:29:48 krbtgt/***@MIRED.LAN
<mailto:krbtgt/***@MIRED.LAN>

09/13/2018 16:55:57 09/14/2018 02:29:48
host/srv-squid-***@MIRED.LAN
<mailto:host/srv-squid-***@MIRED.LAN>

09/13/2018 16:56:13 09/14/2018 02:29:48 host/srv-***@MIRED.LAN
<mailto:host/srv-***@MIRED.LAN>



I run this command

kinit squidtest

password for ***@MIRED.LAN <mailto:***@MIRED.LAN> :



I create a proxy.keytab in my windows server 2012 r2 with this command

ktpass -princ HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN> -mapuser MIRED\squidtest
-pass password -crypto All -ptype KRB5_NT_PRINCIPAL -out d:\proxy.keytab

proxy.keytab permission

rw-r—r root proxy proxy.keytab





My krb5.conf file



[libdefaults]

default_realm = MIRED.LAN

dns_lookup_kdc = yes

dns_lookup_kdc = no

ticket_lifetime = 24h

default_keytab_name = /etc/squid/proxy.keytab

[realms]

MIRED.LAN = {

kdc = srv-dc.mired.lan

admin_server = srv-dc.mired.lan

default_domain = mired.lan

}

[domain_relam]

mired.lan = MIRED.LAN

.mired.lan = MIRED.LAN









I run this command

klist –k /etc/squid/proxy.keytab

Keytab name: FILE/etc/squid/proxy.keytab

KVNO Principal

6 HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN>

6 HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN>

6 HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN>

6 HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN>

6 HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN>



I run this command

wbinfo –authenticate=squidtest%mypassword

Plaintest password athentication succeded

Challenge/response password authentication succeded



I run this command

wbinfo –krb5auth=squidtest%mypassword

Plaintest kerberos password athentication for [squidtest:mypassword]
succeded (requesting cctype: FILE) credential were put in; FILE/tmp/krbcc_0



I run this command

wbinfo –g (List all groups in AD)

I run this command

wbinfo –u (List all users in AD)



I run this command

/usr/lib/squid/negotiate_kerberos_auth_test srv-squid-krb.mired.lan

Token: YIICSAYGRKw….. blabla /B8VWAxn29WaG/j





The squid.conf it’s basic configuration only with



auth_program negotiate program /usr/lib/squid/negotiate_wrapper_auth –d
–ntlm /usr/bin/ntlm_auth –diagnostics –helper-protocol=2.5-ntlmssp
–domain=mired –kerberos /usr/lib/squid/negotiate_kerberos_auth –d –r –s
HTTP//srv-squid-***@mired.lan
<mailto:HTTP//srv-squid-***@mired.lan>

auth_program negotiate children 10

auth_program negotiate keep_alive off



auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
–helper-protocol=squid-2.5-ntlmssp

auth_param ntlm children 10

auth_param ntlm keep_alive off



acl red src 192.168.0.0/24

acl auth proxy_auth REQUIRED



and

http_access allow red auth





But the problem is that Kerberos don’t work. Only NTLM.

cache.log

2018/09/14 06:25:02| negotiate_wrapper: Starting version 1.0.1

2018/09/14 06:25:02| negotiate_wrapper: NTLM command: /usr/bin/ntlm_auth
--diagnostics --helper-protocol=squid-2.5-ntlmssp

2018/09/14 06:25:02| negotiate_wrapper: Kerberos command:
/usr/lib/squid/negotiate_kerberos_auth -d -r -s
HTTP/srv-squid-***@MIRED.LAN
<mailto:HTTP/srv-squid-***@MIRED.LAN>

negotiate_kerberos_auth.cc(487): pid=10816 :2018/09/14 06:25:02|
negotiate_kerberos_auth: INFO: Starting version 3.1.0sq

negotiate_kerberos_auth.cc(546): pid=10816 :2018/09/14 06:25:02|
negotiate_kerberos_auth: INFO: Setting keytab to /etc/squid/proxy.keytab

negotiate_kerberos_auth.cc(570): pid=10816 :2018/09/14 06:25:02|
negotiate_kerberos_auth: INFO: Changed keytab to
MEMORY:negotiate_kerberos_auth_10816

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgonigQb5TAh6RigAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIALqX2txRTNQBAAAAAA==

'

2018/09/14 13:39:18.197 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgonigQb5TAh6RigAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIALqX2txRTNQBAAAAAA=
='

2018/09/14 13:39:18.197 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgonigQb5TAh6RigAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIALqX2txRTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgonig5b0rgxfAqwAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAD5e29xRTNQBAAAAAA==

'

2018/09/14 13:39:18.202 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgonig5b0rgxfAqwAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAD5e29xRTNQBAAAAAA=
='

2018/09/14 13:39:18.202 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgonig5b0rgxfAqwAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAD5e29xRTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgoni/IpqOarkGm0AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAF7Y3NxRTNQBAAAAAA==

'

2018/09/14 13:39:18.212 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgoni/IpqOarkGm0AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAF7Y3NxRTNQBAAAAAA=
='

2018/09/14 13:39:18.212 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgoni/IpqOarkGm0AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAF7Y3NxRTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgoniE4M9MFIcoxQAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAIoG3dxRTNQBAAAAAA==

'

2018/09/14 13:39:18.213 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgoniE4M9MFIcoxQAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAIoG3dxRTNQBAAAAAA=
='

2018/09/14 13:39:18.213 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgoniE4M9MFIcoxQAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAIoG3dxRTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgoniyKjYPBGi9DAAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIADpT4NxRTNQBAAAAAA==

'

2018/09/14 13:39:18.234 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgoniyKjYPBGi9DAAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIADpT4NxRTNQBAAAAAA=
='

2018/09/14 13:39:18.235 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgoniyKjYPBGi9DAAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIADpT4NxRTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPTClxtLRmctSfR7SLfnA2O0UATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD6IIRx8JJe
sRgbGAVoQxrwAQEAAAAAAABe2NzcUUzUATZJB+HrulrgAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIAF7Y3NxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAyh1ssj6oWg4B+eQjlqv2aA=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPTClxtLRmctSfR7SLfnA2O0UATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD6IIRx8JJ
esRgbGAVoQxrwAQEAAAAAAABe2NzcUUzUATZJB+HrulrgAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIAF7Y3NxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAyh1ssj6oWg4B+eQjlqv2aA=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall

'

2018/09/14 13:39:18.297 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall

2018/09/14 13:39:18.297 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'

2018/09/14 13:39:18.297 kid1| 29,2| User.cc(227) addIp: user 'crystall' has
been seen at a new IP address (192.168.0.2:53116)

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPNdmk9QQok2ZtAJi07Aft0EUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIdVVkN6Ul
IPyfEZl+tFbZAQEAAAAAAAA6U+DcUUzUAbDPblk1F39AAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIADpT4NxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAASlVupH80E90xsICozM0MDw=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPNdmk9QQok2ZtAJi07Aft0EUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIdVVkN6U
lIPyfEZl+tFbZAQEAAAAAAAA6U+DcUUzUAbDPblk1F39AAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIADpT4NxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAASlVupH80E90xsICozM0MDw=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPktrvZwcp20ZMz2vUT1MqrEUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC/ktNdTT5c
V4Jw+7d4icVSAQEAAAAAAAA+XtvcUUzUAQvLOUptjrxtAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIAD5e29xRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAC9hZLo1JeXWlUlkutHco2Q=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPktrvZwcp20ZMz2vUT1MqrEUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC/ktNdTT5
cV4Jw+7d4icVSAQEAAAAAAAA+XtvcUUzUAQvLOUptjrxtAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIAD5e29xRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAC9hZLo1JeXWlUlkutHco2Q=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPcvqx2ByNCA8nHjzEmlCuRkUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAV9wKDCHbA
PUCj0iTVPM9cAQEAAAAAAACKBt3cUUzUAQ3p911SxBpmAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIAIoG3dxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAWt0nSXk+Ix4DbAvzOrubNA=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPcvqx2ByNCA8nHjzEmlCuRkUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAV9wKDCHb
APUCj0iTVPM9cAQEAAAAAAACKBt3cUUzUAQ3p911SxBpmAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIAIoG3dxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAWt0nSXk+Ix4DbAvzOrubNA=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPsug30D9/WWwwJJE0C5LgOUUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABB9ekE7/+
TbqkYU6Gx64qAQEAAAAAAAC6l9rcUUzUAS71gyhoa7SHAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIALqX2txRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAA/6MII/C9uGEWH4s9EE+W/g=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPsug30D9/WWwwJJE0C5LgOUUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABB9ekE7/
+TbqkYU6Gx64qAQEAAAAAAAC6l9rcUUzUAS71gyhoa7SHAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIALqX2txRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAA/6MII/C9uGEWH4s9EE+W/g=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall

'

2018/09/14 13:39:18.326 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall

2018/09/14 13:39:18.326 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall

'

2018/09/14 13:39:18.331 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall

2018/09/14 13:39:18.331 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall

'

2018/09/14 13:39:18.335 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall

2018/09/14 13:39:18.335 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall

'

2018/09/14 13:39:18.340 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall

2018/09/14 13:39:18.340 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'

2018/09/14 13:39:18.340 kid1| ICP is disabled! Cannot send ICP request to
peer.

2018/09/14 13:39:18.340 kid1| ICP is disabled! Cannot send ICP request to
peer.

2018/09/14 13:39:18.779 kid1| 29,4| UserRequest.cc(294) authenticate: No
Proxy-Auth header and no working alternative. Requesting auth header.

2018/09/14 13:39:18.782 kid1| 29,4| UserRequest.cc(354) authenticate: No
connection authentication type

2018/09/14 13:39:18| negotiate_wrapper: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAKs/AAAADw==' from squid
(length: 59).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAKs/AAAADw==' (decoded length:
42).

2018/09/14 13:39:18| negotiate_wrapper: received type 1 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgoni6re6l3Xwbr4AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIANJNNN1RTNQBAAAAAA==

'

2018/09/14 13:39:18.785 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgoni6re6l3Xwbr4AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIANJNNN1RTNQBAAAAAA=
='

2018/09/14 13:39:18.785 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgoni6re6l3Xwbr4AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIANJNNN1RTNQBAAAAAA=
='!

2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPZToO29GZi9mTSaZo7kC+uEUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADMCXZljnEc
JGfczvMrEXsbAQEAAAAAAADSTTTdUUzUATkI4mevwzXdAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIANJNNN1RTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAxTDFbTI2R1oQS5sjProTRQ=='
from squid (length: 683).

2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPZToO29GZi9mTSaZo7kC+uEUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADMCXZljnE
cJGfczvMrEXsbAQEAAAAAAADSTTTdUUzUATkI4mevwzXdAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIANJNNN1RTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAxTDFbTI2R1oQS5sjProTRQ=='
(decoded length: 510).

2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token

2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall





Access.log

1536946843.113 66541 192.168.0.2 TCP_TUNNEL/200 3806 CONNECT
www.facebook.com:443 <http://www.facebook.com:443> crystall
FIRSTUP_PARENT/PARENT_PROXY_IP



The question is, that only NTLM works, I've tried with Internet Explorer,
Google Chrome and Firefox. The other thing is that he never asks for
username and password, he uses the user credentials that he initiates
session to work (I do not know if this is the correct operation).

What could be happening?





Sorry for the long email.





Gretting Yanier

Continue reading on narkive:
Search results for '[squid-users] Problem with kerb/ntlm authentication' (Questions and Answers)
5
replies
Why does outlook 2007 keep asking for a password when connected to exchange?
started 2010-08-30 23:34:44 UTC
computer networking
Loading...