[squid-users] Re: Negotiate on 3.2.1

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 18 Aug 2012 13:30:59 +0100

Hi Paul,

Does the user running squid have read access to the keytab? Did you use
export KRB5_KTNAME to point to the keytab in the startup script? What is
the hostname of your squid host? Did you get a minor code message?

 Check also my page for some further hints
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Markus

"Paul Carew" <beavatronix_at_gmail.com> wrote in message
news:CAPHJSn3cN0uj3fsM1mD0iKkS4CTavBHQMu7ya=W8OJsp_twuGg_at_mail.gmail.com...
> Hi!
>
> I'm following the guide here
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
> ...to get Negotiate authentication working with Squid 3.2.1. NTLM
> works fine but when using Negotiate I am getting this in my
> cache.log...
>
> 2012/08/17 17:31:01 kid1| ERROR: Negotiate Authentication validating
> user. Error returned 'BH gss_accept_sec_context() failed: Unspecified
> GSS failure. Minor code may provide more information. '
>
> "kinit -V -kt /etc/squid/HTTP.keytab HTTP/proxy01.domain.local"
> produces...
>
> Using default cache: /tmp/krb5cc_0
> Using principal: HTTP/proxy01.domain.local@DOMAIN.LOCAL
> Using keytab: /etc/squid/HTTP.keytab
> kinit: Preauthentication failed while getting initial credentials
>
> "klist -ekt /etc/squid/HTTP.keytab" produces...
>
> Keytab name: WRFILE:/etc/squid/HTTP.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    2 08/17/12 17:18:03 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
>    2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
>    2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
>    3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
>    3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>
> auth_params are...
>
> auth_param negotiate program /usr/lib/squid/negotiate_kerb_auth
> auth_param negotiate children 30 startup=10 idle=5
> auth_param negotiate keep_alive on
>
> Can anyone help? I'm guessing I've not done something rather important?
>
> Thank you.
>
> Paul
>
Received on Sat Aug 18 2012 - 12:31:43 MDT
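
The checks asked about in the reply above (keytab readable by the user Squid runs as, KRB5_KTNAME pointing at the keytab, host name matching an HTTP/ entry in the keytab) can be scripted. This is an added example, not part of the original messages and not Squid project code; the account name "squid", the script name and the sample listing are assumptions or constructed values.

```shell
#!/bin/sh
# Added example: pre-flight checks for the keytab used by Squid's Negotiate
# helper. Run as the account Squid runs under, for example:
#   sudo -u squid sh keytab_check.sh /etc/squid/HTTP.keytab
# (the account name "squid" and the script name are assumptions).

# Constructed sample in `klist -kt` layout, for trying has_http_spn offline.
SAMPLE='KVNO Timestamp         Principal
---- ----------------- ------------------------------------
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL'

# Strip an optional FILE:/WRFILE: type prefix from a KRB5_KTNAME value.
ktname_path() {
    case "$1" in
        FILE:*)   printf '%s\n' "${1#FILE:}" ;;
        WRFILE:*) printf '%s\n' "${1#WRFILE:}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# Read `klist -kt` text on stdin; succeed if it lists HTTP/<fqdn>@<REALM>.
has_http_spn() {  # $1 = fully qualified host name (compared case-insensitively)
    awk -v h="$1" '
        $1 ~ /^[0-9]+$/ {                      # entry rows start with the KVNO
            for (i = 2; i <= NF; i++) {
                n = split($i, p, "[/@]")       # service / host @ realm
                if (n == 3 && p[1] == "HTTP" && tolower(p[2]) == tolower(h)) found = 1
            }
        }
        END { exit !found }'
}

# Run all three checks; print one line per check and return the failure count.
preflight() {  # $1 = keytab path, $2 = fqdn (default: hostname -f)
    kt=$1; fqdn=${2:-$(hostname -f)}; fails=0
    if [ -r "$kt" ]; then echo "ok:   $kt is readable by $(id -un)"
    else echo "FAIL: $kt is not readable by $(id -un)"; fails=$((fails + 1)); fi
    if [ "$(ktname_path "${KRB5_KTNAME:-}")" = "$kt" ]; then echo "ok:   KRB5_KTNAME points to $kt"
    else echo "FAIL: KRB5_KTNAME='${KRB5_KTNAME:-}' does not point to $kt"; fails=$((fails + 1)); fi
    if klist -kt "$kt" 2>/dev/null | has_http_spn "$fqdn"; then echo "ok:   keytab has HTTP/$fqdn"
    else echo "FAIL: no HTTP/$fqdn entry in keytab"; fails=$((fails + 1)); fi
    return "$fails"
}

if [ $# -gt 0 ]; then preflight "$@"; fi
```

KRB5_KTNAME is only visible to the check if it is exported in the same environment the Squid startup script uses, so run the script from that environment.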
