Re: [squid-users] Re: Negotiate on 3.2.1

From: Paul Carew <beavatronix@gmail.com>
Date: Sat, 18 Aug 2012 14:24:32 +0100

Hi Markus

Thanks for responding. The squid effective user can read the keytab
and I've got the export line in the squid init script. If I check
/proc/<pid>/environ for the main squid process I can see KRB5_KTNAME
is set correctly. DNS hostname is proxy01.domain.local but
--computer-name used in msktutil is proxy01-h.

I have been playing with it since I wrote the original email and as
long as I don't "Reset Account" for the proxy01-h computer account in
AD everything works, msktutil --auto-update correctly checks the age of
the password on the computer account and negotiate authentication
works in Squid.

...as an aside, we use a commercial product to monitor internet access
which operates off of the url_rewrite_program directive.
Unfortunately, it expects the authenticated user to be returned in the
format "DOMAIN\Username" whereas negotiate_kerb_auth returns
"Username@DOMAIN". Is there any way to alter the format of the
returned username?

Thanks again

Paul

On 18 August 2012 13:30, Markus Moeller <huaraz@moeller.plus.com> wrote:
> Hi Paul,
>
> Does squid running user have read access to the keytab ? Did you use
> export KRB5_KTNAME to point to the keytab in the startup script ? What is
> the hostname of your squid host ? Did you get a minor code message ?
>
> Check also my page for some further hints
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
> Markus
>
>
> "Paul Carew" <beavatronix@gmail.com> wrote in message
> news:CAPHJSn3cN0uj3fsM1mD0iKkS4CTavBHQMu7ya=W8OJsp_twuGg@mail.gmail.com...
>
>> Hi!
>>
>> I'm following the guide here
>>
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>> ...to get Negotiate authentication working with Squid 3.2.1. NTLM
>> works fine, but when using Negotiate I am getting this in my
>> cache.log...
>>
>> 2012/08/17 17:31:01 kid1| ERROR: Negotiate Authentication validating
>> user. Error returned 'BH gss_accept_sec_context() failed: Unspecified
>> GSS failure. Minor code may provide more information. '
>>
>> "kinit -V -kt /etc/squid/HTTP.keytab HTTP/proxy01.domain.local"
>> produces...
>>
>> Using default cache: /tmp/krb5cc_0
>> Using principal: HTTP/proxy01.domain.local@DOMAIN.LOCAL
>> Using keytab: /etc/squid/HTTP.keytab
>> kinit: Preauthentication failed while getting initial credentials
>>
>> "klist -ekt /etc/squid/HTTP.keytab" produces...
>>
>> Keytab name: WRFILE:/etc/squid/HTTP.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    2 08/17/12 17:18:03 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
>>    2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>    2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>    2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
>>    2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>    2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>    3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
>>    3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>    2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
>>    3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>    2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>    2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>
>> auth_params are...
>>
>> auth_param negotiate program /usr/lib/squid/negotiate_kerb_auth
>> auth_param negotiate children 30 startup=10 idle=5
>> auth_param negotiate keep_alive on
>>
>> Can anyone help? I'm guessing I've not done something rather important?
>>
>> Thank you.
>>
>> Paul
>>
>
>
Received on Sat Aug 18 2012 - 13:24:42 MDT
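An offline check script for the things Markus asks about and Paul answers above (is the keytab readable by the squid effective user, is KRB5_KTNAME present in the running process's environment, does the keytab contain the HTTP/ service principal, and is its key version the same as the computer account's). This is an added example, not code from the thread or from Squid or msktutil. It reads klist -ekt output and /proc/<pid>/environ from files so it can run on constructed samples; the sample listing is constructed to resemble the one quoted in the thread, where the account's own entries sit at KVNO 3 while the HTTP/ entries are still at KVNO 2, the kind of mismatch you see when the computer account password was reset in AD and the service entries in the keytab were not regenerated. The --live mode assumes the squid effective user is named "proxy" and that pidof, hostname -f and hostname -d are available; adjust those for your host.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid/msktutil. Turns the questions
# asked in the thread into checks that read from files, so they run against the
# constructed samples below as well as against a live host (--live).

# keytab_kvno <klist -ekt output file> <principal>
# Prints the highest KVNO present for the principal, or returns 1 if it is absent.
# klist -ekt lines look like: "2 08/17/12 17:18:04 HTTP/host@REALM (aes256-cts-hmac-sha1-96)"
keytab_kvno() {
    k_max=$(awk -v p="$2" '
        BEGIN { max = -1 }
        $1 ~ /^[0-9]+$/ && $4 == p { if ($1 + 0 > max) max = $1 + 0 }
        END { if (max < 0) exit 1; print max }' "$1") || return 1
    printf '%s\n' "$k_max"
}

# kvno_in_sync <klist file> <principal A> <principal B>
# Succeeds only when both principals are present at the same key version. After an AD
# "Reset Account" the account's own entries get a new KVNO; HTTP/ entries left at the old
# KVNO cannot decrypt the service tickets the KDC now issues, and gss_accept_sec_context()
# fails with the "Unspecified GSS failure" seen in cache.log.
kvno_in_sync() {
    k_a=$(keytab_kvno "$1" "$2") || return 1
    k_b=$(keytab_kvno "$1" "$3") || return 1
    [ "$k_a" -eq "$k_b" ]
}

# environ_ktname </proc/<pid>/environ file>
# Prints the KRB5_KTNAME value (possibly with a FILE: or WRFILE: prefix) or returns 1 if unset.
environ_ktname() {
    e_val=$(tr '\0' '\n' < "$1" | sed -n 's/^KRB5_KTNAME=//p' | head -n 1)
    [ -n "$e_val" ] || return 1
    printf '%s\n' "$e_val"
}

# keytab_readable_by <path> <user>: needs root; tests readability as the squid effective user.
keytab_readable_by() {
    su -s /bin/sh -c "test -r '$1'" "$2"
}

# Constructed samples shaped like the listing quoted in the thread (no real keys or hosts).
SAMPLE_KLIST=$(mktemp)
cat > "$SAMPLE_KLIST" <<'EOF'
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/17/12 17:18:03 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
EOF
SAMPLE_ENVIRON=$(mktemp)
printf 'PATH=/usr/sbin:/usr/bin\0KRB5_KTNAME=/etc/squid/HTTP.keytab\0LANG=C\0' > "$SAMPLE_ENVIRON"

# Live run on a squid host: sh this-script --live
# Assumptions: squid effective user "proxy"; pidof, hostname -f and hostname -d available.
if [ "${1:-}" = "--live" ]; then
    pid=$(pidof squid | cut -d' ' -f1)
    kt=$(environ_ktname "/proc/$pid/environ") || { echo "KRB5_KTNAME not set for pid $pid"; exit 1; }
    kt=${kt#FILE:}; kt=${kt#WRFILE:}
    keytab_readable_by "$kt" proxy || echo "keytab $kt is not readable by the squid user"
    klist -ekt "$kt" > "$SAMPLE_KLIST"
    spn="HTTP/$(hostname -f)@$(hostname -d | tr a-z A-Z)"
    keytab_kvno "$SAMPLE_KLIST" "$spn" >/dev/null || echo "$spn is missing from $kt"
    acct="$(hostname -s | tr a-z A-Z)\$@$(hostname -d | tr a-z A-Z)"
    kvno_in_sync "$SAMPLE_KLIST" "$acct" "$spn" || echo "KVNO of $spn differs from $acct: regenerate the keytab"
fi
```

The account principal in the live section is built from the short hostname, which matches only when the computer account name equals the host name; in the thread the account is proxy01-h while the host is proxy01, so in that setup pass the account name explicitly.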
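For the username-format question (a url_rewrite_program that expects DOMAIN\Username while negotiate_kerb_auth gives Squid Username@REALM), one option that leaves the auth helper alone is a thin wrapper in front of the rewrite helper that rewrites the user field of each request line and passes everything else through. This is an added example, not from the thread or from Squid. It assumes the Squid 3.2 url_rewrite input line shape "[channel-ID] URL client_ip/fqdn user method [kv-pairs]" with the user delivered as plain text, and a constructed realm-to-NetBIOS table (DOMAIN.LOCAL to DOMAIN is an assumption: the NetBIOS name is not always the first DNS label, so take it from your AD). A user from an unmapped realm is passed on as "-" (unauthenticated) rather than as a guessed short name, so two realms can never collapse onto the same account name in the monitoring product.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid. Wraps a url_rewrite_program so the
# user field arrives as NBDOMAIN\user instead of user@REALM.

# realm_to_netbios <REALM>: explicit, constructed table. An unknown realm fails (return 1)
# on purpose: guessing a short name could let users from two realms collide downstream.
realm_to_netbios() {
    case "$1" in
        DOMAIN.LOCAL) printf '%s\n' 'DOMAIN' ;;   # assumption for this example
        *) return 1 ;;
    esac
}

# map_user <user@REALM>: prints NBDOMAIN\user; passes "-" and realm-less names through.
map_user() {
    case "$1" in
        *@*) m_user=${1%@*}; m_realm=${1##*@} ;;
        *)   printf '%s\n' "$1"; return 0 ;;
    esac
    m_nb=$(realm_to_netbios "$m_realm") || return 1
    printf '%s\\%s\n' "$m_nb" "$m_user"
}

# rewrite_line <helper input line>
# Assumed Squid 3.2 shape: "[channel-ID] URL client_ip/fqdn user method [kv-pairs...]".
# The channel-ID appears only with url_rewrite_children ... concurrency=N; it is all digits,
# which a URL never is, so its presence decides whether the user is field 3 or 4.
rewrite_line() {
    set -f                 # no globbing while the line is split into fields
    set -- $1
    set +f
    case "$1" in
        *[!0-9]*|'') r_user_pos=3 ;;
        *)           r_user_pos=4 ;;
    esac
    r_i=0; r_out=
    for r_f in "$@"; do
        r_i=$((r_i + 1))
        if [ "$r_i" -eq "$r_user_pos" ]; then
            r_f=$(map_user "$r_f") || r_f='-'   # fail closed on an unmapped realm
        fi
        r_out="$r_out${r_out:+ }$r_f"
    done
    printf '%s\n' "$r_out"
}

# Wrapper mode: squid.conf would point url_rewrite_program at this script with the real
# helper (and its arguments) after it, e.g. "url_rewrite_program /usr/local/bin/wrap.sh
# /opt/monitor/helper" (assumed paths). Helper replies on stdout pass through untouched.
if [ $# -gt 0 ]; then
    while IFS= read -r line; do
        rewrite_line "$line"
    done | "$@"
fi
```

Because the wrapper sits between Squid and the helper, the helper's "OK"/"ERR" or rewritten-URL replies are still read by Squid directly; only the request lines are touched, and a line whose user field cannot be mapped reaches the helper as unauthenticated instead of under a made-up name.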
