[squid-users] Re: Re: Negotiate on 3.2.1

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 18 Aug 2012 20:58:21 +0100

Hi Paul,

   An account reset means the password or key of this account changes and
the extracted key in the keytab will get out of sync. So don't reset the
account in AD, but only auto-update from msktutil. Also don't share a samba
account with squid as samba daemons also reset the account from time to time.
Unfortunately user@DOMAIN is the Kerberos format and NTDOMAIN\user the
NetBIOS format and there is no obvious 1-2-1 mapping between both.

Markus

"Paul Carew" <beavatronix_at_gmail.com> wrote in message
news:CAPHJSn16A-QCu2wmsaQUEFN89RxhJTBx-xwSyRUByzvDW3AoyA_at_mail.gmail.com...
> Hi Markus
>
> Thanks for responding. The squid effective user can read the keytab
> and I've got the export line in the squid init script. If I check
> /proc/<pid>/environ for the main squid process I can see KRB5_KTNAME
> is set correctly. DNS hostname is proxy01.domain.local but
> --computer-name used in msktutil is proxy01-h.
>
> I have been playing with it since I wrote the original email and as
> long as I don't "Reset Account" for the proxy01-h computer account in
> AD everything works, msktutil --auto-update correctly checks the age of
> the password on the computer account and negotiate authentication
> works in Squid.
>
> ...as an aside, we use a commercial product to monitor internet access
> which operates off of the url_rewrite_program directive.
> Unfortunately, it expects the authenticated user to be returned in the
> format "DOMAIN\Username" whereas negotiate_kerb_auth returns
> "Username@DOMAIN". Is there any way to alter the format of the
> returned username?
>
> Thanks again
>
> Paul
>
>
> On 18 August 2012 13:30, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>> Hi Paul,
>>
>> Does squid running user have read access to the keytab ? Did you use
>> export KRB5_KTNAME to point to the keytab in the startup script ? What
>> is
>> the hostname of your squid host ? Did you get a minor code message ?
>>
>> Check also my page for some further hints
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>
>> Markus
>>
>>
>> "Paul Carew" <beavatronix_at_gmail.com> wrote in message
>> news:CAPHJSn3cN0uj3fsM1mD0iKkS4CTavBHQMu7ya=W8OJsp_twuGg_at_mail.gmail.com...
>>
>>> Hi!
>>>
>>> I'm following the guide here
>>>
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>>> ...to get Negotiate authentication working with Squid 3.2.1. NTLM
>>> works fine but I when using Negotiate I am getting this in my
>>> cache.log...
>>>
>>> 2012/08/17 17:31:01 kid1| ERROR: Negotiate Authentication validating
>>> user. Error returned 'BH gss_accept_sec_context() failed: Unspecified
>>> GSS failure. Minor code may provide more information. '
>>>
>>> "kinit -V -kt /etc/squid/HTTP.keytab HTTP/proxy01.domain.local"
>>> produces...
>>>
>>> Using default cache: /tmp/krb5cc_0
>>> Using principal: HTTP/proxy01.domain.local@DOMAIN.LOCAL
>>> Using keytab: /etc/squid/HTTP.keytab
>>> kinit: Preauthentication failed while getting initial credentials
>>>
>>> "klist -ekt /etc/squid/HTTP.keytab" produces...
>>>
>>> Keytab name: WRFILE:/etc/squid/HTTP.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>    2 08/17/12 17:18:03 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
>>>    2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>>    2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>>    2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
>>>    2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>>    2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>>    3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
>>>    3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>>    2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
>>>    3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>>    2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>>    2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>>
>>> auth_params are...
>>>
>>> auth_param negotiate program /usr/lib/squid/negotiate_kerb_auth
>>> auth_param negotiate children 30 startup=10 idle=5
>>> auth_param negotiate keep_alive on
>>>
>>> Can anyone help? I'm guessing I've not done something rather important?
>>>
>>> Thank you.
>>>
>>> Paul
>>>
>>
>>
>
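The failure mode Markus describes (an AD "Reset Account" bumps the key version on the KDC while the keytab still holds the old KVNO) can be checked mechanically before touching Squid. The script below is an added example, not code from the thread, Squid or msktutil: it parses the `klist -ekt` listing quoted above (rejoined into single lines and embedded as constructed input) together with a constructed sample of what MIT Kerberos' `kvno` utility prints for a principal (`principal: kvno = N`; the value 4 for the HTTP principal is hypothetical, chosen to show what a reset looks like), and reports, per principal, whether the newest key in the keytab matches the KDC's current version.

```python
import re
from collections import defaultdict

# Constructed sample: the `klist -ekt /etc/squid/HTTP.keytab` listing from the
# thread, with the archive's wrapped lines rejoined.
KLIST_OUTPUT = """Keytab name: WRFILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/17/12 17:18:03 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
   2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
"""

# Constructed sample of `kvno <principal>` output (MIT format "principal: kvno = N").
# The HTTP principal's version 4 is hypothetical: it models the KDC having moved
# on after an AD account reset, while the keytab above still only has KVNO 2.
KVNO_OUTPUT = """HTTP/proxy01.domain.local@DOMAIN.LOCAL: kvno = 4
proxy01-h$@DOMAIN.LOCAL: kvno = 3
"""

# One keytab row: KVNO, date, time, principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")
KVNO_RE = re.compile(r"^(\S+): kvno = (\d+)\s*$")


def parse_keytab_listing(text):
    """Return {principal: {kvno: set(enctypes)}} from `klist -ekt` output."""
    table = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
            table[principal][kvno].add(enctype)
    return table


def parse_kvno_output(text):
    """Return {principal: kvno} from one or more `kvno` result lines."""
    versions = {}
    for line in text.splitlines():
        m = KVNO_RE.match(line)
        if m:
            versions[m.group(1)] = int(m.group(2))
    return versions


def audit_keytab(keytab, kdc_versions):
    """Compare the newest KVNO per principal in the keytab with the KDC's view.

    Returns {principal: (status, newest_keytab_kvno, kdc_kvno)} where status is
    "ok" (versions agree), "stale" (KDC has a different version: the keytab key
    will no longer decrypt service tickets, which is the gss_accept_sec_context()
    failure seen in cache.log) or "unknown" (no KDC answer supplied).
    """
    report = {}
    for principal, versions in keytab.items():
        newest = max(versions)
        kdc = kdc_versions.get(principal)
        if kdc is None:
            status = "unknown"
        elif kdc == newest:
            status = "ok"
        else:
            status = "stale"
        report[principal] = (status, newest, kdc)
    return report


if __name__ == "__main__":
    report = audit_keytab(parse_keytab_listing(KLIST_OUTPUT),
                          parse_kvno_output(KVNO_OUTPUT))
    for principal, (status, newest, kdc) in sorted(report.items()):
        print(f"{status:8} keytab={newest} kdc={kdc}  {principal}")
```

In practice the `kvno` query needs a ticket-granting ticket obtained with some other credential (a user login), because, as Paul's `kinit -kt` output shows, the stale keytab itself can no longer authenticate. A "stale" line is the cue to rerun `msktutil --auto-update` rather than to reset the account again; the two KVNOs present for the machine account in the listing above are what a successful auto-update looks like, since the old keys are kept alongside the new ones.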
Received on Sat Aug 18 2012 - 19:58:40 MDT

This archive was generated by hypermail 2.2.0 : Sun Aug 19 2012 - 12:00:03 MDT