Re: squid_kerb_auth on mac os x


BTW, if you download the CVS source from SourceForge at http://squidkerbauth.cvs.sourceforge.net/squidkerbauth you can use ./configure and it should check everything for Mac.

Markus

"Alex Morken" <IT@xxxxxxxxxxxxx> wrote in message news:AF122EC2-1BC7-4D1D-BF61-678C38EBA750@xxxxxxxxxxxxxxxx
Hello,

This is the first time I have posted on this list, so hello to everyone. I have been trying to get squid_kerb_auth to work on Mac OS X 10.4.11 and I cannot seem to figure out the reason it fails.

Here are the options I had set for the configure part of squid:
Squid Cache: Version 2.7.STABLE2
configure options: '--enable-auth=basic negotiate' '--enable-basic-auth-helpers=LDAP' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-esternal-acl-helpers=ldap_group' '--prefix=/usr/local/squid-2.7'

Everything compiles nicely and produces no errors.

I set up and tested my kerberos configuration per below:

Set up a local keytab for squid - HTTP/host.domain.com@xxxxxxxxxx

Tested it by issuing the following command and it worked correctly:

`kinit -k -t /etc/squid/squid.keytab HTTP/host.domain.com@xxxxxxxxx`

Set and exported KRB5_KTNAME pointing to the local keytab. I wrote a bash script that does this and I have also tried to set the environmental variable in the current shell and run it from there. Both work as expected.

I added authentication to squid.conf

auth_param negotiate program /usr/libexec/squid_kerb_auth -d -s HTTP/host.domain.com@xxxxxxxxx

I then started squid and it looks like everything is starting correctly. But it is still not dealing with kerberos correctly.

I downloaded and compiled squid_kerb_auth by hand as I had found someone else on this list that was running into a problem similar to mine. I recompiled squid_kerb_auth with a few different options as mentioned in the thread. They are listed below.

Compiled by hand:
gcc -o squid_kerb_auth -DHAVE_SPNEGO -D__LITTLE_ENDIAN__ -Ispnegohelp squid_kerb_auth.c base64.c spnegohelp/derparse.c spnegohelp/spnego.c spnegohelp/spnegohelp.c spnegohelp/spnegoparse.c -lgssapi_krb5 -lkrb5 -lcom_err

root# ./squid_kerb_auth -d
2008/06/03 13:37:59| squid_kerb_auth: Starting version 1.0.1
username@xxxxxxxxx
2008/06/03 13:38:01| squid_kerb_auth: Got 'username' from squid (length: 15).
2008/06/03 13:38:01| squid_kerb_auth: gss_accept_sec_context() failed: A token was invalid. Token header is malformed or corrupt
BH gss_accept_sec_context() failed: A token was invalid. Token header is malformed or corrupt


Results from just using ./configure and no options specified:
host:/tmp/kerb/squid_kerb_auth root# ./squid_kerb_auth -d -s HTTP/host.domain.com@xxxxxxxxx
2008/06/03 13:47:38| squid_kerb_auth: Starting version 1.0.1
username@xxxxxxxxx
2008/06/03 13:47:39| squid_kerb_auth: Got 'username@xxxxxxxxx' from squid (length: 15).
2008/06/03 13:47:39| squid_kerb_auth: parseNegTokenInit failed with rc=108
2008/06/03 13:47:39| squid_kerb_auth: Token is possibly a GSSAPI token
2008/06/03 13:47:39| squid_kerb_auth: gss_accept_sec_context() failed: A token was invalid. Token header is malformed or corrupt
BH gss_accept_sec_context() failed: A token was invalid. Token header is malformed or corrupt

I have also tried all combinations of -DHAVE_SPNEGO, -D__LITTLE_ENDIAN__ and -D__BIG_ENDIAN__. All have failed in similar ways.

So the obvious questions are: what am I doing wrong? Am I using squid_kerb_auth correctly from the command line (can I use it at all that way)? Is there anywhere I can look for more verbose logs from squid? I have been running squid with -d 9 -N options and it doesn't error to the logs or to the screen in any sort of verbose way (the way I would expect it to work). Any help would be much appreciated and I would be happy to provide any information you request!

Thank you,

Alex Morken
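
Added example (not part of the original posts and not squid_kerb_auth code): Squid's negotiate helper protocol hands each request to the helper as `YR <base64 token>` or `KK <base64 token>`, so a line typed at the helper's prompt can be checked against that form before looking at Kerberos itself. This Python sketch classifies one stdin line by its GSS-API framing and mechanism OID; the function names are hypothetical and the sample tokens are constructed placeholders, not real tickets.

```python
import base64

# DER-encoded mechanism OIDs found at the start of a GSS-API initial token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2


def _after_der_length(buf, pos):
    """Index of the first byte after the DER length field at buf[pos]."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)


def classify_helper_line(line):
    """Say what kind of request one line of helper stdin carries."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2 or parts[0] not in ("YR", "KK"):
        return "not-a-helper-request"
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "not-base64"
    if blob.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if len(blob) < 4 or blob[0] != 0x60:  # 0x60 = [APPLICATION 0] GSS-API framing
        return "unknown-token"
    pos = _after_der_length(blob, 1)
    if blob.startswith(SPNEGO_OID, pos):
        return "spnego"
    if blob.startswith(KRB5_OID, pos):
        return "kerberos-gssapi"
    return "unknown-token"


def sample_request(oid):
    """Constructed request line: GSS-API framing plus an empty placeholder body."""
    body = oid + b"\xa0\x00"
    return "YR " + base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()


if __name__ == "__main__":
    for line in ("username@EXAMPLE.COM",  # constructed: text typed at the prompt
                 sample_request(SPNEGO_OID),
                 sample_request(KRB5_OID)):
        print(classify_helper_line(line), "<-", line)
```

A `kerberos-gssapi` result corresponds to a raw Kerberos token without the SPNEGO wrapper, which is the case the helper's "Token is possibly a GSSAPI token" message refers to.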




