I have done the following:

1. Created a key on the KDC with the following command:

    ktpass -princ HTTP/squidtest.hdq.xyz.com@xxxxxxxxxxx -pass password -mapuser squidtest -out c:\temp\squidtest.HTTP.keytab

2. Set up the /etc/krb5.conf for our domain and realm.

3. I then copied the key to the Linux box, set the permissions so it is read only by squid, and ran the ktutil command:

    ktutil: rkt /opt/squid/etc/squidtest.HTTP.keytab
    ktutil: wkt /etc/krb5.keytab
    ktutil: q

4. I ran the kinit command and it did not seem to error:

    kinit -k -t /opt/squid/etc/squidtest.HTTP.keytab HTTP/squidtest.hdq.xyz.com

5. Output from klist is as follows:

    klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: HTTP/squidtest.hdq.xyz.com@xxxxxxxxxxx

    Valid starting     Expires            Service principal
    07/11/08 19:08:55  07/12/08 05:08:55  krbtgt/HDQ.XYZ.COM@xxxxxxxxxxx
            renew until 07/12/08 05:08:55

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

6. I created a token with the squid_kerb_auth_test.c program and authenticated with it:

    [root@squidtest tmp]# /opt/squid/libexec/squid_kerb_auth -d -i -s HTTP/squidtest.hdq.xyz.com </tmp/kir1864.token
    2008/07/11 19:13:31| squid_kerb_auth: Got 'YR YIIP1QYJKoZIhvcSAQICAQBugg/EMIIPwKADAgEFoQMCAQ6iBwMFAAAAAACjgg74YYI.............................................................................................................................................pfdL/itMByBZYZshBJQgRViHFQgCsPdrJGRE4ePTRwS25ejLg==' from squid (length: 5415).
    AF AA== kir1864@xxxxxxxxxxx
    2008/07/11 19:13:31| squid_kerb_auth: AF AA== kir1864@xxxxxxxxxxx
    2008/07/11 19:13:31| squid_kerb_auth: User kir1864@xxxxxxxxxxx authenticated

7. I recompiled squid_kerb_auth with -DHAVE_SPNEGO:

    gcc -o squid_kerb_auth -DHAVE_SPNEGO -D__LITTLE_ENDIAN__ -Ispnegohelp squid_kerb_auth.c base64.c spnegohelp/derparse.c spnegohelp/spnego.c spnegohelp/spnegohelp.c spnegohelp/spnegoparse.c -lgssapi_krb5 -lkrb5 -lcom_err

8. Added this to my squid startup script and restarted squid. Note that I also have the auth_param lines below in my squid.conf:

    /etc/init.d/squid:export KRB5_KTNAME=FILE:/opt/squid/etc/squidtest.HTTP.keytab
    /etc/squid.conf:auth_param negotiate program /opt/squid/libexec/squid_kerb_auth -d 9
    /etc/squid.conf:auth_param negotiate children 1
    /etc/squid.conf:auth_param negotiate keep_alive on

9. When I authenticate with IE 6, it goes to basic authentication, even with "Enable Integrated Windows Authentication" checked. I think I found that there is no way to do proxy Kerberos authentication with IE 6; if someone knows differently, let me know how. With IE 7 I do get the following in the cache.log:

    2008/07/11 17:55:12| squid_kerb_auth: Got 'YR YIIQHwYGKwYBBQUCoIIQEzCCEA+gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKK..............................................................................................................................................bfhfphT7/Qu6CVQNdsKIK5Neq/ULSjfWmDdhxag4ZFDH6/V9/EJnNoNS/BQPwIqEgyzK5+nkg' from squid (length: 5511).
    2008/07/11 17:55:12| squid_kerb_auth: gss_accept_sec_context() failed: A token was invalid. Mechanism is incorrect

Can anyone help with this problem?

Thank you,
Brian Kirk
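
An added diagnostic example (not part of the original message and not code from the squid_kerb_auth project): it reads the GSS-API mechanism OID from the leading characters of a base64 Negotiate token, so the two tokens quoted in the message above can be compared. It also recognises an NTLM token, which goes beyond the two cases in the message. The function names are hypothetical; the OID table holds well-known values.

```python
import base64

MECHS = {  # well-known GSS-API mechanism OIDs, not taken from the message
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos 5",
}

def der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def oid_to_str(body):
    """Convert DER OID content octets to dotted notation."""
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends one sub-identifier
            subids.append(value)
            value = 0
    if not subids or body[-1] & 0x80:
        raise ValueError("truncated OID")
    x = min(subids[0] // 40, 2)   # first octet packs the first two arcs
    return ".".join(map(str, [x, subids[0] - 40 * x] + subids[1:]))

def identify_token(b64_prefix):
    """Return (oid, name) for the leading characters of a base64 token."""
    # Decode whole 4-character base64 groups only, so a cut-off prefix works.
    raw = base64.b64decode(b64_prefix[:len(b64_prefix) // 4 * 4])
    if raw.startswith(b"NTLMSSP\x00"):
        return None, "NTLM (no GSS-API framing)"
    if len(raw) < 4 or raw[0] != 0x60:
        raise ValueError("not a GSS-API initial context token")
    _, pos = der_length(raw, 1)   # outer length; the body may be cut off
    if pos + 1 >= len(raw) or raw[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    oid_len, pos = der_length(raw, pos + 1)
    if pos + oid_len > len(raw):
        raise ValueError("prefix too short to hold the OID")
    oid = oid_to_str(raw[pos:pos + oid_len])
    return oid, MECHS.get(oid, "unknown mechanism")

# Leading characters of the two tokens quoted in the message above.
TEST_PROGRAM_TOKEN = "YIIP1QYJKoZIhvcSAQICAQBu"
IE7_TOKEN = "YIIQHwYGKwYBBQUCoIIQEzCC"
```

Calling `identify_token` on the two prefixes shows that the token from squid_kerb_auth_test.c declares the Kerberos 5 mechanism directly, while the IE 7 token declares SPNEGO.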