Hi again,

I've found my error myself.

Using this howto from Guido: http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos works great at my site (with defining my environment hosts, users and pass)!

My caveat for not working was: _I used a too short name for the principal or hostname_ !!!

First I tried the hostname squid-HTTP as Guido described in his example and this worked.
Then I wanted to use my hostname: squid.domain.com and this raised an error.
After being completely confused I wrote the hostname like squidproxy.domain.com without any expectation of success - but I got convinced.

Squid authentication against Active Directory on Windows 2008 DCs works now!

This must be a bug or anything else on the new domain controller because the same 'msktutil' command worked on AD 2003.

I hope I could help some other people and maybe you can insert this caveat in your Wiki.

Andrew

On Monday, 24 August 2009 13:55:23, Mrvka Andreas wrote:
> Hi list,
>
> I want to use this brilliant software squid but do you know what I'm missing?
>
> I have working AD authentication on my SLES11 system
> - kinit -k -t HTTP.keytab HTTP/squid.fqdn.com works
> - login via ssh works with pam_krb5
> - joining to my domain also worked as a charm
>
> At this stage I believe, I've set up krb5.conf correctly.
>
> So I compiled Squid 3.1.0.13.
> configure options:
> '--prefix=/usr/local/squid-3.1'
> '--enable-auth=basic,ntlm,negotiate'
> '--enable-basic-auth-helpers=SMB getpwnam multi-domain-NTLM'
> '--enable-ntlm-auth-helpers=smb_lm no_check'
> '--enable-negotiate-auth-helpers=squid_kerb_auth'
> --with-squid=/install/squid-3.1.0.13
> --enable-ltdl-convenience
>
> Next I inserted these lines into squid.conf
> auth_param negotiate program squid_kerb_auth -d 99 -s HTTP/squid.fqdn.com
> auth_param negotiate children 15
> auth_param negotiate keep_alive on
>
>
> Starting squid again worked fine, so I didn't get any error at boot time and
> -- ps -ef -- shows me
>
> squid 28944 27915 0 12:51 pts/0 00:00:00 ./squid -N -d 20 -f ../etc/squid.conf
> squid 28945 28944 0 12:51 ? 00:00:00 (squid_kerb_auth) -d 99 -s HTTP/squid.fqdn.com
> squid 28946 28944 0 12:51 ? 00:00:00 (squid_kerb_auth) -d 99 -s HTTP/squid.fqdn.com
>
>
> On my windows PC I configured proxy using manual setting to the FQDN of squid.
>
> The result is - in cache.log I find
> 2009/08/24 12:58:13| squid_kerb_auth: Got 'YR YIIFzAYGKwYBBQUCoIIFwDCCBby ... [...] from squid (length: 1987).
> 2009/08/24 12:58:13| squid_kerb_auth: Decode 'YIIFzAYGKwYBBQ [...] (decoded length: 1488)
> 2009/08/24 13:21:19| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found
> 2009/08/24 13:21:19| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found'
>
> I created my HTTP.keytab as it was described somewhere.
> Logged on windows DC - used ktpass and mapped the service principal to a windows user. After that I copied this file to linux squid.
>
>
> I also tried to configure in squid.conf to use squid_kerb_auth -s HTTP/squid.fqdn.com@REALM
>
> But this didn't work either.
>
> I think there is something small missing but I can't figure it out.
>
> Please can anybody help me?
> I hope, my detailed explanation will help others too to configure their systems.
>
> With best regards
> Andrew
>
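The "Key table entry not found" failure above comes down to the principal in the keytab not matching the service principal squid_kerb_auth is asked to use. The following added example (not from the thread, Squid or msktutil) parses an MIT-format keytab and reports whether a given `-s` principal has a key; the realm, hostnames and key bytes are constructed for the example.

```python
import struct

# Constructed sample: build an MIT keytab (format 0x0502) in memory so the
# checker can run offline. Realm, hosts and the key bytes are made up.
def build_keytab(principals, realm, kvno=3, enctype=23, key=b"\x11" * 16):
    out = bytearray(b"\x05\x02")
    for princ in principals:
        comps = princ.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        # name_type, timestamp, 8-bit kvno, then the key block
        body += struct.pack(">IIB", 1, 1251114000, kvno)
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body   # each entry is size-prefixed
    return bytes(out)

def keytab_principals(data):
    """Return every principal@REALM stored in a version-2 MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        ncomp, rlen = struct.unpack_from(">HH", entry, p)
        p += 4
        realm = entry[p:p + rlen].decode()
        p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", entry, p)
            p += 2
            comps.append(entry[p:p + clen].decode())
            p += clen
        found.append("/".join(comps) + "@" + realm)
        pos += size
    return found

def check_spn(data, spn):
    """Say whether squid_kerb_auth -s SPN would find a key in this keytab."""
    princs = keytab_principals(data)
    if spn in princs:
        return "ok"
    svc, _, rest = spn.partition("/")
    short = rest.split("@")[0].split(".")[0]    # e.g. 'squid' from squid.domain.com
    near = [p for p in princs if p.startswith(svc + "/") and short in p]
    return "mismatch: keytab has " + ", ".join(near) if near else "missing"
```

Running `check_spn` against the keytab with the principal from squid.conf shows the same kind of name mismatch the thread describes before squid_kerb_auth ever reports the GSS error.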