I added some comments to the wiki.
Thank you
Markus
"Mrvka Andreas" <mrv@xxxxxx> wrote in message
news:200908251055.04159.mrv@xxxxxxxxx
Hi again,
I've found my error myself.
Using this howto from Guido:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
works great at my site (after defining my environment's hosts, users and passwords)!
The reason it did not work was:
_I used too short a name for the principal or hostname_!!!
First I tried the hostname squid-HTTP as Guido described in his example, and this worked.
Then I wanted to use my hostname squid.domain.com, and this raised an error.
After being completely confused I wrote the hostname as squidproxy.domain.com,
without any expectation of success - but it convinced me.
Squid authentication against Active Directory on Windows 2008 DCs works now!
This must be a bug or something else on the new domain controller, because the
same 'msktutil' command worked on AD 2003.
I hope I could help some other people, and maybe you can insert this caveat in
your Wiki.
Andrew
Am Montag, 24. August 2009 13:55:23 schrieb Mrvka Andreas:
Hi list,
I want to use this brilliant software Squid, but do you know what I'm missing?
I have working AD authentication on my SLES11 system
- kinit -k -t HTTP.keytab HTTP/squid.fqdn.com works
- login via ssh works with pam_krb5
- joining to my domain also worked as a charm
At this stage I believe, I've set up krb5.conf correctly.
So I compiled Squid 3.1.0.13.
configure options:
'--prefix=/usr/local/squid-3.1'
'--enable-auth=basic,ntlm,negotiate'
'--enable-basic-auth-helpers=SMB getpwnam multi-domain-NTLM'
'--enable-ntlm-auth-helpers=smb_lm no_check'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
--with-squid=/install/squid-3.1.0.13
--enable-ltdl-convenience
Next I inserted these lines into squid.conf
auth_param negotiate program squid_kerb_auth -d 99 -s HTTP/squid.fqdn.com
auth_param negotiate children 15
auth_param negotiate keep_alive on
Starting Squid again worked fine, so I didn't get any error at boot time, and
-- ps -ef -- shows me
squid 28944 27915 0 12:51 pts/0 00:00:00 ./squid -N -d 20 -f ../etc/squid.conf
squid 28945 28944 0 12:51 ? 00:00:00 (squid_kerb_auth) -d 99 -s HTTP/squid.fqdn.com
squid 28946 28944 0 12:51 ? 00:00:00 (squid_kerb_auth) -d 99 -s HTTP/squid.fqdn.com
On my Windows PC I configured the proxy, using manual settings, to the FQDN of Squid.
The result is - in cache.log I find
2009/08/24 12:58:13| squid_kerb_auth: Got 'YR YIIFzAYGKwYBBQUCoIIFwDCCBby
... [...]
from squid (length: 1987).
2009/08/24 12:58:13| squid_kerb_auth: Decode 'YIIFzAYGKwYBBQ [...]
(decoded length: 1488)
2009/08/24 13:21:19| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found
2009/08/24 13:21:19| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found'
I created my HTTP.keytab as it was described somewhere:
I logged on to the Windows DC, used ktpass and mapped the service principal to a
Windows user. After that I copied this file to the Linux Squid machine.
I also tried configuring squid.conf to use squid_kerb_auth -s HTTP/squid.fqdn.com@REALM,
but this didn't work either.
I think there is something small missing but I can't figure it out.
Please can anybody help me?
I hope my detailed explanation will also help others configure their systems.
With best regards
Andrew
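The failure in this thread ("Key table entry not found" from gss_accept_sec_context()) means the service principal in the ticket the browser presented, or its kvno/enctype, has no matching entry in the keytab squid_kerb_auth loads; Andreas's fix was to make the proxy name the browser is configured with match the principal in the keytab. The following POSIX shell script is an added example, not code from the thread, the Squid project or the wiki page: it parses MIT `klist -kt` output, checks whether the keytab holds HTTP/<proxy-name>@REALM, and on a mismatch shows which HTTP/ principals the keytab was actually created for. The hostnames squid.domain.com and squidproxy.domain.com, the realm DOMAIN.COM, the keytab path and the sample listing are all hypothetical/constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check that the keytab squid_kerb_auth
# is given really contains the SPN the browser will ask for. All names are
# hypothetical. Assumes MIT Kerberos tools (klist/kinit) for the live check.

# Print the principal names from `klist -kt <keytab>` output passed as $1.
# Entry lines start with a numeric KVNO and end with a principal containing '@'.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $NF ~ /@/ { print $NF }' | sort -u
}

# Succeed (exit 0) only if the exact principal $1 is present in listing $2.
# Principal names are case-sensitive: HTTP/ and http/ are different keys.
keytab_has_spn() {
    keytab_principals "$2" | grep -Fxq -- "$1"
}

# The SPN a client requests for a proxy configured as host $1 in realm $2.
# Browsers typically use the proxy name exactly as configured in their proxy
# settings, so the keytab needs HTTP/<that name>@REALM, not a short form.
expected_spn() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# Report whether the SPN for proxy host $1 / realm $2 exists in listing $3.
# On mismatch, print the HTTP/ principals that ARE present (returns 1).
diagnose() {
    spn=$(expected_spn "$1" "$2")
    if keytab_has_spn "$spn" "$3"; then
        echo "OK: keytab contains $spn"
        return 0
    fi
    echo "MISMATCH: keytab lacks $spn; HTTP/ entries present:"
    keytab_principals "$3" | grep '^HTTP/' | sed 's/^/  /'
    return 1
}

# Constructed sample in the format of MIT `klist -kt HTTP.keytab`
# (hypothetical: keytab made for squidproxy.domain.com, not squid.domain.com).
SAMPLE_KLIST='Keytab name: FILE:HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/25/2009 10:55:04 HTTP/squidproxy.domain.com@DOMAIN.COM
   3 08/25/2009 10:55:04 host/squidproxy.domain.com@DOMAIN.COM'

# Live check against a real keytab ($1), proxy host ($2) and realm ($3):
# list the keytab, compare, then do the same `kinit -k` the poster used,
# which also proves the key material matches what the KDC holds.
live_check() {
    keytab=${1:-/etc/squid/HTTP.keytab}; host=$2; realm=$3
    command -v klist >/dev/null 2>&1 || { echo "klist not found"; return 2; }
    listing=$(klist -kt "$keytab") || return 2
    diagnose "$host" "$realm" "$listing" || return 1
    kinit -k -t "$keytab" "$(expected_spn "$host" "$realm")" && echo "kinit -k OK"
}

# Demonstration on the constructed sample (the thread's failing and working names):
diagnose squid.domain.com      DOMAIN.COM "$SAMPLE_KLIST" || true   # MISMATCH
diagnose squidproxy.domain.com DOMAIN.COM "$SAMPLE_KLIST"           # OK
```

Run `live_check /path/to/HTTP.keytab proxy.fqdn REALM` on the Squid host after copying a keytab from ktpass or msktutil. A passing `kinit -k` only shows the keytab agrees with the KDC for that principal; it does not show the browser asks for that principal, which is why the listing is compared against the name configured in the client's proxy settings rather than against the machine's own hostname.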