Hm... I can tell you what I did.
First I tried ktpass too, as you describe.
But nevertheless, to use exactly the same as in the wiki, I finally used msktutil to proceed.
I run a SLES 11 server and had to download the SLES 11 SDK ISO to compile msktutil successfully.

My way was:
- configure /etc/krb5.conf correctly (realm, ad-server, etc.)
- join the AD domain with a user with permissions
- kinit thisADuser@xxxxxxxxxxxx
- ./msktutil -c -s HTTP/squidproxy.mydomain.com -h squidproxy.mydomain.com -k /usr/local/squid-3.1/etc/HTTP.keytab --computer-name squidproxy --upn HTTP/squidproxy.mydomain.com --server DC.mydomain.com --verbose --delegation --description "Proxy Server"
- configure squid.conf to use
  auth_param negotiate path_to_squidkerbauth <no parameters!!>

And it worked.
I never used squid_kerb_auth_test as I didn't know how to use it :-)

Bye
Andrew

On Wednesday, 26 August 2009 12:28:15 you wrote:
> On Wed, Aug 26, 2009 at 11:06 AM, Mrvka Andreas<mrv@xxxxxx> wrote:
> > hi,
> >
> > if you have made the wiki[...]/Kerberos guide through then you are close
> > to the goal.
>
> I hope so anyway :-)
>
> > it seems that your problem is only configuration error on client side.
>
> I am not so sure anymore. I tried to use the squid_kerb_auth_test
> utility, but it still gives me errors on the tokens (see below for
> listings). I may add that I compiled both squid3.0 and squid_kerb_auth
> 1.0.5. I used squid_kerb_auth_test with both squid_kerb_auth from the
> squid_kerb_auth1.0.5 package and the squid3.0 package. I get errors in
> both cases (though not the same, but that may simply be that one is
> older).
>
> I am using a Windows Server 2003 R2 corporate with SP2, in case there
> may be an issue with a SP or something.
>
> Last thing I can think of is the way I created the keytab (but
> kerberos seems to like it this way) :
> ktpass -out squidproxy.krb5.keytab -pass Password1 -princ
> HTTP/squidproxy.ad.simia.fr@xxxxxxxxxxx -mapuser host_squid -ptype
> KRB5_NT_SRV_HST -crypto DES-CBC-MD5 (could have used RC4-HMAC, but I
> had problems before when I put in place unix authentication on
> AD/kerberos).
>
> > since squid_kerb_auth is a MUST to configure the fqdn name of squid in
> > the IE settings.
>
> I did it this way ... :-/
>
> > at my place IE 7, IE 8 and FF 3.5 works great with squid_kerb_auth.
>
> Hope I can make it work also.
>
>
> Thanks,
>
> Jeremy
>
> Squid_kerb_auth_test :
> ############
> squidproxy:~/squid/squid_kerb_auth-1.0.5# kdestroy
> squidproxy:~/squid/squid_kerb_auth-1.0.5# kinit jems@xxxxxxxxxxx
> jems@xxxxxxxxxxx's Password:
> squidproxy:~/squid/squid_kerb_auth-1.0.5#
> /root/squid/squid_kerb_auth-1.0.5/squid_kerb_auth_test
> squidproxy.ad.simia.fr | /usr/local/libexec/squid_kerb_auth -d -s
> HTTP/squidproxy.ad.simia.fr
> 2009/08/26 12:17:10| squid_kerb_auth: Got 'Token:
> [...]' from squid (length: 1699).
> 2009/08/26 12:17:10| squid_kerb_auth: gss_accept_sec_context() failed:
> A token was invalid. unknown mech-code 0 for mech unknown
> NA gss_accept_sec_context() failed: A token was invalid. unknown
> mech-code 0 for mech unknown
> ##############
>
> squid log trying from windows box :
> ##############
> 2009/08/26 12:23:30.633| authenticateValidateUser: Auth_user_request was
> NULL! 2009/08/26 12:23:30.633| authenticateAuthenticate: broken auth or no
> proxy_auth header. Requesting auth header.
> 2009/08/26 12:23:30.941| authenticateAuthenticate: no connection
> authentication type
> 2009/08/26 12:23:30.942| AuthUser::AuthUser: Initialised auth_user
> '0x9b0e640' with refcount '0'.
> 2009/08/26 12:23:30.942| AuthUserRequest::AuthUserRequest: initialised
> request 0x9b12418
> 2009/08/26 12:23:30.954| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.955| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.955| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.956| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.957| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'
> 2009/08/26 12:23:30.957| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.958| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.958| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.959| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.960| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.961| AuthUserRequest::~AuthUserRequest: freeing
> request 0x9b12418
> 2009/08/26 12:23:32.123| authenticateValidateUser: Auth_user_request was
> NULL! 2009/08/26 12:23:32.124| authenticateAuthenticate: broken auth or no
> proxy_auth header. Requesting auth header.
> 2009/08/26 12:23:32.395| authenticateAuthenticate: no connection
> authentication type
> 2009/08/26 12:23:32.395| AuthUser::AuthUser: Initialised auth_user
> '0x9b0e688' with refcount '0'.
> 2009/08/26 12:23:32.396| AuthUserRequest::AuthUserRequest: initialised
> request 0x9b12418
> 2009/08/26 12:23:32.396| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.397| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.397| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.398| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.399| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'
> 2009/08/26 12:23:32.399| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.400| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.400| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.401| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.401| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.403| AuthUserRequest::~AuthUserRequest: freeing
> request 0x9b12418
> ##############
>
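
The quoted squid log reports 'BH received type 1 NTLM token', which means the browser answered the Negotiate challenge with an NTLMSSP message instead of a Kerberos/SPNEGO token. The following is an added example, not part of the original mails: it classifies the base64 token from a `Proxy-Authorization: Negotiate` header so the two cases can be told apart while debugging. The function names and the sample tokens are constructed for illustration.

```python
import base64
import struct

# DER-encoded mechanism OIDs that open a GSS-API initial context token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2

def _der_body_offset(raw, pos):
    """Return the offset just past the DER length field at pos, or None."""
    if pos >= len(raw):
        return None
    first = raw[pos]
    if first < 0x80:                  # short form: one length byte
        return pos + 1
    n = first & 0x7F                  # long form: n further length bytes
    if n == 0 or pos + 1 + n > len(raw):
        return None
    return pos + 1 + n

def classify_negotiate_token(b64_token):
    """Classify the base64 blob that follows 'Negotiate ' in the header."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:                # binascii.Error is a ValueError
        return "invalid-base64"
    if raw.startswith(b"NTLMSSP\x00"):
        if len(raw) < 12:
            return "ntlm-truncated"
        (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type
        return f"ntlm-type-{msg_type}"
    if raw[:1] == b"\x60":            # [APPLICATION 0] GSS-API token
        body = _der_body_offset(raw, 1)
        if body is None:
            return "gss-truncated"
        if raw.startswith(SPNEGO_OID, body):
            return "spnego"
        if raw.startswith(KRB5_OID, body):
            return "kerberos"
        return "gss-unknown-mech"
    return "unknown"

def classify_proxy_authorization(value):
    """Classify a full Proxy-Authorization header value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token.strip():
        return "not-negotiate"
    return classify_negotiate_token(token.strip())

# Constructed samples: token headers only, not real tickets or credentials.
NTLM_TYPE1 = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<II", 1, 0x207)).decode()
SPNEGO = base64.b64encode(bytes.fromhex("600c06062b0601050502a0023000")).decode()
KRB5 = base64.b64encode(bytes.fromhex("600d06092a864886f7120102020100")).decode()
```

A result of `ntlm-type-1` corresponds to the helper's 'received type 1 NTLM token' message; `spnego` or `kerberos` means the client did obtain a service ticket and the problem lies on the proxy side.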