Did you set the environment variable KRB5_KTNAME correctly to
FILE:/etc/squid/HTTP.keytab in the squid startup file? Does the squid
process have read permissions on the keytab?
Can you run squid_kerb_auth with a single child and use strace against it to check
for any file access errors (for example, on the keytab)?
Markus
"Andrew M Stemen" <andrew@xxxxxxxxxxxxxxxxx> wrote in message
news:1259081966.2255.1346836135@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm working on a new squid installation, where squid users need to be
authenticated against Active Directory via Kerberos. I've read several
configuration examples and I can't remember how many how-to guides, but
I must be overlooking something simple.
I'm running squid 3.0STABLE18 on CentOS 5.4 in a Hyper-V environment.
The KDC/AD server is Windows 2008 R2 (we have many 08R2 servers, and one
2003). I've tried IE8 and Firefox on Windows XP Pro, and IE8 on Server
2008, as clients.
Problem: Whenever trying to use the proxy, the browser prompts the user
for authentication three times, and then returns an "ERROR: Cache Access
Denied." message. The following appears in cache.log:
2009/11/24 11:34:04| squid_kerb_auth: Got '[...block stripped by
AMS...]' from squid (length: 2195).
2009/11/24 11:34:04| squid_kerb_auth: gss_accept_sec_context() failed:
Unspecified GSS failure. Minor code may provide more information.
Unknown code krb5 236
==========================================
Begin krb5.conf
==========================================
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = CORE.CO.FAIRFIELD.OH.US
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
# permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
[realms]
CORE.CO.FAIRFIELD.OH.US = {
kdc = 10.10.0.17:88
admin_server = 10.10.0.17:749
default_domain = core.co.fairfield.oh.us
}
[domain_realm]
.core.co.fairfield.oh.us = CORE.CO.FAIRFIELD.OH.US
core.co.fairfield.oh.us = CORE.CO.FAIRFIELD.OH.US
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
==========================================
Begin squid.conf
==========================================
http_port 3128
auth_param negotiate program /opt/squid-3.0/sbin/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
#acl all src all
acl AUTHENTICATED proxy_auth REQUIRED
acl localnet src 172.17.3.0/24
#http_access allow localnet
http_access allow AUTHENTICATED
#http_access allow all
cache_dir ufs /var/cache/squid-3.0 100 16 256
access_log /var/log/squid-3.0/access.log squid
cache_log /var/log/squid-3.0/cache.log
cache_store_log /var/log/squid-3.0/store.log
pid_filename /var/run/squid-3.0.pid
cache_effective_user squid
cache_effective_group squid
coredump_dir /var/cache/squid-3.0
==========================================
Begin kinit
==========================================
[root@ddoc-svr-ix01 ~]# kinit -V -k -t /etc/squid/HTTP.keytab
HTTP/ddoc-svr-ix01.core.co.fairfield.oh.us
Authenticated to Kerberos v5
[root@ddoc-svr-ix01 ~]#
==========================================
End Examples
==========================================
So.... I'm lost. Does anyone have any suggestions as to what I might be
overlooking or doing incorrectly?
Thanks!
---
Andrew Michael Stemen
andrew@xxxxxxxxxxxxxxxxx