Search squid archive

Re: Kerberos / AD Authentication: Unknown code krb5 236

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Did you set the environment variable KRB5_KTNAME correctly to FILE:/etc/squid/HTTP.keytab in the squid statup file ? Does the squid process have read permissions on the keytab ?

Can you squid_kerb_auth with one child and use strace against it to check for any access errors ?

Markus


"Andrew M Stemen" <andrew@xxxxxxxxxxxxxxxxx> wrote in message news:1259081966.2255.1346836135@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm working on a new squid installation, where squid users need to be
authenticated to Active Directory via Kerberos. I've read several
configuration examples and I can't remember how many how-to guides, but
I must be overlooking something simple.

I'm running squid 3.0STABLE18 on CentOS 5.4 in a Hyper-V environment.
The KDC/AD server is Windows 2008 R2 (we have many 08R2 servers, and one
2003). I've tried IE8 and Firefox Windows XP Pro, and IE8 on Server
2008, as clients.

Problem: Whenever trying to use the proxy, the browser prompts the user
for authentication three times, and then returns a "ERROR: Cache Access
Denied." message. The following appears in cache.log:

2009/11/24 11:34:04| squid_kerb_auth: Got '[...block stripped by
AMS...]' from squid (length: 2195).
2009/11/24 11:34:04| squid_kerb_auth: gss_accept_sec_context() failed:
Unspecified GSS failure.  Minor code may provide more information.
Unknown code krb5 236

==========================================
Begin krb5.conf
==========================================

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = CORE.CO.FAIRFIELD.OH.US
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h

default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
# permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac

[realms]
CORE.CO.FAIRFIELD.OH.US = {
 kdc = 10.10.0.17:88
 admin_server = 10.10.0.17:749
 default_domain = core.co.fairfield.oh.us
}

[domain_realm]
.core.co.fairfield.oh.us = CORE.CO.FAIRFIELD.OH.US
core.co.fairfield.oh.us = CORE.CO.FAIRFIELD.OH.US

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

==========================================
Begin squid.conf
==========================================

http_port 3128

auth_param negotiate program /opt/squid-3.0/sbin/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

#acl all src all
acl AUTHENTICATED proxy_auth REQUIRED
acl localnet src 172.17.3.0/24

#http_access allow localnet
http_access allow AUTHENTICATED
#http_access allow all

cache_dir ufs /var/cache/squid-3.0 100 16 256
access_log /var/log/squid-3.0/access.log squid
cache_log /var/log/squid-3.0/cache.log
cache_store_log /var/log/squid-3.0/store.log
pid_filename /var/run/squid-3.0.pid
cache_effective_user squid
cache_effective_group squid
coredump_dir /var/cache/squid-3.0

==========================================
Begin kinit
==========================================

[root@ddoc-svr-ix01 ~]# kinit -V -k -t /etc/squid/HTTP.keytab
HTTP/ddoc-svr-ix01.core.co.fairfield.oh.us
Authenticated to Kerberos v5
[root@ddoc-svr-ix01 ~]#

==========================================
End Examples
==========================================

So.... I'm lost. Does anyone have any suggestions as to what I might be
overlooking or doing incorrectly?

Thanks!

---
Andrew Michael Stemen
andrew@xxxxxxxxxxxxxxxxx




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux