Hi Markus/Henrik,

Below is the information for your reference. Now even the authentication portion is not working at all for any single client. I tried hard recreating the SPN using different accounts etc., but with no success. Please help.

1.-----------------------Output of cache.log----------------------------------
2010/06/30 15:56:34| storeDirWriteCleanLogs: Starting...
2010/06/30 15:56:34| Finished. Wrote 0 entries.
2010/06/30 15:56:34| Took 0.0 seconds ( 0.0 entries/sec).
2010/06/30 15:56:34| logfileRotate: /var/logs/inst1store.log
2010/06/30 15:56:34| logfileRotate (stdio): /var/logs/inst1store.log
2010/06/30 15:56:34| logfileRotate: /var/logs/inst1access.log
2010/06/30 15:56:34| logfileRotate (stdio): /var/logs/inst1access.log
2010/06/30 15:56:34| helperStatefulOpenServers: Starting 10 'squid_kerb_auth' processes
2010/06/30 15:56:34| helperOpenServers: Starting 5 'squid_kerb_ldap' processes
2010/06/30 15:56:34| helperOpenServers: Starting 5 'squid_kerb_ldap' processes
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list INETGRLHR1@xxxxxxxxxxxxxxxxxx
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR1 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list INETGRLHR1@xxxxxxxxxxxxxxxxxx
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR1 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list INETGRLHR1@xxxxxxxxxxxxxxxxxx
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR1 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list INETGRLHR1@xxxxxxxxxxxxxxxxxx
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR1 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list INETGRLHR1@xxxxxxxxxxxxxxxxxx
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR1 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list INETGRLHR2@xxxxxxxxxxxxxxxxxx
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR2 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list INETGRLHR2@xxxxxxxxxxxxxxxxxx
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR2 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| helperOpenServers: Starting 5 'squid_kerb_ldap' processes
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list INETGRLHR2@xxxxxxxxxxxxxxxxxx
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR2 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list INETGRLHR2@xxxxxxxxxxxxxxxxxx
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR2 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list INETGRLHR3@xxxxxxxxxxxxxxxxxx
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR3 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list INETGRLHR2@xxxxxxxxxxxxxxxxxx
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR2 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list INETGRLHR3@xxxxxxxxxxxxxxxxxx
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR3 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Group list INETGRLHR3@xxxxxxxxxxxxxxxxxx
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR3 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list INETGRLHR3@xxxxxxxxxxxxxxxxxx
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR3 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list INETGRLHR3@xxxxxxxxxxxxxxxxxx
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR3 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:39| squid_kerb_auth: Got 'YR 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' from squid (length: 1843).
2010/06/30 15:56:39| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/06/30 15:56:39| squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No such file or directory
2010/06/30 15:56:39| squid_kerb_auth: User not authenticated
2010/06/30 15:56:42| squid_kerb_auth: Got 'YR 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' from squid (length: 1843).
2010/06/30 15:56:42| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/06/30 15:56:42| squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No such file or directory
2010/06/30 15:56:42| squid_kerb_auth: User not authenticated

2.--------------------------hosts file-----------------------------------------------
[root@squidlhr1 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
#10.1.82.53 squidlhr1.mailserver.v.local squidlhr1
#Mailserver Domain:
10.1.82.201 ldc-ms-dc1.mailserver.v.local
10.1.82.202 ldc-ms-dc2.mailserver.v.local
10.25.88.163 kdc-ms-dc2.mailserver.v.local
10.25.88.162 kdc-ms-dc1.mailserver.v.local
10.32.11.11 isbitcdc03051.mailserver.v.local
10.32.11.10 isbitc-dc2.mailserver.v.local
::1 localhost6.localdomain6 localhost6

3.-------------------------host.conf-------------------------------------
[root@squidlhr1 ~]# cat /etc/host.conf
order bind,hosts

4.-------------------------network file-------------------------
[root@squidlhr1 ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=squidlhr1

5.------------------------nslookup-------------------------------
[root@squidlhr1 ~]# nslookup
> squidlhr1
Server: 10.1.82.204
Address: 10.1.82.204#53

Name: squidlhr1.mailserver.v.local
Address: 10.1.82.53
> 10.1.82.53
Server: 10.1.82.204
Address: 10.1.82.204#53

53.82.1.10.in-addr.arpa name = squidlhr1.mailserver.v.local.
> ldc-ms-dc2.mailserver.v.local
Server: 10.1.82.204
Address: 10.1.82.204#53

Name: ldc-ms-dc2.mailserver.v.local
Address: 10.1.82.202

6--------------------------------------hostname----------------------------------------
[root@squidlhr1 ~]# hostname -s
squidlhr1
[root@squidlhr1 ~]# hostname -f
squidlhr1.mailserver.mcb.com.pk
[root@squidlhr1 ~]#

7-------------------------------------krb5.conf---------------------------------------
[libdefaults]
default_realm = MAILSERVER.v.local
dns_lookup_realm = true
dns_lookup_kdc = true
default_keytab_name = /etc/krb5.keytab
; for windows 2003 encryption type configuration.
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
v.local = {
kdc = ldc-mcb-dc2.v.local
admin_server = ldc-mcb-dc2.v.local
}
MAILSERVER.v.local = {
kdc = ldc-ms-dc2.mailserver.v.local
admin_server = ldc-ms-dc2.mailserver.v.local
}
# BT.v.local = {
# kdc = dc.bt.v.local
# admin_server = dc.bt.v.local
#}

[domain_realm]
.linux.home = MAILSERVER.v.local
.v.local = v.local
v.local = v.local
.mailserver.v.local = MAILSERVER.v.local
mailserver.v.local = MAILSERVER.v.local
#.bt.v.local = BT.v.local
#bt.v.local = BT.v.local

[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/kdc.log

8.----------------------------------------squid.conf relevant portion--------------------------------
# Part 2 Authentication/Authorization
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth/squid_kerb_auth -d -i
auth_param negotiate children 10
auth_param negotiate keep_alive on
# basic auth ACL controls to make use of it are.(if and only if squid_kerb_ldap(authorization) is not used)
#acl auth proxy_auth REQUIRED
#http_access deny !auth
#http_access allow auth
#Groups fom Mailserver Domain:
external_acl_type squid_kerb_ldap_msgroup1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR1@xxxxxxxxxxxxxxxxxx -i -d
external_acl_type squid_kerb_ldap_msgroup2 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR2@xxxxxxxxxxxxxxxxxx -i -d
external_acl_type squid_kerb_ldap_msgroup3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR3@xxxxxxxxxxxxxxxxxx -i -d
acl msgroup1 external squid_kerb_ldap_msgroup1
acl msgroup2 external squid_kerb_ldap_msgroup2
acl msgroup3 external squid_kerb_ldap_msgroup3
http_access deny msgroup2 msnd
http_access deny msgroup2 ym
###----Most Restricted settings Exclusive for Normal users......###
http_access deny msgroup3 Movies
http_access deny msgroup3 dlSites
http_access deny msgroup2 youtube_domains wh
http_access deny msgroup2 BIP wh
http_access allow msgroup1
http_access allow msgroup2
http_access allow msgroup3
http_access deny all

9---------------------klist---------------------------------------
[root@squidlhr1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: techadmin_ba@xxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/30/10 15:25:06  07/01/10 01:24:49  krbtgt/MAILSERVER.v.local@xxxxxxxxxxxxxxxxxx
        renew until 07/01/10 15:25:06
06/30/10 15:25:49  07/01/10 01:24:49  ldap/ldc-ms-dc2.mailserver.v.local@
        renew until 07/01/10 15:25:06
06/30/10 15:25:49  06/30/10 15:27:49  kadmin/changepw@xxxxxxxxxxxxxxxxxx
        renew until 06/30/10 15:27:49

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/squidlhr1.mailserver.v.local@xxxxxxxxxxxxxxxxxx (DES cbc mode with CRC-32)
   2 HTTP/squidlhr1.mailserver.v.local@xxxxxxxxxxxxxxxxxx (DES cbc mode with RSA-MD5)
   2 HTTP/squidlhr1.mailserver.v.local@xxxxxxxxxxxxxxxxxx (ArcFour with HMAC/md5)

10.-------------------------msktutil------------------------------------------------------
msktutil -c -b "OU=UNIXOU" -s HTTP/squidlhr1.mailserver.mcb.com.pk -h squidlhr1.v.local -k /etc/squid/HTTP.keytab --computer-name squidlhr-http --upn HTTP/squidlhr1.mailserver.v.local --server ldc-ms-dc2.v.local --verbose

Please help me out, as I have tried so much but have not yet got a clue about it. I will be thankful.

regards,
Bilal

----------------------------------------
> To: squid-users@xxxxxxxxxxxxxxx
> From: huaraz@xxxxxxxxxxxxxxxx
> Date: Tue, 29 Jun 2010 23:38:54 +0100
> Subject: Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)
>
> Can you add the option -d -i to squid_kerb_auth and squid_kerb_ldap to
> create more debug output and send the cache.log extract
>
> Regards
> Markus
>
>
> "GIGO ." wrote in message
> news:SNT134-w34626D5C8EC65F9D8495B1B9CB0@xxxxxxxxxx
>
> Hi Henrik/Markus/All
>
> Every setting (keeping in view your recommendation) was correct; I many
> times confirmed that. Even I tried re-creating the SPN, but in vain. However, I
> just realized that most of the users were required to log off and log in to
> get authenticated through squid. I wonder why a user even with a valid TGT
> was required to do that, as he should be able to get the TGS for every new
> kerberized service???
>
> Anyway, of the few users I tried, only one was able to access it without
> re-login. Bottom line is that it's working.
>
>
> Now the authorization portion does not seem to be behaving properly; can you
> please check the syntax for correctness before I probe further. I have
> appended at the bottom my squid.conf portion relevant to this.
>
> e.g. After the authorization, a few of the clients were showing this, whether in
> the group or not:
> --------------------------------------------------------------
> Internet explorer cannot display the webpage
> what you can try:
> Diagnose connection problems
> More Info
> --------------------------------------------------------------
>
> Further, I think IE7 (and later) and FireFox 3.6.x and above support
> Kerberos. Am I right?
> Is there any special configuration required on the
> client side (other than the proxy settings)??
>
>
>
> #After allowing IP based clients and the access controls related to them.
> http_access allow ipbc
> # Part 2 Authentication/Authorization
> auth_param negotiate program /usr/libexec/squid/squid_kerb_auth/squid_kerb_auth
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> # basic auth ACL controls to make use of it are.(if and only if squid_kerb_ldap(authorization) is not used)
> #acl auth proxy_auth REQUIRED
> #http_access deny !auth
> #http_access allow auth
> #Groups fom Mailserver Domain:
> external_acl_type squid_kerb_ldap_ms_group1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR1@xxxxxxxxxxxxxxxxxx
> external_acl_type squid_kerb_ldap_ms_group2 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR2@xxxxxxxxxxxxxxxxxx
> external_acl_type squid_kerb_ldap_ms_group3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR3@xxxxxxxxxxxxxxxxxx
> acl ms_group1 external squid_kerb_ldap_ms_group1
> acl ms_group2 external squid_kerb_ldap_ms_group2
> acl ms_group3 external squid_kerb_ldap_ms_group3
> http_access deny ms_group2 msnd
> http_access deny ms_group3 msnd
> http_access deny ms_group2 msn
> http_access deny ms_group3 msn
> http_access deny ms_group2 msn1
> http_access deny ms_group3 msn1
> http_access deny ms_group2 numeric_IPs
> http_access deny ms_group3 numeric_IPs
> http_access deny ms_group2 Skype_UA
> http_access deny ms_group3 Skype_UA
> http_access deny ms_group2 ym
> http_access deny ms_group3 ym
> http_access deny ms_group2 ymregex
> http_access deny ms_group3 ymregex
> ###----Most Restricted settings Exclusive for Normal users......###
> http_access deny ms_group3 Movies
> http_access deny ms_group3 MP3s
> http_access deny ms_group3 FTP
> http_access deny ms_group3 MP3url
> http_reply_access deny ms_group3 deny_rep_mime_flashvideo
> http_access deny ms_group3 youtube_domains
> http_access deny ms_group3 facebook_sites
> http_access deny ms_group3 BIP
> http_access deny ms_group3 downloads
> http_access deny ms_group3 torrentSeeds
> http_access deny ms_group3 dlSites
> ##----- Time based ACLs--------------------
> http_access deny ms_group2 youtube_domains wh
> http_access deny ms_group2 BIP wh
> http_access deny ms_group2 facebook_sites wh
> http_access allow ms_group1
> http_access allow ms_group2
> http_access allow ms_group3
>
>
> http_access deny all
>
>
> Squid version: squid 2.7 stable 9 on CENTOS 5.4 64 bit.
>
>
>> To: squid-users@xxxxxxxxxxxxxxx
>> From: huaraz@xxxxxxxxxxxxxxxx
>> Date: Mon, 28 Jun 2010 23:56:51 +0100
>> Subject: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)
>>
>> Make sure the squid server's hostname matches squidhr1.v.local. If not, use -s
>> HTTP/squidhr1.v.local as an option to squid_kerb_auth.
>>
>> Regards
>> Markus
>>
>> "GIGO ." wrote in message
>> news:SNT134-w64257C53609757CD3CF006B9CA0@xxxxxxxxxx
>>
>> Hi all,
>>
>> I am unable to do kerberos authentication in my live environment as opposed to
>> the test environment where it was successful. My environment is Active
>> Directory Single Forest Multidomain with each domain having multiple domain
>> controllers.
>>
>> SPN was created through:
>>
>> msktutil -c -b "OU=UNIXOU" -s HTTP/squidlhr1.v.local -h squidlhr1.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/squidlhr1.v.local --server ldc-ms-dc2.v.local --verbose
>>
>>
>> Through ADSIEDIT & setspn tools SPN is confirmed in the Active Directory.
>>
>> My kerb5.conf Settings:
>> [libdefaults]
>> default_realm = MAILSERVER.V.LOCAL
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> default_keytab_name = /etc/krb5.keytab
>> ; for windows 2003 encryption type configuration.
>> default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>> default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>> permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>> [realms]
>> V.LOCAL = {
>> kdc = ldc-v-dc2.v.local
>> admin_server = ldc-v-dc2.v.local
>> }
>> MAILSERVER.V.LOCAL = {
>> kdc = ldc-ms-dc2.mailserver.v.local
>> admin_server = ldc-ms-dc2.mailserver.v.local
>> }
>> # BT.V.LOCAL = {
>> # kdc = dc.bt.v.local
>> # admin_server = dc.bt.v.local
>> #}
>> [domain_realm]
>> .linux.home = MAILSERVER.V.LOCAL
>> .v.local = V.LOCAL
>> v.local = V.LOCAL
>> .mailserver.v.local = MAILSERVER.V.LOCAL
>> mailserver.v.local = MAILSERVER.V.LOCAL
>> #.bt.v.local= BT.V.LOCAL
>> #bt.v.local = BT.V.LOCAL
>> [logging]
>> kdc = FILE:/var/log/kdc.log
>> admin_server = FILE:/var/log/kadmin.log
>> default = FILE:/var/log/kdc.log
>>
>>
>> I have tried this on multiple client computers but it does not seem to be
>> working....
>> Below are the files for your reference.
>>
>>
>> Dump through wire shark :
>> -------------------------
>>
>> Hypertext Transfer Protocol
>> GET http://www.google.com/ HTTP/1.1\r\n
>> Accept: */*\r\n
>> Accept-Language: en-us\r\n
>> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; AskTB5.5)\r\n
>> Accept-Encoding: gzip, deflate\r\n
>> Proxy-Connection: Keep-Alive\r\n
>> [truncated] Cookie: PREF=ID=dfcab88fe782b2f3:U=8cc1a776c84c55e1:TM=1273578259:LM=1273579194:S=ec2wG6BXReYHZvWe; NID=36=iQ9ZARYGAQQvkpoAjK1OHFtg7BF7IE9hh-E__mxd9S8cV8EcNVq_M_9qMHZPatpJiifFPpdWYqJMmTtBxuCdoQMknggCTHJKkJkNigy5I6kewAQTepVnZ0Pb
>> [truncated] Proxy-Authorization: Negotiate YIIFTwYGKwYBBQUCoIIFQzCCBT+gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBRUEggURYIIFDQYJKoZIhvcSAQICAQBuggT8MIIE+KADAgEFoQMCAQ6iBwMFACAAAACjggQVYYIEETCCBA2gAwIBBaEXGxVNQUlMU0VSVkVSLk1DQi5D
>> GSS-API Generic Security Service Application Program Interface
>> OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
>> SPNEGO
>> negTokenInit
>> mechTypes: 3 items
>> MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
>> MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
>> MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
>> mechToken: 6082050D06092A864886F71201020201006E8204FC308204...
>> krb5_blob: 6082050D06092A864886F71201020201006E8204FC308204...
>> KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
>> krb5_tok_id: KRB5_AP_REQ (0x0001)
>> Kerberos AP-REQ
>> Pvno: 5
>> MSG Type: AP-REQ (14)
>> Padding: 0
>> APOptions: 20000000 (Mutual required)
>> .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
>> ..1. .... .... .... .... .... .... .... = Mutual required: MUTUAL authentication is REQUIRED
>> Ticket
>> Tkt-vno: 5
>> Realm: MAILSERVER.V.LOCAL
>> Server Name (Service and Instance): HTTP/squidlhr1.v.local
>> Name-type: Service and Instance (2)
>> Name: HTTP
>> Name: squidlhr1.v.local
>> enc-part rc4-hmac
>> Encryption type: rc4-hmac (23)
>> Kvno: 2
>> enc-part: 60082AD63370B0B25657BB713A74B080C21E261079263809...
>> Authenticator rc4-hmac
>> Encryption type: rc4-hmac (23)
>> Authenticator data: A7B9567AB0F52FD022CD130905ACD67DA268C8222AC6ED97...
>> Host: www.google.com\r\n
>> \r\n
>>
>> Hypertext Transfer Protocol
>> HTTP/1.0 407 Proxy Authentication Required\r\n
>> Server: squid\r\n
>> Date: Fri, 25 Jun 2010 15:00:57 GMT\r\n
>> Content-Type: text/html\r\n
>> Content-Length: 1295\r\n
>> Content length: 1295
>> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
>> Proxy-Authenticate: Negotiate\r\n
>> Proxy-Authenticate: Negotiate gss_acquire_cred()\r\n
>> GSS-API Generic Security Service Application Program Interface
>> [Malformed Packet: GSS-API]
>> Expert Info (Error/Malformed): Malformed Packet (Exception occurred)
>> Message: Malformed Packet (Exception occurred)
>> Severity level: Error
>> Group: Malformed
>> X-Cache: MISS from squidlhr1\r\n
>> X-Cache-Lookup: NONE from squidlhr1:8080\r\n
>> Via: 1.0 squidlhr1main:8080 (squid)\r\n
>> Connection: close\r\n
>> \r\n
>>
>> squid_kerb_auth -d output:
>> ---------------------------
>>
>> 2010/06/28 10:03:24| squid_kerb_auth: Got 'YR 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' from squid (length: 1819).
>> 2010/06/28 10:03:24| squid_kerb_auth: parseNegTokenInit failed with rc=102
>> 2010/06/28 10:03:24| squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No principal in keytab matches desired name
>>
>> Please, your help will be required.
>>
>> regards,
>>
>> Bilal
>>
>>
>>
>> _________________________________________________________________
>> Hotmail: Trusted email with powerful SPAM protection.
>> https://signup.live.com/signup.aspx?id=60969
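The Wireshark dump in the oldest quoted message decodes the SPNEGO negTokenInit that Internet Explorer puts in Proxy-Authorization: Negotiate: an outer GSS-API token with the SPNEGO OID, a mechTypes list (MS KRB5, KRB5, NTLMSSP) and a mechToken that is itself a Kerberos token carrying the AP-REQ. That is the structure squid_kerb_auth's parseNegTokenInit has to walk before anything reaches GSS-API. The parser below is an added example and is not code from squid_kerb_auth or from anyone in this thread; it walks that DER by hand (RFC 2743 InitialContextToken, RFC 4178 negTokenInit, RFC 4121 token ids) and reports the same fields. It also shows what happens with a truncated token: the opening 87 bytes of the capture quoted above (the e-mail cut the rest off) are rejected with a length error rather than misread. The sample token it builds is constructed here, with a zero-filled placeholder where the AP-REQ would be.

```python
"""Hand-written DER walk over a SPNEGO negTokenInit (Proxy-Authorization: Negotiate).
Added example for this thread; not squid_kerb_auth's parseNegTokenInit.
Sample token constructed below; the AP-REQ inside it is a placeholder."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
KRB5_OID = "1.2.840.113554.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
TOK_IDS = {b"\x01\x00": "KRB5_AP_REQ", b"\x02\x00": "KRB5_AP_REP", b"\x03\x00": "KRB5_ERROR"}
# Opening 87 bytes of the token quoted in the thread's capture (the capture was truncated).
TRUNCATED_HEADER = ("Negotiate YIIFTwYGKwYBBQUCoIIFQzCCBT+gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYB"
                    "BAGCNwICCqKCBRUEggURYIIFDQYJKoZIhvcSAQICAQBuggT8")

def _need(cond, msg):
    if not cond:
        raise ValueError(msg)

def _read_tlv(buf, pos):
    """Read one DER element at buf[pos]; return (tag, contents, position after it)."""
    _need(pos + 2 <= len(buf), "truncated token at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        _need(0 < n <= 4 and pos + n <= len(buf), "bad long-form length at offset %d" % pos)
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    _need(pos + length <= len(buf), "element of %d bytes runs past end of %d-byte token" % (length, len(buf)))
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """DER OID contents -> dotted string (base-128 arcs, first two arcs packed into one)."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    _need(arcs, "empty OID")
    lead = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(str(a) for a in lead + arcs[1:])

def parse_neg_token_init(buf):
    """Return {'mechTypes': [...], 'mechTokenOid': ..., 'tokId': ...} or raise ValueError."""
    tag, body, _ = _read_tlv(buf, 0)
    _need(tag == 0x60, "not a GSS-API InitialContextToken (tag 0x%02x)" % tag)
    tag, oid_raw, pos = _read_tlv(body, 0)
    _need(tag == 0x06 and _decode_oid(oid_raw) == SPNEGO_OID, "outer mechanism is not SPNEGO")
    tag, neg, _ = _read_tlv(body, pos)
    _need(tag == 0xA0, "expected negTokenInit [0], got tag 0x%02x" % tag)
    tag, fields, _ = _read_tlv(neg, 0)
    _need(tag == 0x30, "negTokenInit is not a SEQUENCE")
    result, pos = {"mechTypes": [], "mechTokenOid": None, "tokId": None}, 0
    while pos < len(fields):
        tag, val, pos = _read_tlv(fields, pos)
        if tag == 0xA0:                    # [0] mechTypes: SEQUENCE OF OID, preferred mech first
            _, lst, _ = _read_tlv(val, 0)
            p = 0
            while p < len(lst):
                t, o, p = _read_tlv(lst, p)
                if t == 0x06:
                    result["mechTypes"].append(_decode_oid(o))
        elif tag == 0xA2:                  # [2] mechToken: OCTET STRING holding the mechanism's token
            _, octets, _ = _read_tlv(val, 0)
            t, inner, _ = _read_tlv(octets, 0)
            if t == 0x60:                  # Kerberos InitialContextToken: OID, 2-byte TOK_ID, AP-REQ
                t2, oid2, p2 = _read_tlv(inner, 0)
                result["mechTokenOid"] = _decode_oid(oid2)
                result["tokId"] = TOK_IDS.get(bytes(inner[p2:p2 + 2]), "unknown")
    return result

def inspect_negotiate_header(header_value):
    """Parse a 'Negotiate <base64>' value; returns {'error': reason} instead of raising."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        return {"error": "not a Negotiate header"}
    try:
        return parse_neg_token_init(base64.b64decode(b64))
    except ValueError as exc:              # binascii.Error (bad base64) is a ValueError too
        return {"error": str(exc)}

def _tlv(tag, body):                       # minimal DER encoder, used only for the sample
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for a in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def build_sample_header(mech_types=(MS_KRB5_OID, KRB5_OID, NTLMSSP_OID), inner_oid=KRB5_OID):
    """Constructed header shaped like the thread's capture; bytes(150) stands in for the AP-REQ."""
    inner = _tlv(0x60, _oid(inner_oid) + b"\x01\x00" + bytes(150))
    mech_list = _tlv(0xA0, _tlv(0x30, b"".join(_oid(m) for m in mech_types)))
    mech_tok = _tlv(0xA2, _tlv(0x04, inner))
    token = _tlv(0x60, _oid(SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, mech_list + mech_tok)))
    return "Negotiate " + base64.b64encode(token).decode()
```

Running `inspect_negotiate_header(build_sample_header())` yields the three mechType OIDs in the order the capture lists them, `mechTokenOid` 1.2.840.113554.1.2.2 and `tokId` KRB5_AP_REQ; the same call on `TRUNCATED_HEADER` returns an error naming the 1359-byte outer element that does not fit in the 87 bytes present. A helper that does the lookups this way has the mechanism OIDs and the ticket's shape in hand before it touches a keytab, which is where the errors in this thread start.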
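The two gss_acquire_cred() errors in this thread are different symptoms: "No such file or directory" (section 1 of the newest message, where krb5.conf sets default_keytab_name to /etc/krb5.keytab while the HTTP keys were written to /etc/squid/HTTP.keytab) means the helper could not open a keytab at all, while the earlier "No principal in keytab matches desired name" means a keytab was opened but holds no key for the SPN the client's ticket names (HTTP/squidlhr1.v.local in the capture, HTTP/squidlhr1.mailserver.v.local in the klist output). The script below is an added example, not part of Squid or squid_kerb_auth: it classifies squid_kerb_auth -d lines from cache.log, parses klist keytab output, and reports which of the two conditions the evidence supports. Its sample log and keytab listing are constructed from the values posted in the thread (the masked realm is written as MAILSERVER.V.LOCAL here), and the KRB5_KTNAME finding assumes that the helper, like any GSS-API acceptor, opens the default keytab chosen by KRB5_KTNAME or default_keytab_name.

```python
"""Triage squid_kerb_auth failures from cache.log plus a keytab listing.
Added example for this thread; not code from Squid or squid_kerb_auth.
Sample inputs below are constructed from the thread's posted values."""
import re
from collections import Counter

KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

# Constructed from the thread's cache.log extracts (token text replaced by <token>).
SAMPLE_HELPER_LOG = """\
2010/06/30 15:56:39| squid_kerb_auth: Got 'YR <token>' from squid (length: 1843).
2010/06/30 15:56:39| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/06/30 15:56:39| squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No such file or directory
2010/06/30 15:56:39| squid_kerb_auth: User not authenticated
2010/06/28 10:03:24| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/06/28 10:03:24| squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No principal in keytab matches desired name
"""

# Constructed from the thread's klist output; the masked realm is written out here.
SAMPLE_KLIST_KEYTAB = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/squidlhr1.mailserver.v.local@MAILSERVER.V.LOCAL (DES cbc mode with CRC-32)
   2 HTTP/squidlhr1.mailserver.v.local@MAILSERVER.V.LOCAL (DES cbc mode with RSA-MD5)
   2 HTTP/squidlhr1.mailserver.v.local@MAILSERVER.V.LOCAL (ArcFour with HMAC/md5)
"""

def classify_helper_line(line):
    """Map one squid_kerb_auth -d line to a coarse category."""
    if "gss_acquire_cred() failed" in line:
        if "No such file or directory" in line:
            return "keytab_unreadable"        # helper could not open its default keytab
        if "No principal in keytab matches desired name" in line:
            return "spn_mismatch"             # keytab opened, but lacks the requested SPN
        return "gss_acquire_cred_failed"
    if "parseNegTokenInit failed" in line:
        return "negtoken_parse_failed"
    if "User not authenticated" in line:
        return "auth_failed"
    if "Got 'YR" in line:
        return "token_received"
    return "other"

def classify_helper_log(text):
    """Counter of categories over the squid_kerb_auth lines in a cache.log extract."""
    return Counter(classify_helper_line(l) for l in text.splitlines() if "squid_kerb_auth" in l)

def parse_klist_keytab(text):
    """Parse klist keytab output into [{'kvno', 'principal', 'enctype'}, ...]."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries.append({"kvno": int(m.group(1)), "principal": m.group(2), "enctype": m.group(3)})
    return entries

def check_keytab_covers(entries, requested_spn):
    """Does the keytab hold keys for the service/host the client's ticket names? (realm ignored)"""
    want = requested_spn.split("@")[0].lower()
    hits = [e for e in entries if e["principal"].split("@")[0].lower() == want]
    return {"requested": requested_spn, "present": bool(hits),
            "kvnos": {e["kvno"] for e in hits}, "enctypes": [e["enctype"] for e in hits]}

def diagnose(counts, entries, requested_spn, helper_keytab, keytab_with_keys):
    """Turn the log counters and keytab contents into findings; order: keytab path, SPN, parse."""
    findings = []
    if counts["keytab_unreadable"]:
        if helper_keytab != keytab_with_keys:
            findings.append("helper opens the default keytab %s but the HTTP keys are in %s; set "
                            "KRB5_KTNAME=%s in squid's environment or default_keytab_name in krb5.conf"
                            % (helper_keytab, keytab_with_keys, keytab_with_keys))
        else:
            findings.append("default keytab %s is missing or not readable by the helper's uid" % helper_keytab)
    cov = check_keytab_covers(entries, requested_spn)
    if counts["spn_mismatch"] or not cov["present"]:
        have = ", ".join(sorted({e["principal"] for e in entries})) or "nothing"
        findings.append("ticket names %s but keytab holds %s; the SPN must match the proxy name "
                        "clients connect to" % (requested_spn, have))
    if counts["negtoken_parse_failed"]:
        findings.append("parseNegTokenInit failed %d time(s) before credential acquisition"
                        % counts["negtoken_parse_failed"])
    return findings

if __name__ == "__main__":
    counts = classify_helper_log(SAMPLE_HELPER_LOG)
    keys = parse_klist_keytab(SAMPLE_KLIST_KEYTAB)
    for f in diagnose(counts, keys, "HTTP/squidlhr1.v.local", "/etc/krb5.keytab", "/etc/squid/HTTP.keytab"):
        print("-", f)
```

On the constructed inputs the first finding is the keytab path (the helper looks in /etc/krb5.keytab, the keys are in /etc/squid/HTTP.keytab) and the second is the SPN: nothing in the keytab matches HTTP/squidlhr1.v.local, which is what the client put in its AP-REQ. In a live check the same functions run over the real cache.log and `klist -k -t /etc/squid/HTTP.keytab` output, with the requested SPN taken from the Server Name in the capture or from the name the browser's proxy setting uses.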