
Re: help squid_kerb_auth

Hi Nicola,

Can you run strace against squid_kerb_auth? You can do this by selecting just one child (e.g. auth_param negotiate children 1) and then do strace -f -F -p <pid of squid_kerb_auth>. Please send me the output. Can you also check on the client with kerbtray (available from Microsoft) that the client has a ticket for HTTP/squid.domain.com and which encryption type it is.

Regards
Markus

"Nicola Gentile" <nikkognt@xxxxxxxxx> wrote in message news:AANLkTimlfs6h4t4ft4sw7kcv-eEhSizv1mvzQTlRrbZ6@xxxxxxxxxxxxxxxxx
Good morning,
I use squid successfully to authenticate AD users in the domain
.dom3.dom2.dom1.com and it works fine.
The server is Debian etch with squid 2.7.STABLE6 and the clients are
Windows (ntlm) and Linux (squid_kerb_auth).
On the Linux client PCs I installed samba+winbind. The user accounts and
computer accounts are in the domain .dom3.dom2.dom1.com.

Now things have changed: the user accounts are in the parent domain
(.domain.com) and the computer accounts are in the child domain
(.child.domain.com).
The .domain.com domain is the root domain of the forest.
The forest is in mixed mode (Windows 2008 and Windows 2003).

I have installed a server with Debian lenny with squid 2.7.STABLE9.

The configure options are:

--prefix=/usr/local/squid
--enable-auth=negotiate ntlm
--enable-ntlm-auth-helpers=SMB
--enable-negotiate-auth-helpers=squid_kerb_auth
--enable-default-err-language=Italian
--enable-err-languages=Italian English
--enable-async-io
--with-pthreads
--enable-storeio=ufs aufs diskd null
--with-large-files

This is my squid.conf

auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -d -s HTTP/squid.domain.com@.domain.com
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param ntlm program /usr/local/squid/libexec/ntlm_auth domain/server1 child/server2
auth_param ntlm children 30
auth_param ntlm keep_alive off
acl out proxy_auth REQUIRED
acl autkrb src 192.168.47.36
http_access allow out autkrb

This is my krb5.conf

[libdefaults]
    default_realm = DOMAIN.COM

    # The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    clockskew = 600

[realms]
    DOMAIN.COM = {
        kdc = srv1.domain.com
        admin_server = srv1.domain.com
        default_domain = domain.com
    }
    CHILD.DOMAIN.COM = {
        kdc = serv1.child.domain.com
        admin_server = serv1.child.domain.com
    }

[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM
    .child.domain.com = CHILD.DOMAIN.COM
    child.domain.com = CHILD.DOMAIN.COM

I also added the following lines to the squid start script.

KRB5_KTNAME=/usr/local/squid/etc/squid20100714.keytab
export KRB5_KTNAME

The DNS is configured as the parent Windows domain domain.com.

On the client, each time I try to use Firefox, the squid server gives me
the following error:

squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS
failure.  Minor code may provide more information. No error

In the browser I see the pop-up for username and password.

What does this error mean?
Do you have any ideas?

Thanks for your help

Nikkognt
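As an added example (not code from this thread), a small Python check that compares the service principal given to squid_kerb_auth with -s against the [realms] and [domain_realm] sections of krb5.conf; the krb5.conf excerpt and squid.conf line below are constructed from the ones quoted above. It only reports inconsistencies between the two files and does not diagnose the gss_accept_sec_context failure itself.

```python
import re
# Constructed excerpt of the krb5.conf and the squid.conf negotiate line quoted in the post.
KRB5_CONF = """[libdefaults]
default_realm = DOMAIN.COM
[realms]
DOMAIN.COM = {
kdc = srv1.domain.com
}
CHILD.DOMAIN.COM = {
kdc = serv1.child.domain.com
}
[domain_realm]
.domain.com = DOMAIN.COM
.child.domain.com = CHILD.DOMAIN.COM
"""
SQUID_LINE = "auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -d -s HTTP/squid.domain.com@.domain.com"

def parse_krb5(text):
    """Return (default_realm, set of declared realms, {domain: realm}) from krb5.conf text."""
    section, default_realm, realms, domain_realm = None, None, set(), {}
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "realms" and line.endswith("{"):       # "REALM = {" opens a realm block
            realms.add(line.split("=", 1)[0].strip())
        elif section == "libdefaults" and line.startswith("default_realm"):
            default_realm = line.split("=", 1)[1].strip()
        elif section == "domain_realm" and "=" in line:
            dom, realm = (part.strip() for part in line.split("=", 1))
            domain_realm[dom.lower()] = realm
    return default_realm, realms, domain_realm

def realm_for_host(host, domain_realm, default_realm):
    """Exact host first, then parent domains with a leading dot, else the default realm."""
    labels = host.lower().split(".")
    for cand in [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]:
        if cand in domain_realm:
            return domain_realm[cand]
    return default_realm

def check_service_principal(squid_line, krb5_text):
    """Return a list of inconsistencies for the -s HTTP/<host>@<realm> value (empty = consistent)."""
    default_realm, realms, domain_realm = parse_krb5(krb5_text)
    host, realm = re.search(r"-s\s+HTTP/([^@\s]+)(?:@(\S+))?", squid_line).groups()
    realm = realm or default_realm  # an unqualified principal takes the default realm
    expected = realm_for_host(host, domain_realm, default_realm)
    checks = [(realm in realms, "realm %r is not declared in [realms]" % realm),
              (realm == expected, "realm %r is not the [domain_realm] mapping %r for %s" % (realm, expected, host))]
    return [msg for ok, msg in checks if not ok]
```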




