Now it works! I have not changed anything.
Thanks for the help

Nicola Gentile

2010/7/16 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
> Hi Nicola,
>
> Can you run strace against squid_kerb_auth? You can do this by selecting
> just one child (e.g. auth_param negotiate children 1) and then do strace -f
> -F -p <pid of squid_kerb_auth>. Please send me the output. Can you also
> check on the client with kerbtray (available from Microsoft) that the
> client has a ticket for HTTP/squid.domain.com and which encryption type it
> is.
>
> Regards
> Markus
>
> "Nicola Gentile" <nikkognt@xxxxxxxxx> wrote in message
> news:AANLkTimlfs6h4t4ft4sw7kcv-eEhSizv1mvzQTlRrbZ6@xxxxxxxxxxxxxxxxx
>>
>> Good morning,
>> I successfully use Squid to authenticate AD users in the domain
>> .dom3.dom2.dom1.com, and it works fine.
>> The server is Debian etch with Squid 2.7.STABLE6 and the clients are
>> Windows (ntlm) and Linux (squid_kerb_auth).
>> On the Linux client PCs I installed samba+winbind. The user accounts and
>> computer accounts are in the domain .dom3.dom2.dom1.com.
>>
>> Now things have changed: the user accounts are in the parent domain
>> (.domain.com) and the computer accounts are in the child domain
>> (.child.domain.com).
>> .domain.com is the root domain of the forest.
>> The forest is in mixed mode (Windows 2008 and Windows 2003).
>>
>> I have installed a server running Debian lenny with Squid 2.7.STABLE9.
>>
>> The configure options are:
>>
>> --prefix=/usr/local/squid
>> --enable-auth=negotiate ntlm
>> --enable-ntlm-auth-helpers=SMB
>> --enable-negotiate-auth-helpers=squid_kerb_auth
>> --enable-default-err-language=Italian
>> --enable-err-languages=Italian English
>> --enable-async-io
>> --with-pthreads
>> --enable-storeio=ufs aufs diskd null
>> --with-large-files
>>
>> This is my squid.conf:
>>
>> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth
>> -d -s HTTP/squid.domain.com@.domain.com
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>> auth_param ntlm program /usr/local/squid/libexec/ntlm_auth
>> domain/server1 child/server2
>> auth_param ntlm children 30
>> auth_param ntlm keep_alive off
>> acl out proxy_auth REQUIRED
>> acl autkrb src 192.168.47.36
>> http_access allow out autkrb
>>
>> This is my krb5.conf:
>>
>> [libdefaults]
>> default_realm = DOMAIN.COM
>>
>> # The following krb5.conf variables are only for MIT Kerberos.
>> krb4_config = /etc/krb.conf
>> krb4_realms = /etc/krb.realms
>> kdc_timesync = 1
>> ccache_type = 4
>> forwardable = true
>> proxiable = true
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ticket_lifetime = 24h
>> clockskew = 600
>>
>> [realms]
>> DOMAIN.COM = {
>> kdc = srv1.domain.com
>> admin_server = srv1.domain.com
>> default_domain = domain.com
>> }
>> CHILD.DOMAIN.COM = {
>> kdc = serv1.child.domain.com
>> admin_server = serv1.child.domain.com
>> }
>>
>> [domain_realm]
>> .domain.com = DOMAIN.COM
>> domain.com = DOMAIN.COM
>> .child.domain.com = CHILD.DOMAIN.COM
>> child.domain.com = CHILD.DOMAIN.COM
>>
>> I also added the following lines to the squid start script:
>>
>> KRB5_KTNAME=/usr/local/squid/etc/squid20100714.keytab
>> export KRB5_KTNAME
>>
>> The DNS is configured as the parent Windows domain, domain.com.
>>
>> On the client, each time I try to use Firefox, the Squid server gives me
>> the following error:
>>
>> squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS
>> failure. Minor code may provide more information. No error
>>
>> and in the browser I see the pop-up for username and password.
>>
>> What does this error mean?
>> Do you have any ideas?
>>
>> Thanks for your help
>>
>> Nikkognt
>>
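A "gss_accept_sec_context() failed" from squid_kerb_auth with a bare "No error" minor code usually means the helper could not match the ticket the browser presented against a key it holds, so the first thing to verify on the proxy side is that the -s service principal, the krb5.conf realm mapping for the proxy's FQDN, and the keytab all name the same principal. The script below is an added example, not code from the thread or from Squid: it parses the krb5.conf posted above, pulls the -s argument out of the auth_param negotiate line, and reports any inconsistency between the principal's realm and the [realms] and [domain_realm] sections. Run against the posted configuration it flags the realm spelled ".domain.com" (not an entry in [realms], not upper-case, and not what [domain_realm] maps squid.domain.com to); whether that mattered in this case the thread does not say, since the poster reports it started working without changes. The sample configuration text is copied from the post (abridged) and embedded as a constructed input; all function names are the example's own.

```python
"""Cross-check the squid_kerb_auth -s service principal against krb5.conf.

Added example (not from the thread). The inputs below are the thread's posted
configuration, embedded here as constructed sample text.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: the krb5.conf from the original post, abridged.
KRB5_CONF = """\
[libdefaults]
default_realm = DOMAIN.COM
# The following krb5.conf variables are only for MIT Kerberos.
dns_lookup_realm = false
dns_lookup_kdc = false
clockskew = 600

[realms]
DOMAIN.COM = {
kdc = srv1.domain.com
admin_server = srv1.domain.com
default_domain = domain.com
}
CHILD.DOMAIN.COM = {
kdc = serv1.child.domain.com
admin_server = serv1.child.domain.com
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
.child.domain.com = CHILD.DOMAIN.COM
child.domain.com = CHILD.DOMAIN.COM
"""

# Constructed sample: the auth_param line as posted, and a variant with the
# realm written the way the [realms] section spells it.
AUTH_LINE_POSTED = ("auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth "
                    "-d -s HTTP/squid.domain.com@.domain.com")
AUTH_LINE_FIXED = AUTH_LINE_POSTED.replace("@.domain.com", "@DOMAIN.COM")

Section = Dict[str, Any]


def parse_krb5_conf(text: str) -> Dict[str, Section]:
    """Minimal krb5.conf parser: [sections], key = value, and key = { ... } blocks."""
    sections: Dict[str, Section] = {}
    current: Optional[Section] = None
    stack: List[Section] = []  # open '{' blocks inside the current section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in krb5.conf")
            stack.pop()
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m and not stack:
            current = sections.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r"([\w.\-]+)\s*=\s*(.*)", line)
        if m is None or current is None:
            raise ValueError(f"unparseable krb5.conf line: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        target = stack[-1] if stack else current
        if value == "{":
            block: Section = {}
            target[key] = block
            stack.append(block)
        else:
            target[key] = value
    return sections


def service_principal(auth_param_line: str) -> Optional[str]:
    """Return the -s argument of an 'auth_param negotiate program' line, if any."""
    tokens = auth_param_line.split()
    if tokens[:3] != ["auth_param", "negotiate", "program"] or "-s" not in tokens:
        return None
    i = tokens.index("-s")
    return tokens[i + 1] if i + 1 < len(tokens) else None


def split_principal(principal: str) -> Tuple[str, str, Optional[str]]:
    """'HTTP/host@REALM' -> ('HTTP', 'host', 'REALM'); realm is None when omitted."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm or None


def realm_for_host(host: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """[domain_realm] lookup the way MIT krb5 applies it: exact host name first,
    then each parent domain with its leading dot (".domain.com" covers
    squid.domain.com; "domain.com" without the dot matches only that name)."""
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


def check_service_principal(krb5_conf: str, auth_param_line: str) -> List[str]:
    """Return findings about the helper's service principal; [] means consistent."""
    conf = parse_krb5_conf(krb5_conf)
    realms = conf.get("realms", {})
    domain_realm = conf.get("domain_realm", {})
    principal = service_principal(auth_param_line)
    if principal is None:
        return ["no -s <principal> on the auth_param negotiate program line"]
    service, host, realm = split_principal(principal)
    findings: List[str] = []
    if service != "HTTP":
        findings.append(f"service part is {service!r}; browsers ask the KDC for HTTP/<proxy fqdn>")
    expected = realm_for_host(host, domain_realm)
    if expected is None:
        findings.append(f"[domain_realm] has no mapping for {host}")
    if realm is None:
        findings.append("principal has no realm; the library will append default_realm")
        return findings
    if realm not in realms:
        findings.append(f"realm {realm!r} has no [realms] entry (known: {sorted(realms)})")
    if realm != realm.upper():
        findings.append(f"realm {realm!r} is not upper-case; Kerberos realm names are case-sensitive")
    if expected is not None and realm != expected:
        findings.append(f"[domain_realm] maps {host} to {expected}, but -s says {realm}")
    return findings


if __name__ == "__main__":
    for line in (AUTH_LINE_POSTED, AUTH_LINE_FIXED):
        print(service_principal(line), "->", check_service_principal(KRB5_CONF, line) or "OK")
```

The second half of the check has to be done on the box itself: `klist -k /usr/local/squid/etc/squid20100714.keytab` should list the same HTTP/squid.domain.com@DOMAIN.COM principal, with an encryption type the client's ticket (as shown by kerbtray, per Markus's advice) can use; a keytab holding only a different name, realm spelling or enctype produces exactly the unhelpful "Unspecified GSS failure" seen in the post.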