hello

I am trying to set up Kerberos auth against Active Directory (Windows 2000) in Squid 2.7. This is primarily so that the username is captured in the access log, but user-based access control will occasionally be used as well.

I've installed the squid_kerb_auth software from http://squidkerbauth.sourceforge.net/

The relevant squid config looks like this:

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid/squid_kerb_ldap -d -g active-directory-group@xxxxxxxxx
acl ldap_group_check external squid_kerb_ldap
acl k_test src [some.test.host.address]
http_access allow k_test ldap_group_check
http_access deny k_test

Initially I used the msktutil package to create the AD account keytab, thus:

msktutil -c -b "CN=COMPUTERS" -s HTTP/squidhost.my.domain -k /etc/squid/HTTP.keytab --computer-name squidhost --upn HTTP/squidhost.my.domain --server windows_ad_host.my.domain --verbose

This produced the desired keytab, but the verbose output noted that the ticket version number was not returned ("must be Windows 2000" - it is) and so set the kvno to zero. This is reflected in the output of

kvno HTTP/squidhost.my.domain

When the client (Mac OS X 10.6) connected using the Chrome browser, squid's cache.log reported that the ticket version number didn't match:

squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key version number for principal in key table is incorrect.

Using kvno HTTP/squidhost.my.domain on this client the version number was 3, while doing the same on the proxy the version was zero. So that made sense. I fixed this by not using msktutil and instead using ktpass on the Active Directory server, specifying -kvno 3. I installed this on the proxy host and that error went away.
Reading about ktpass and Kerberos auth in Microsoft's KB, it said that the (squid) host needs to have an account created for it as a user in the domain. Weird, but I did this, using the host name as the user shortname. I used this hostname in ktpass with -mapuser.

Now squid's cache.log shows, in part:

2010/11/02 12:01:55| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/11/02 12:01:55| squid_kerb_auth: AF AA== rolf@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Got User: rolf Domain: MY.DOMAIN
2010/11/02 12:01:55| squid_kerb_ldap: User domain loop: group@domain active-directory-group@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Found group@domain active-directory-group@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Setup Kerberos credential cache
2010/11/02 12:01:55| squid_kerb_ldap: Get default keytab file name
2010/11/02 12:01:55| squid_kerb_ldap: Got default keytab file name /etc/squid/HTTP.keytab
2010/11/02 12:01:55| squid_kerb_ldap: Get principal name from keytab /etc/squid/HTTP.keytab
2010/11/02 12:01:55| squid_kerb_ldap: Keytab entry has realm name: MY.DOMAIN
2010/11/02 12:01:55| squid_kerb_ldap: Found principal name: HTTP/squidhost.my.domain@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_20411
2010/11/02 12:01:55| squid_kerb_ldap: Got principal name HTTP/squidhost.my.domain@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Stored credentials
2010/11/02 12:01:55| squid_kerb_ldap: Initialise ldap connection
2010/11/02 12:01:55| squid_kerb_ldap: Canonicalise ldap server name for domain MY.DOMAIN

Apart from the first line ("failed with rc=102") this looks ok. Then there are many (from debugging, I presume) instances of:

squid_kerb_ldap: Resolved SRV _ldap._tcp.MY.DOMAIN record to ad-domain-controller.my.domain

for various domain controllers on the network.
Then lots of:

2010/11/02 12:02:09| squid_kerb_ldap: Setting up connection to ldap server various-domain-servers-and-workstations@xxxxxxxxx:389
2010/11/02 12:02:09| squid_kerb_ldap: SASL not supported on system

Finally these log entries, which show the deny reason - that I'm not a member of the group. But I can confirm that I am a member of the group:

2010/11/02 12:02:09| squid_kerb_ldap: Error during initialisation of ldap connection: Success
2010/11/02 12:02:09| squid_kerb_ldap: Error during initialisation of ldap connection: Success
2010/11/02 12:02:09| squid_kerb_ldap: User rolf is not member of group@domain active-directory-group@xxxxxxxxx
2010/11/02 12:02:09| squid_kerb_ldap: Default domain loop: group@domain active-directory-group@xxxxxxxxx
2010/11/02 12:02:09| squid_kerb_ldap: Default group loop: group@domain active-directory-group@xxxxxxxxx
2010/11/02 12:02:09| squid_kerb_ldap: ERR

I have tried many combinations of service keytab creation and so on, but I cannot get any further than this. Any help most appreciated.

thanks
rolf.
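The kvno mismatch described in the post above (keytab written with kvno 0 by msktutil, while the KDC issues service tickets with kvno 3) is a property of what is stored inside the keytab file. The following is an added example, not code from the post or from the squid_kerb_auth project: a small reader and writer for MIT-format keytab files (format 0x0502, laid out as documented for MIT krb5) plus a check that compares each entry's kvno with the kvno the KDC is known to issue, i.e. the number that `kvno HTTP/squidhost.my.domain` prints on a client. The two sample keytabs are constructed in the block itself (placeholder key bytes, an assumed timestamp, name type 1 assumed); only the principal, realm style and the kvno values 0 and 3 come from the post.

```python
"""Added example: parse/build MIT keytab files (format 0x0502) and flag
entries whose kvno disagrees with the kvno the KDC issues. Not part of
the original post or of squid_kerb_auth; sample data below is constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

ENCTYPE_ARCFOUR_HMAC = 23  # RC4-HMAC, the enctype a Windows 2000 DC and ktpass use


@dataclass
class KeytabEntry:
    principal: str   # components joined with "/", e.g. "HTTP/squidhost.my.domain"
    realm: str       # e.g. "MY.DOMAIN"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL (assumed for the sample entries)
    timestamp: int   # seconds since the epoch when the entry was written
    kvno: int        # key version number; must match the service ticket's kvno
    enctype: int
    key: bytes

    @property
    def name(self) -> str:
        return f"{self.principal}@{self.realm}"


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode a format-0x0502 keytab: every integer is big-endian."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:          # a negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:     # optional 32-bit vno; overrides vno8 when nonzero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps), realm.decode(), name_type,
                                   timestamp, kvno, enctype, key))
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the same 0x0502 layout that parse_keytab reads."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        comps = e.principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(e.realm)) + e.realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype)
        body += struct.pack(">H", len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def kvno_mismatches(keytab: bytes, kdc_kvnos: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Return (principal@REALM, keytab_kvno, kdc_kvno) for each entry whose kvno
    differs from what the KDC issues; such entries make gss_accept_sec_context()
    fail with "Key version number for principal in key table is incorrect"."""
    bad = []
    for e in parse_keytab(keytab):
        expected = kdc_kvnos.get(e.name)
        if expected is not None and e.kvno != expected:
            bad.append((e.name, e.kvno, expected))
    return bad


# Constructed sample data: placeholder key bytes and timestamp, not real secrets.
_PRINC, _REALM, _KEY = "HTTP/squidhost.my.domain", "MY.DOMAIN", bytes(range(16))
# Keytab as msktutil wrote it when the DC returned no kvno: entry with kvno 0.
MSKTUTIL_KEYTAB = build_keytab([KeytabEntry(_PRINC, _REALM, 1, 1288699200, 0,
                                            ENCTYPE_ARCFOUR_HMAC, _KEY)])
# Keytab as ktpass -kvno 3 produced it: same principal, kvno 3.
KTPASS_KEYTAB = build_keytab([KeytabEntry(_PRINC, _REALM, 1, 1288699200, 3,
                                          ENCTYPE_ARCFOUR_HMAC, _KEY)])
# kvno a client sees in its service ticket (output of kvno HTTP/squidhost.my.domain).
KDC_KVNOS = {f"{_PRINC}@{_REALM}": 3}

if __name__ == "__main__":
    for label, kt in (("msktutil", MSKTUTIL_KEYTAB), ("ktpass", KTPASS_KEYTAB)):
        bad = kvno_mismatches(kt, KDC_KVNOS)
        print(f"{label}: " + ("; ".join(f"{n} keytab kvno {h} != KDC kvno {w}"
                                        for n, h, w in bad) or "kvno matches KDC"))
```

Run against a real /etc/squid/HTTP.keytab, `parse_keytab(open(path, "rb").read())` lists every principal with its kvno and enctype, which is the same information `klist -k -e` prints; feeding the kvno reported by a client into `kvno_mismatches` tells you before restarting squid whether the "Key version number ... is incorrect" error will recur. The builder writes both the one-byte vno and the trailing 32-bit vno, which is why an entry created with kvno 0 still reads back as 0 rather than being promoted by the 32-bit field.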