Hello The cache.log file are below: 2011/07/20 09:49:08| Starting Squid Cache version 3.1.4 for i686-pc-linux-gnu... 2011/07/20 09:49:08| Process ID 6027 2011/07/20 09:49:08| With 1024 file descriptors available 2011/07/20 09:49:08| Initializing IP Cache... 2011/07/20 09:49:08| DNS Socket created at [::], FD 7 2011/07/20 09:49:08| Adding domain xx.yy.zz.net from /etc/resolv.conf 2011/07/20 09:49:08| Adding nameserver 10.239.56.3 from /etc/resolv.conf 2011/07/20 09:49:08| helperOpenServers: Starting 10/10 'squid_kerb_auth' processes 2011/07/20 09:49:08| squid_kerb_auth: INFO: Starting version 1.0.5 2011/07/20 09:49:08| squid_kerb_auth: INFO: Starting version 1.0.5 2011/07/20 09:49:08| squid_kerb_auth: INFO: Starting version 1.0.5 2011/07/20 09:49:08| squid_kerb_auth: INFO: Starting version 1.0.5 2011/07/20 09:49:09| User-Agent logging is disabled. 2011/07/20 09:49:09| Referer logging is disabled. 2011/07/20 09:49:09| squid_kerb_auth: INFO: Starting version 1.0.5 2011/07/20 09:49:09| squid_kerb_auth: INFO: Starting version 1.0.5 2011/07/20 09:49:09| squid_kerb_auth: INFO: Starting version 1.0.5 2011/07/20 09:49:09| squid_kerb_auth: INFO: Starting version 1.0.5 2011/07/20 09:49:09| squid_kerb_auth: INFO: Starting version 1.0.5 2011/07/20 09:49:09| squid_kerb_auth: INFO: Starting version 1.0.5 2011/07/20 09:49:09| Unlinkd pipe opened on FD 32 2011/07/20 09:49:09| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec 2011/07/20 09:49:09| Store logging disabled 2011/07/20 09:49:09| Swap maxSize 0 + 262144 KB, estimated 20164 objects 2011/07/20 09:49:09| Target number of buckets: 1008 2011/07/20 09:49:09| Using 8192 Store buckets 2011/07/20 09:49:09| Max Mem size: 262144 KB 2011/07/20 09:49:09| Max Swap size: 0 KB 2011/07/20 09:49:09| Using Least Load store dir selection 2011/07/20 09:49:09| Set Current Directory to /var/spool/squid 2011/07/20 09:49:09| Loaded Icons. 2011/07/20 09:49:09| Accepting HTTP connections at [::]:8080, FD 33. 2011/07/20 09:49:09| Accepting HTTP connections at [::]:8084, FD 34. 2011/07/20 09:49:09| HTCP Disabled. 2011/07/20 09:49:09| Squid modules loaded: 0 2011/07/20 09:49:09| Adaptation support is off. 2011/07/20 09:49:09| Ready to serve requests. 2011/07/20 09:49:09| Configuring Parent parent.xx.yy.zz.net/8084/0 2011/07/20 09:49:09| Configuring Parent parent1.xx.yy.zz.net/8080/0 2011/07/20 09:49:10| storeLateRelease: released 0 objects 2011/07/20 09:50:33| squid_kerb_auth: DEBUG: Got 'YR YIII4QYGKwYBBQUCoIII1TCCCNGgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCCKcEggijYIIInwYJKoZIhvcSAQIC ............ 2011/07/20 09:50:33| squid_kerb_auth: DEBUG: Decode 'YIII4QYGKwYBBQUCoIII1TCCCNGgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCCKcEggijYIIInwYJKoZIhvcSAQI ............ 2011/07/20 09:50:35| squid_kerb_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found 2011/07/20 09:50:35| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found' IE 8 was configurated with : "Enable Integrated Windows Authentication" checked Connection | Lan Setting | Server Proxy -> proxyservername Port 8080 On KerbTray List there is the following Ticket: HTTP:/proxyservername Client name : username@xxxxxxxxxxxx Servicename : HTTP:/proxyservername@xxxxxxxxxxxx Target name : HTTP:/proxyservername@xxxxxxxxxxxx Checked Flags are: Forwardable, Renewable, Preauthenticated -----Messaggio originale----- Da: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx] Inviato: martedì 19 luglio 2011 23:15 A: squid-users@xxxxxxxxxxxxxxx Oggetto: Re: squid with kerberos authentication What does the cache.log file say if you add -d to auth_param negotiate program /usr/lib/squid/squid_kerb_auth i.e. auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d How did you configure IE ? Can you see a ticket for HTTP/<squid-fqdn> in kerbtray (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23018)? Regards Markus "Franco, Battista" <Battista.Franco@xxxxxxxxxxxxxxxx> wrote in message news:0B0BF3F65F960A4B8BE340E64290F4CD0696D9A4@xxxxxxxxxxxxxxxxxxxxxxxxxx... Hello On Centos 6 I want used squid (version 3.1.4) with Kerberos authentication so only AD Windows 2003 authenticated users can surfing. Well I perform the steps (explained at link http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos) but when users tried to surfing the IE require user and password and didn't surfing. Why? Can you help me. **** MORE INFO **** I did the following steps: Install and configure samba modify krb5.conf net ads join -U DOMAIN\administrator kinit administrator@DOMAIN export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab net ads keytab CREATE -U DOMAIN\administrator net ads keytab ADD HTTP -U DOMAIN\administrator unset KRB5_KTNAME chgrp squid /etc/squid/HTTP.keytab chmod g+r /etc/squid/HTTP.keytab modify squid startup file with : KRB5_KTNAME=/etc/squid/HTTP.keytab export KRB5_KTNAME below squid.conf file: .... auth_param negotiate program /usr/lib/squid/squid_kerb_auth auth_param negotiate children 10 auth_param negotiate keep_alive on acl auth proxy_auth REQUIRED ... http_access deny !auth http_access allow auth http_access deny all .... With command : /usr/lib/squid/squid_kerb_auth_test proxyserver The token was displayed.
