Hello Super!

Everything works fine, including groups for basic, ntlm and negotiate. Is it possible to have Digest authentication with Windows 2003 AD?

Add the following to your wiki page:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on

Best regards,
George Machitidze

On Thu, Jan 12, 2012 at 4:29 PM, George Machitidze <giomac@xxxxxxxxx> wrote:
> Never mind - my fault.
>
> On Red Hat, winbind is running as root and the owner of the file is root:root;
> I've changed it to squid.
>
> Best regards,
> George Machitidze
>
> On Thu, Jan 12, 2012 at 4:01 PM, George Machitidze <giomac@xxxxxxxxx> wrote:
>> Here are the first issues:
>>
>> [root@proxy ~]# kdestroy
>>
>> <NOW RESET DONE FOR HOST squid-k IN AD>
>>
>> [root@proxy ~]# msktutil --auto-update --verbose --computer-name squid-k
>> -- init_password: Wiping the computer password structure
>> -- get_dc_host: Attempting to find a Domain Controller to use
>> -- get_dc_host: Found Domain Controller: TEST-admsdc02
>> -- get_default_keytab: Obtaining the default keytab name: /etc/squid/HTTP.keytab
>> -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-iN2kxe
>> -- reload: Reloading Kerberos Context
>> -- finalize_exec: SAM Account Name is: squid-k$
>> -- try_machine_keytab_princ: Trying to authenticate for squid-k$ from local keytab...
>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>> -- try_machine_keytab_princ: Authentication with keytab failed
>> -- try_machine_keytab_princ: Trying to authenticate for host/proxy from local keytab...
>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>> -- try_machine_keytab_princ: Authentication with keytab failed
>> -- try_machine_password: Trying to authenticate for squid-k$ with password.
>> -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>> -- try_machine_password: Authentication with password failed
>> -- try_user_creds: Checking if default ticket cache has tickets...
>> -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
>> -- try_user_creds: User ticket cache was not valid.
>> Error: could not find any credentials to authenticate with. Neither keytab,
>> default machine password, nor calling user's tickets worked. Try
>> "kinit"ing yourself some tickets with permission to create computer
>> objects, or pre-creating the computer object in AD and selecting
>> 'reset account'.
>> -- ~KRB5Context: Destroying Kerberos Context
>>
>> [root@proxy ~]# cat /etc/krb5.conf
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = TEST.GE
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ticket_lifetime = 24h
>> forwardable = yes
>> default_keytab_name = /etc/squid/HTTP.keytab
>> default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>> default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>> permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>>
>> [realms]
>> TEST.GE = {
>> kdc = TEST-admsdc01.test.ge
>> kdc = TEST-admsdc01.test.ge
>> admin_server = TEST-admsdc01.test.ge
>> default_domain = test.ge
>> }
>>
>> [domain_realm]
>> test.ge = TEST.GE
>> .test.ge = TEST.GE
>>
>> [appdefaults]
>> pam = {
>> debug = true
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> }
>>
>> Where can I find the reason?
>>
>> Best regards,
>> George Machitidze
>>
>> On Thu, Jan 12, 2012 at 1:11 PM, George Machitidze <giomac@xxxxxxxxx> wrote:
>>> Hello James,
>>>
>>> Great job! Thanks for the reply.
>>>
>>> I will check and update with tests :)
>>>
>>> Best regards,
>>> George Machitidze
>>>
>>> On Thu, Jan 12, 2012 at 1:00 PM, James Robertson <j@xxxxxxxxxxxxxxxx> wrote:
>>>>> When I try to use the Opera browser I am getting an ugly message after
>>>>> entering credentials:
>>>>>
>>>>> authenticateNegotiateHandleReply: Error validating user via Negotiate.
>>>>> Error returned 'BH received type 1 NTLM token'
>>>>
>>>> Opera does not support Kerberos as far as I know. You will still
>>>> need to support NTLM. You will have issues with iTunes and possibly
>>>> various other apps that need NTLM support.
>>>>
>>>>> Is there any "universal", well tested configuration/manual that will
>>>>> make all clients work?
>>>>
>>>> I just completed a guide based on Debian that supports Kerberos, NTLM
>>>> and basic auth and was planning on updating the Squid Wiki also
>>>> sometime soon. You should be able to translate that to your RH.
>>>>
>>>> HTH.
>>>>
>>>> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
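The krb5.conf quoted in the thread permits only RC4 and single-DES enctypes (what a Windows 2003 DC offers, but deprecated today) and lists the same kdc twice. As an added example, not from the thread or from Squid, here is a small Python linter that parses a krb5.conf (including `key = { ... }` realm blocks and repeated keys) and reports both issues; `SAMPLE` is constructed, trimmed from the posted config.

```python
# Added example (not from the thread): parse a krb5.conf and flag weak
# enctypes and duplicated kdc lines. SAMPLE is constructed from the posted config.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

SAMPLE = """\
[libdefaults]
 default_realm = TEST.GE
 default_keytab_name = /etc/squid/HTTP.keytab
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
 TEST.GE = {
  kdc = TEST-admsdc01.test.ge
  kdc = TEST-admsdc01.test.ge
 }
"""

def parse_krb5_conf(text):
    """{section: {key: value}}; `key = { ... }` nests, repeated keys become lists."""
    conf, stack = {}, []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]  # new top-level section
        elif line == "}":
            stack.pop()  # close a nested block such as a realm
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            elif key in stack[-1]:  # e.g. several kdc lines for one realm
                prev = stack[-1][key]
                stack[-1][key] = (prev if isinstance(prev, list) else [prev]) + [value]
            else:
                stack[-1][key] = value
    return conf

def lint(conf):
    """Findings a defender wants before trusting this config for Squid Negotiate."""
    findings = []
    for k in ENCTYPE_KEYS:
        weak = sorted(set(conf.get("libdefaults", {}).get(k, "").split()) & WEAK_ENCTYPES)
        if weak:
            findings.append(f"libdefaults.{k} permits weak enctypes: {' '.join(weak)}")
    for realm, settings in conf.get("realms", {}).items():
        kdcs = settings.get("kdc", [])
        kdcs = kdcs if isinstance(kdcs, list) else [kdcs]
        if len(set(kdcs)) < len(kdcs):
            findings.append(f"realms.{realm}: kdc listed more than once: {' '.join(kdcs)}")
    return findings
```

Run `lint(parse_krb5_conf(open("/etc/krb5.conf").read()))` on a real host to get the same findings for its own configuration.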