
Kerberos with AD

Hi All,

Have been banging my head against this for a few weeks now.

I have a fresh install of CentOS 6.2 and have installed Squid 3.1.10.

I have copied the Kerberos keytab file from our AD server.  It was
created with the command:

ktpass -princ HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE -mapuser proxy-dev-k$@DOMAIN.EXAMPLE /rndpass -ptype KRB5_NT_PRINCIPAL -out c:\krb5.keytab

When that's on my server I can run

[root@proxy-dev ~]# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE (arcfour-hmac)

I can run kinit -k HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE

and that comes up in klist correctly.


My Squid config has been cut down to be simple:

visible_hostname proxy-dev.domain.example

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -i -d -s HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE
auth_param negotiate children 10
auth_param negotiate keep_alive off

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl AUTHENTICATED proxy_auth REQUIRED

# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
http_access deny !AUTHENTICATED
http_access allow AUTHENTICATED
http_access deny all

http_port 8080


When I have a user try to connect with Kerberos I get this error
message in cache.log:

2012/04/16 08:12:12| squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information.
2012/04/16 08:12:12| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. '
2012/04/16 08:12:12| squid_kerb_auth: INFO: User not authenticated

Any help would be awesome,

Cheers,

Simon Dwyer
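An added pre-flight check for setups like the one described above (example code, not part of Simon's post or of Squid's own tooling): it parses the output of klist -ke, confirms the keytab holds the HTTP/<host>@REALM principal a client requests when it connects to the proxy, and lists the encryption type of each key. The hostnames and realm are the ones that appear in the post; the klist output is embedded so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from Squid: check that a
# keytab listing (the output of `klist -ke`) contains the HTTP/<host>@REALM
# service principal a browser will request when it talks to the proxy.
# KLIST_SAMPLE is the poster's own klist output, embedded here so the script
# runs offline; on a real proxy replace it with "$(klist -ke)".

KLIST_SAMPLE='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE (arcfour-hmac)'

# keytab_entries <klist output>: print "kvno principal enctype" for every
# key entry, skipping the header and separator lines.
keytab_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { gsub(/[()]/, "", $3); print $1, $2, $3 }'
}

# keytab_has_spn <klist output> <principal>: exit 0 if the keytab holds a key
# for <principal>, i.e. the value Squid is started with via -s HTTP/host@REALM.
keytab_has_spn() {
    keytab_entries "$1" | awk -v want="$2" '$2 == want { found = 1 } END { exit !found }'
}

# spn_for_host <hostname> <REALM>: the principal a client asks the KDC for
# when its proxy setting points at <hostname>.
spn_for_host() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# Walk the hostnames that appear in the post (the keytab principal and
# visible_hostname) and report whether the keytab can decrypt tickets for each.
for host in proxy-dev-k.domain.example proxy-dev.domain.example; do
    spn=$(spn_for_host "$host" DOMAIN.EXAMPLE)
    if keytab_has_spn "$KLIST_SAMPLE" "$spn"; then
        echo "present: $spn"
    else
        echo "missing: $spn  (tickets issued for this name cannot be accepted)"
    fi
done

# Encryption types matter too: arcfour-hmac is RC4, which current MIT Kerberos
# releases treat as deprecated; a keytab with only that enctype should be
# regenerated with AES keys once the AD account allows it.
keytab_entries "$KLIST_SAMPLE" | awk '{ print "enctype for " $2 ": " $3 }'
```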



