Further to this, I have updated to 3.1.19 and I get the same errors. I have fresh installed the machine back to how it was when the first email went out.

On Mon, 2012-04-16 at 08:25 +1000, Simon Dwyer wrote:
> Hi All,
>
> Have been banging my head against this for a few weeks now.
>
> I have a fresh install of CentOS 6.2 and have installed Squid 3.1.10.
>
> I have copied the Kerberos keytab file from our AD server. It was
> created with the command:
>
> ktpass -princ HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE -mapuser proxy-dev-k$@DOMAIN.EXAMPLE /rndpass -ptype KRB5_NT_PRINCIPAL -out c:\krb5.keytab
>
> When that's on my server I can run
>
> [root@proxy-dev ~]# klist -ke
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    7 HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE (arcfour-hmac)
>
> I can run kinit -k HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE
>
> and that comes up in klist correctly.
>
> My Squid config has been cut down to be simple:
>
> visible_hostname proxy-dev.domain.example
>
> auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -i -d -s HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE
> auth_param negotiate children 10
> auth_param negotiate keep_alive off
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl AUTHENTICATED proxy_auth REQUIRED
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> http_access deny !AUTHENTICATED
> http_access allow AUTHENTICATED
> http_access deny all
>
> http_port 8080
>
> When I have a user try and connect with Kerberos I get this error
> message in cache.log
>
> 2012/04/16 08:12:12| squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
> 2012/04/16 08:12:12| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
> 2012/04/16 08:12:12| squid_kerb_auth: INFO: User not authenticated
>
> Any help would be awesome,
>
> Cheers,
>
> Simon Dwyer