Re: Re: Squid authenticate in NTLMS not in KERBEROS

Mohamed Navas <vmnavas@xxxxxxxxx> · Tue, 3 Jul 2012 07:54:14 +0400

Following is my krb5.conf details,
I tried both msktutil and ktpass in the active directory domain
server. The thing is working well with NTLM.

krb5.conf
=======
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ACCT.SYSNET.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
#default_keytab_name = /etc/squid/HTTP.keytab
#allow_weak_crypto = yes

; for Windows 2003
      default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 ACCT.SYSNET.LOCAL = {
  kdc = ad01.acct.sysnet.local
  admin_server = ad01.acct.sysnet.local
  kdc = 192.168.8.122
 }

[domain_realm]
 .acct.sysnet.local = DXBPET.SYSNET.LOCAL
 acct.sysnet.local = DXBPET.SYSNET.LOCAL

from squid.conf
===========

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#auth_param negotiate program  /usr/sbin/squid_kerb_auth -d
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d
--ntlm /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=ACCT.SYSNET.LOCAL
--kerberos /usr/sbin/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=ACCT.SYSNET.LOCAL
auth_param ntlm children 10
auth_param ntlm keep_alive off
acl auth proxy_auth REQUIRED

On Tue, Jul 3, 2012 at 1:39 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
> How does your configuration look like ? How did you create the keytab file ?
>
> Markus
>
>
> "Mohamed Navas" <vmnavas@xxxxxxxxx> wrote in message
> news:CAJa81O71_pG63hu7XGW2om6EOBGTS8y-=xDbSRAyaZgCANaJgw@xxxxxxxxxxxxxx...
>
>> Hi,
>>
>> I have setup the squid authentication with windows 2003 Domain
>> controller. But it's working well with NTLM, but failed with kerberso
>> ..getting following error:-
>>
>> =====================================================================
>> 2012/07/02 15:07:17| squid_kerb_auth: ERROR: gss_accept_sec_context()
>> failed: Unspecified GSS failure.  Minor code may provide more
>> information.
>> 2012/07/02 15:07:17| negotiate_wrapper: Return 'BH
>> gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
>> may provide more information.
>> '
>> 2012/07/02 15:07:17| authenticateNegotiateHandleReply: Error
>> validating user via Negotiate. Error returned 'BH
>> gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
>> may provide more information
>>
>> =======================================================================
>>
>>
>