Re: Re: Squid authenticate in NTLMS not in KERBEROS

["Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>]

Hi Mohamed,

Is /etc/squid/HTTP.keytab readable by the squid process owner ?

Did you include exprot KRB5_KTNAME=/etc/squid/HTTP.keytab to the startup 
script ?

What is the content of /etc/squid/HTTP.keytab ? You can check with 
kinit -ekt /etc/squid/HTTP.keytab (if you use MIT Kerberos)

Markus


"Mohamed Navas" <vmnavas@xxxxxxxxx> wrote in message 
news:CAJa81O4wH1==vKn3iSnV2Z=6w6OH9Zs+BDNPaPGeGL2gSuSHHA@xxxxxxxxxxxxxx...
> Following is my krb5.conf details,
> I tried both msktutil and ktpass in the active directory domain
> server. The thing is working well with NTLM.
>
> krb5.conf
> =======
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = ACCT.SYSNET.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> #default_keytab_name = /etc/squid/HTTP.keytab
> #allow_weak_crypto = yes
>
>
> ; for Windows 2003
>      default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>      default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>      permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> [realms]
> ACCT.SYSNET.LOCAL = {
>  kdc = ad01.acct.sysnet.local
>  admin_server = ad01.acct.sysnet.local
>  kdc = 192.168.8.122
> }
>
> [domain_realm]
> .acct.sysnet.local = DXBPET.SYSNET.LOCAL
> acct.sysnet.local = DXBPET.SYSNET.LOCAL
>
>
> from squid.conf
> ===========
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> #auth_param negotiate program  /usr/sbin/squid_kerb_auth -d
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d
> --ntlm /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=ACCT.SYSNET.LOCAL
> --kerberos /usr/sbin/squid_kerb_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
>
> ### pure ntlm authentication
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=ACCT.SYSNET.LOCAL
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
> acl auth proxy_auth REQUIRED
>
>
> On Tue, Jul 3, 2012 at 1:39 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> 
> wrote:
> > How does your configuration look like ? How did you create the keytab 
> > file ?
> >
> > Markus
> >
> >
> > "Mohamed Navas" <vmnavas@xxxxxxxxx> wrote in message
> > news:CAJa81O71_pG63hu7XGW2om6EOBGTS8y-=xDbSRAyaZgCANaJgw@xxxxxxxxxxxxxx...
> >
> > > Hi,
> > >
> > > I have setup the squid authentication with windows 2003 Domain
> > > controller. But it's working well with NTLM, but failed with kerberso
> > > ..getting following error:-
> > >
> > > =====================================================================
> > > 2012/07/02 15:07:17| squid_kerb_auth: ERROR: gss_accept_sec_context()
> > > failed: Unspecified GSS failure.  Minor code may provide more
> > > information.
> > > 2012/07/02 15:07:17| negotiate_wrapper: Return 'BH
> > > gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
> > > may provide more information.
> > > '
> > > 2012/07/02 15:07:17| authenticateNegotiateHandleReply: Error
> > > validating user via Negotiate. Error returned 'BH
> > > gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
> > > may provide more information
> > >
> > > =======================================================================