Hi Paul,
Does squid running user have read access to the keytab ? Did you use
export KRB5_KTNAME to point to the keytab in the startup script ? What is
the hostname of your squid host ? Did you get a minor code message ?
Check also my page for some further hints
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
Markus
"Paul Carew" <beavatronix@xxxxxxxxx> wrote in message
news:CAPHJSn3cN0uj3fsM1mD0iKkS4CTavBHQMu7ya=W8OJsp_twuGg@xxxxxxxxxxxxxx...
Hi!
I'm following the guide here
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
...to get Negotiate authentication working with Squid 3.2.1. NTLM
works fine but I when using Negotiate I am getting this in my
cache.log...
2012/08/17 17:31:01 kid1| ERROR: Negotiate Authentication validating
user. Error returned 'BH gss_accept_sec_context() failed: Unspecified
GSS failure. Minor code may provide more information. '
"kinit -V -kt /etc/squid/HTTP.keytab HTTP/proxy01.domain.local"
produces...
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/proxy01.domain.local@DOMAIN.LOCAL
Using keytab: /etc/squid/HTTP.keytab
kinit: Preauthentication failed while getting initial credentials
"klist -ekt /etc/squid/HTTP.keytab" produces...
Keytab name: WRFILE:/etc/squid/HTTP.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
2 08/17/12 17:18:03 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL
(arcfour-hmac)
2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL
(aes128-cts-hmac-sha1-96)
2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL
(aes256-cts-hmac-sha1-96)
3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL
(arcfour-hmac)
3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL
(aes128-cts-hmac-sha1-96)
2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL
(aes256-cts-hmac-sha1-96)
auth_params are...
auth_param negotiate program /usr/lib/squid/negotiate_kerb_auth
auth_param negotiate children 30 startup=10 idle=5
auth_param negotiate keep_alive on
Can anyone help? I'm guessing I've not done something rather important?
Thank you.
Paul