Hi Markus,

Thanks for responding. The squid effective user can read the keytab and I've got the export line in the squid init script. If I check /proc/<pid>/environ for the main squid process I can see KRB5_KTNAME is set correctly. DNS hostname is proxy01.domain.local but --computer-name used in msktutil is proxy01-h.

I have been playing with it since I wrote the original email and, as long as I don't "Reset Account" for the proxy01-h computer account in AD, everything works: msktutil --auto-update correctly checks the age of the password on the computer account and Negotiate authentication works in Squid.

...as an aside, we use a commercial product to monitor internet access which operates off of the url_rewrite_program directive. Unfortunately, it expects the authenticated user to be returned in the format "DOMAIN\Username", whereas negotiate_kerb_auth returns "Username@DOMAIN". Is there any way to alter the format of the returned username?

Thanks again

Paul

On 18 August 2012 13:30, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
> Hi Paul,
>
> Does the squid running user have read access to the keytab? Did you use
> export KRB5_KTNAME to point to the keytab in the startup script? What is
> the hostname of your squid host? Did you get a minor code message?
>
> Check also my page for some further hints
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
> Markus
>
>
> "Paul Carew" <beavatronix@xxxxxxxxx> wrote in message
> news:CAPHJSn3cN0uj3fsM1mD0iKkS4CTavBHQMu7ya=W8OJsp_twuGg@xxxxxxxxxxxxxx...
>
>> Hi!
>>
>> I'm following the guide here
>>
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>>
>> ...to get Negotiate authentication working with Squid 3.2.1. NTLM
>> works fine but when using Negotiate I am getting this in my
>> cache.log...
>>
>> 2012/08/17 17:31:01 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
>>
>> "kinit -V -kt /etc/squid/HTTP.keytab HTTP/proxy01.domain.local"
>> produces...
>>
>> Using default cache: /tmp/krb5cc_0
>> Using principal: HTTP/proxy01.domain.local@DOMAIN.LOCAL
>> Using keytab: /etc/squid/HTTP.keytab
>> kinit: Preauthentication failed while getting initial credentials
>>
>> "klist -ekt /etc/squid/HTTP.keytab" produces...
>>
>> Keytab name: WRFILE:/etc/squid/HTTP.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    2 08/17/12 17:18:03 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
>>    2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>    2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>    2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
>>    2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>    2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>    3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
>>    3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>    2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
>>    3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>    2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>    2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>
>> auth_params are...
>>
>> auth_param negotiate program /usr/lib/squid/negotiate_kerb_auth
>> auth_param negotiate children 30 startup=10 idle=5
>> auth_param negotiate keep_alive on
>>
>> Can anyone help? I'm guessing I've not done something rather important?
>>
>> Thank you.
>>
>> Paul
>>
>
>
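One way to get the "DOMAIN\Username" form Paul's url_rewrite_program product expects without touching negotiate_kerb_auth is a small pass-through wrapper that sits in front of the vendor helper and rewrites the user field. This is an added example, not code from the thread or from Squid; it assumes the Squid 3.2 helper line layout "URL client_ip/fqdn user method [kv-pairs]" with no concurrency channel prefix, and the realm-to-NetBIOS map and vendor helper path are placeholders.

```python
#!/usr/bin/env python3
"""Pass-through url_rewrite_program wrapper (assumed usage in squid.conf):
url_rewrite_program /usr/local/bin/kerb_user_wrapper.py /opt/vendor/rewrite_helper
Each line from Squid has its user field changed from user@REALM to
NETBIOS\\user before being handed to the real helper; replies pass back unchanged."""
import subprocess
import sys
from urllib.parse import unquote

# Constructed mapping Kerberos realm -> NetBIOS domain; extend for your forest.
REALM_TO_NETBIOS = {"DOMAIN.LOCAL": "DOMAIN"}


def to_domain_backslash(user_field):
    """'paul@DOMAIN.LOCAL' -> 'DOMAIN\\paul'. The unauthenticated marker '-' and
    names without a realm pass through untouched. Squid may percent-escape the
    field, so '%40' is accepted as '@'."""
    decoded = unquote(user_field)
    if user_field == "-" or "@" not in decoded:
        return user_field
    user, realm = decoded.rsplit("@", 1)
    # Fall back to the first DNS label when the realm is not in the map.
    netbios = REALM_TO_NETBIOS.get(realm.upper(), realm.split(".")[0].upper())
    return netbios + "\\" + user


def rewrite_line(line):
    """Rewrite only the third space-separated field (the user) of a helper line."""
    fields = line.rstrip("\n").split(" ")
    if len(fields) >= 3:
        fields[2] = to_domain_backslash(fields[2])
    return " ".join(fields) + "\n"


def main(argv):
    # Spawn the real helper and relay one request/reply pair per line.
    child = subprocess.Popen(argv, stdin=subprocess.PIPE,
                             stdout=subprocess.PIPE, text=True, bufsize=1)
    for line in sys.stdin:
        child.stdin.write(rewrite_line(line))
        child.stdin.flush()
        reply = child.stdout.readline()
        if not reply:          # helper died; let Squid restart us
            return 1
        sys.stdout.write(reply)
        sys.stdout.flush()
    child.stdin.close()
    return child.wait()


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Whether the vendor helper wants the backslash raw or percent-escaped is something to confirm against its documentation before deploying.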