Hi Paul.
An account reset means the password or key of this account changes and
the extracted key in the keytab will get out of sync. So don't reset the
account in AD, but only autoupdate from msktutil. Also don't share a samba
account with squid as samba daemons also reset the account from time to time.
Unfortunately user@DOMAIN is the Kerberos format and NTDOMAIN\user the
Netbios format and there is no obvious 1-2-1 mapping between both.
Markus
"Paul Carew" <beavatronix@xxxxxxxxx> wrote in message
news:CAPHJSn16A-QCu2wmsaQUEFN89RxhJTBx-xwSyRUByzvDW3AoyA@xxxxxxxxxxxxxx...
Hi Markus
Thanks for responding. The squid effective user can read the keytab
and I've got the export line in the squid init script. If I check
/proc/<pid>/environ for the main squid process I can see KRB5_KTNAME
is set correctly. DNS hostname is proxy01.domain.local but
--computer-name used in msktutil is proxy01-h.
I have been playing with it since I wrote the original email and as
long as I don't "Reset Account" for the proxy01-h computer account in
AD everything works, msktutil --auto-update correctly checks the age of
the password on the computer account and negotiate authentication
works in Squid.
...as an aside, we use a commercial product to monitor internet access
which operates off of the url_rewrite_program directive.
Unfortunately, it expects the authenticated user to be returned in the
format "DOMAIN\Username" whereas negotiate_kerb_auth returns
"Username@DOMAIN". Is there any way to alter the format of the
returned username?
Thanks again
Paul
On 18 August 2012 13:30, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
Hi Paul,
Does the user squid runs as have read access to the keytab? Did you use
export KRB5_KTNAME to point to the keytab in the startup script? What is
the hostname of your squid host? Did you get a minor code message?
Check also my page for some further hints
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
Markus
"Paul Carew" <beavatronix@xxxxxxxxx> wrote in message
news:CAPHJSn3cN0uj3fsM1mD0iKkS4CTavBHQMu7ya=W8OJsp_twuGg@xxxxxxxxxxxxxx...
Hi!
I'm following the guide here
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
...to get Negotiate authentication working with Squid 3.2.1. NTLM
works fine but when using Negotiate I am getting this in my
cache.log...
2012/08/17 17:31:01 kid1| ERROR: Negotiate Authentication validating
user. Error returned 'BH gss_accept_sec_context() failed: Unspecified
GSS failure. Minor code may provide more information. '
"kinit -V -kt /etc/squid/HTTP.keytab HTTP/proxy01.domain.local"
produces...
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/proxy01.domain.local@DOMAIN.LOCAL
Using keytab: /etc/squid/HTTP.keytab
kinit: Preauthentication failed while getting initial credentials
"klist -ekt /etc/squid/HTTP.keytab" produces...
Keytab name: WRFILE:/etc/squid/HTTP.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
2 08/17/12 17:18:03 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
auth_params are...
auth_param negotiate program /usr/lib/squid/negotiate_kerb_auth
auth_param negotiate children 30 startup=10 idle=5
auth_param negotiate keep_alive on
Can anyone help? I'm guessing I've not done something rather important?
Thank you.
Paul
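Added example, not part of the thread and not msktutil or Squid code: Markus's point is that an AD "Reset Account" bumps the key version, so service keys extracted earlier go stale and gss_accept_sec_context() fails. The listing Paul posted already hints at this: the proxy01-h$ entries appear at KVNO 2 and 3, while the HTTP/ and host/ entries only exist at KVNO 2. The script below parses "klist -ekt" output in the MIT format shown above (the regex assumes that layout; the sample text is the thread's listing with wrapped lines joined) and flags any principal whose newest key is older than the newest key in the keytab, which is the quick local check to run before chasing GSS minor codes.

```python
import re
from collections import defaultdict

# Constructed sample: the "klist -ekt /etc/squid/HTTP.keytab" listing from the
# thread, with the e-mail line wrapping undone.
SAMPLE_KLIST = """Keytab name: WRFILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/17/12 17:18:03 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
   2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
"""

# One keytab entry line as printed by MIT "klist -ekt":
#   <kvno> <date> <time> <principal> (<enctype>)
# This layout is an assumption taken from the listing in the thread.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return a list of (kvno, principal, enctype) tuples from klist -ekt output.

    Header and separator lines do not match the entry pattern and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries


def kvno_report(entries):
    """Group key versions per principal and flag principals left behind.

    A principal whose newest KVNO is lower than the newest KVNO anywhere in the
    keytab was not refreshed the last time the account password changed, so its
    keys no longer match what the KDC issues tickets with.
    """
    by_principal = defaultdict(set)
    for kvno, principal, _enctype in entries:
        by_principal[principal].add(kvno)
    highest = max(max(kvnos) for kvnos in by_principal.values())
    stale = sorted(p for p, kvnos in by_principal.items() if max(kvnos) < highest)
    return {
        "highest_kvno": highest,
        "kvnos": {p: sorted(kvnos) for p, kvnos in by_principal.items()},
        "stale_principals": stale,
    }


if __name__ == "__main__":
    report = kvno_report(parse_klist(SAMPLE_KLIST))
    print("newest KVNO in keytab:", report["highest_kvno"])
    for principal, kvnos in sorted(report["kvnos"].items()):
        print(f"  {principal}: kvno {kvnos}")
    for principal in report["stale_principals"]:
        print("STALE:", principal, "(re-run msktutil --auto-update, do not reset the account in AD)")
```

Run it against real output with "klist -ekt /etc/squid/HTTP.keytab | python3 check_kvno.py"-style piping after swapping SAMPLE_KLIST for sys.stdin.read(). The check is purely local: it tells you the keytab is internally inconsistent, not that its newest KVNO matches what AD currently holds; that comparison is what msktutil --auto-update does when it reads the account's password age from the domain controller.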