Many thanks Markus, I see what's going on now. :) I will approach the commercial company regarding adding support for the username being supplied in the Kerberos format.

Paul

On 18 August 2012 20:58, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
> Hi Paul.
>
> An account reset means the password or key of this account changes and the
> extracted key in the keytab will get out of sync. So don't reset the
> account in AD, but only autoupdate from msktutil. Also don't share a samba
> account with squid as samba daemons also reset the account from time to time.
> Unfortunately the user@DOMAIN is the Kerberos format and NTDOMAIN\user the
> Netbios format and there is no obvious 1-2-1 mapping between both.
>
> Markus
>
>
> "Paul Carew" <beavatronix@xxxxxxxxx> wrote in message
> news:CAPHJSn16A-QCu2wmsaQUEFN89RxhJTBx-xwSyRUByzvDW3AoyA@xxxxxxxxxxxxxx...
>
>> Hi Markus
>>
>> Thanks for responding. The squid effective user can read the keytab
>> and I've got the export line in the squid init script. If I check
>> /proc/<pid>/environ for the main squid process I can see KRB5_KTNAME
>> is set correctly. DNS hostname is proxy01.domain.local but
>> --computer-name used in msktutil is proxy01-h.
>>
>> I have been playing with it since I wrote the original email and as
>> long as I don't "Reset Account" for the proxy01-h computer account in
>> AD everything works, msktutil --auto-update correctly checks the age of
>> the password on the computer account and negotiate authentication
>> works in Squid.
>>
>> ...as an aside, we use a commercial product to monitor internet access
>> which operates off of the url_rewrite_program directive.
>> Unfortunately, it expects the authenticated user to be returned in the
>> format "DOMAIN\Username" whereas negotiate_kerb_auth returns
>> "Username@DOMAIN". Is there any way to alter the format of the
>> returned username?
>>
>> Thanks again
>>
>> Paul
>>
>>
>> On 18 August 2012 13:30, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>>>
>>> Hi Paul,
>>>
>>> Does the user squid runs as have read access to the keytab? Did you use
>>> export KRB5_KTNAME to point to the keytab in the startup script? What is
>>> the hostname of your squid host? Did you get a minor code message?
>>>
>>> Check also my page for some further hints
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>
>>> Markus
>>>
>>>
>>> "Paul Carew" <beavatronix@xxxxxxxxx> wrote in message
>>> news:CAPHJSn3cN0uj3fsM1mD0iKkS4CTavBHQMu7ya=W8OJsp_twuGg@xxxxxxxxxxxxxx...
>>>
>>>> Hi!
>>>>
>>>> I'm following the guide here
>>>>
>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>>>>
>>>> ...to get Negotiate authentication working with Squid 3.2.1. NTLM
>>>> works fine but when using Negotiate I am getting this in my
>>>> cache.log...
>>>>
>>>> 2012/08/17 17:31:01 kid1| ERROR: Negotiate Authentication validating
>>>> user. Error returned 'BH gss_accept_sec_context() failed: Unspecified
>>>> GSS failure. Minor code may provide more information. '
>>>>
>>>> "kinit -V -kt /etc/squid/HTTP.keytab HTTP/proxy01.domain.local"
>>>> produces...
>>>>
>>>> Using default cache: /tmp/krb5cc_0
>>>> Using principal: HTTP/proxy01.domain.local@DOMAIN.LOCAL
>>>> Using keytab: /etc/squid/HTTP.keytab
>>>> kinit: Preauthentication failed while getting initial credentials
>>>>
>>>> "klist -ekt /etc/squid/HTTP.keytab" produces...
>>>>
>>>> Keytab name: WRFILE:/etc/squid/HTTP.keytab
>>>> KVNO Timestamp         Principal
>>>> ---- ----------------- --------------------------------------------------------
>>>>    2 08/17/12 17:18:03 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
>>>>    2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>>>    2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>>>    2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
>>>>    2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>>>    2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>>>    3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
>>>>    3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>>>    2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
>>>>    3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>>>    2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>>>    2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>>>
>>>> auth_params are...
>>>>
>>>> auth_param negotiate program /usr/lib/squid/negotiate_kerb_auth
>>>> auth_param negotiate children 30 startup=10 idle=5
>>>> auth_param negotiate keep_alive on
>>>>
>>>> Can anyone help? I'm guessing I've not done something rather important?
>>>>
>>>> Thank you.
>>>>
>>>> Paul
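The thread's root cause is a keytab whose keys fell out of sync with the account key in AD: in Paul's `klist -ekt` listing the `proxy01-h$` entries reach KVNO 3, while the `HTTP/` and `host/` service principals only exist at KVNO 2. A small health check that parses that listing and flags every principal lacking an entry at the keytab's newest KVNO makes this visible before Squid starts logging `gss_accept_sec_context()` failures. The script below is an added example written for this thread; it is not part of Squid, msktutil or MIT Kerberos. It assumes the column layout of `klist -ekt` shown above (KVNO, timestamp, principal, enctype in parentheses) and tolerates mail-client line wrapping that pushes the enctype onto a following line; the sample listing is constructed to mirror the one quoted in the thread.

```python
import re
import sys
from collections import defaultdict

# Constructed sample modelled on the "klist -ekt /etc/squid/HTTP.keytab"
# listing quoted in the thread. Two entries are deliberately wrapped the way
# a mail client wraps long lines, with the enctype on its own line.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/17/12 17:18:03 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
   2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL
(arcfour-hmac)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL
(arcfour-hmac)
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
"""

# One keytab entry: "<kvno> <date> <time> <principal> [(<enctype>)]".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)(?:\s+\((\S+)\))?\s*$")
# A wrapped continuation line carrying only the enctype.
CONT_RE = re.compile(r"^\s*\((\S+)\)\s*$")


def parse_klist(text):
    """Turn klist -ekt output into a list of {kvno, principal, enctype} dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, _timestamp, principal, enctype = m.groups()
            entries.append({"kvno": int(kvno), "principal": principal,
                            "enctype": enctype})
            continue
        m = CONT_RE.match(line)
        if m and entries and entries[-1]["enctype"] is None:
            # Enctype that a mail client pushed onto the next line.
            entries[-1]["enctype"] = m.group(1)
    return entries


def kvnos_by_principal(entries):
    """Map each principal to the set of KVNOs it has keys for."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["principal"]].add(e["kvno"])
    return dict(seen)


def current_kvno(entries):
    """Newest key version present anywhere in the keytab."""
    return max(e["kvno"] for e in entries)


def stale_principals(entries):
    """Principals with no key at the keytab's newest KVNO.

    Every SPN on one AD computer account shares that account's key, so after a
    key change (msktutil --auto-update, or an account reset in AD) each of
    them needs an entry at the new KVNO, not just the <computer>$ principal.
    """
    newest = current_kvno(entries)
    return sorted(p for p, ks in kvnos_by_principal(entries).items()
                  if newest not in ks)


def keytab_serves(entries, principal):
    """True if the keytab holds the given principal at the newest KVNO."""
    return principal not in stale_principals(entries) and \
        principal in kvnos_by_principal(entries)


def report(text):
    """Human-readable summary; returns the list of stale principals."""
    entries = parse_klist(text)
    stale = stale_principals(entries)
    print(f"newest KVNO in keytab: {current_kvno(entries)}")
    for principal, ks in sorted(kvnos_by_principal(entries).items()):
        flag = "STALE" if principal in stale else "ok"
        print(f"  {flag:5} {principal} kvno={sorted(ks)}")
    return stale


if __name__ == "__main__":
    # Pipe real output in with: klist -ekt /etc/squid/HTTP.keytab | python3 this.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KLIST
    sys.exit(1 if report(data) else 0)
```

On the sample the check reports `HTTP/proxy01.domain.local@DOMAIN.LOCAL` and `host/proxy01.domain.local@DOMAIN.LOCAL` as stale at KVNO 2 while the newest key is KVNO 3, which is exactly the gap Markus describes: the account key moved on and the extracted service keys did not follow. The non-zero exit status lets the check sit in a cron job or the Squid init script so a drift is caught at the keytab rather than at the first failed Negotiate handshake.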