Many thanks, Markus, and sorry for my long delay in answering, but I didn't know enough to reply to you. I read a lot of posts and checked my configuration, and I think that now I can reply to you.

My configuration:

    [logging]
        default = FILE:/var/log/krb/krb5libs.log
        kdc = FILE:/var/log/krb/krb5kdc.log
        admin_server = FILE:/var/log/krb/kadmind.log

    [libdefaults]
        default_realm = ABG.CORP
        default_tgs_enctypes = rc4-hmac
        default_tkt_enctypes = rc4-hmac

    [realms]
        ABG.CORP = {
            default_domain = abg.corp
            kdc = XXXXXXX.abg.corp:88
            kdc = XXXXXXX.abg.corp:88
            admin_server = XXXXX.abg.corp:749
        }

    [domain_realm]
        .abg.corp = ABG.CORP
        abg.corp = ABG.CORP

    -rw-r----- 1 root squid 75 may 6 12:23 squid_w2008.keytab

kinit works properly for kdc and admin_server with 2003 and 2008:

    [root@proxyprueba ~]# kinit -V -kt /etc/squid/squid_w2008.keytab HTTP/proxyprueba.abg.corp
    Using default cache: /tmp/krb5cc_0
    Using principal: HTTP/proxyprueba.abg.corp@xxxxxxxx
    Using keytab: /etc/squid/squid_w2008.keytab
    Authenticated to Kerberos v5

and I view the ticket:

    [root@proxyprueba ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: HTTP/proxyprueba.abg.corp@xxxxxxxx

    Valid starting     Expires            Service principal
    05/07/13 09:32:53  05/07/13 19:33:15  krbtgt/ABG.CORP@xxxxxxxx
            renew until 05/08/13 09:32:53

All DNS resolutions are good:

    direct  --> proxyprueba.abg.corp. 3600 IN A 10.155.196.29
    reverse --> 29.196.155.10.in-addr.arpa. 3600 IN PTR proxyprueba.abg.corp.

With the DC it is the same.

I configured the client (Windows XP and IE8) with the proxy name and port 8080, with proxypack (url).
If I don't put authentication, the client has internet; if I put authentication, it doesn't have internet. I list all tickets in the client with kerbtray and never see HTTP/proxyprueba.abg.corp@xxxxxxxx.

I capture the traffic between proxy and client and only see this:

    Hypertext Transfer Protocol
        HTTP/1.0 407 Proxy Authentication Required\r\n
            [Expert Info (Chat/Sequence): HTTP/1.0 407 Proxy Authentication Required\r\n]
                [Message: HTTP/1.0 407 Proxy Authentication Required\r\n]
                [Severity level: Chat]
                [Group: Sequence]
            Request Version: HTTP/1.0
            Status Code: 407
            Response Phrase: Proxy Authentication Required
        Server: squid/3.1.10\r\n
        Mime-Version: 1.0\r\n
        Date: Tue, 07 May 2013 06:53:18 GMT\r\n
        Content-Type: text/html\r\n
        Content-Length: 3931\r\n
            [Content length: 3931]
        X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
        Vary: Accept-Language\r\n
        Content-Language: es\r\n
        Proxy-Authenticate: Negotiate\r\n
        X-Cache: MISS from proxyprueba.abg.corp\r\n
        X-Cache-Lookup: NONE from proxyprueba.abg.corp:8080\r\n
        Via: 1.0 proxyprueba.abg.corp (squid/3.1.10)\r\n
        Connection: keep-alive\r\n

After NTLM requirement

Can you help me? Now, I think that all is correct.

Many thanks.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-with-2008-2003-DC-tp4659198p4659821.html
Sent from the Squid - Users mailing list archive at Nabble.com.