Re: kerberos ERROR: gss_accept_sec_context() failed: Unspecified GSS failure

Hi Glenn,

If you follow the online guide at http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos you will see for win2008 a

msktutil -c -b "CN=COMPUTERS" -s HTTP/<fqdn> -h <fqdn> -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/<fqdn> --server <domain controller> --verbose --enctypes 28

i.e. the addition of --enctypes 28

Can you try that?

Markus

"Glenn groves" <glenn.groves@xxxxxxxxx> wrote in message news:CAN55zj5L1nDOf1poMhGkfMjEGpV2hFmDw5zp4aQJCfvXZAqm0Q@xxxxxxxxxxxxxx...
Hi All,

I have been setting up a new proxy. It needs to have Kerberos auth so that the users on the domain do not get prompted for a password but are authenticated, and this is to show in the logs. Sorry for the formatting, I tried using the bold and embed tags but they did not work.

It does not work for Windows 7, Windows 8 or Windows 2008.

I have it working when I try from a Windows 2003 OS, and can see the auth occurring in the logs:

2013/08/05 11:48:16| squid_kerb_auth: INFO: User user@xxxxxxxxxxxxx authenticated

However from a Windows 7 or Windows 8 PC, the authentication does not complete and instead there is an error:

2013/08/05 11:48:31| squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information.

2013/08/05 11:48:31| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information.

==> /var/log/squid/cache.log <==

2013/08/05 11:48:31| squid_kerb_auth: INFO: User not authenticated

Below is some information on the configuration:

We are running 3 x 2008R2 domain controllers and 1 x 2003 domain controller, thus the domain mode is set to 2003.

The krb5.conf file contains:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
   default_realm = MYDOMAIN.COM.AU
   dns_lookup_kdc = false
   dns_lookup_realm = false
   ticket_lifetime = 24h
   default_keytab_name = /etc/squid/PROXY.keytab
   forwardable = true

; Note, because we have a 2003 domain controller, I have the 2003 uncommented below, not the 2008 with AES
; for Windows 2003
   default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
   default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
   permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
;    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
   MYDOMAIN.COM.AU = {
       kdc = kdc1.mydomain.com.au
       kdc = kdc2.mydomain.com.au
       kdc = kdc3.mydomain.com.au
       kdc = kdc4.mydomain.com.au
       admin_server = kdc1.mydomain.com.au
       default_domain = mydomain.com.au
   }

[domain_realm]
   .mydomain.com.au = MYDOMAIN.COM.AU
   mydomain.com.au = MYDOMAIN.COM.AU



The squid.conf contains the following custom settings:

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -i -d -s HTTP/proxy.mydoamin.com.au
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours
acl ad_auth proxy_auth REQUIRE
http_access allow ad_auth
http_access allow localnet

(Note: I would like to get rid of the http_access allow localnet line, but even on 2003, when the auth works, internet access is denied without it.)

My /etc/sysconfig/squid file has the following custom lines:

KRB5_KTNAME=/etc/squid/PROXY.keytab
export KRB5_KTNAME

When I ran this command, the keytab was generated successfully:

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.mydomain.com.au -h proxy.mydomain.com.au -k /etc/squid/PROXY.keytab --computer-name PROXYK --upn HTTP/proxy.mydomain.com.au --server dc1.mydomain.com.au --verbose

The permissions on the keytab are below, which should be fine:

-rw-rw-rw-. 1 root root 1430 Aug  5 08:33 /etc/squid/PROXY.keytab

In summary, the fact that Windows 2003 works and gets authenticated shows to me that Kerberos is working, so why won't Windows 2008, 7 or 8 work?

Thanks,

Glenn
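As an added illustration of Markus's suggestion (this is not code from either poster, nor from the Squid or msktutil projects): msktutil's --enctypes value is the msDS-SupportedEncryptionTypes bitmask, so 28 = 4 + 8 + 16 enables RC4-HMAC, AES128 and AES256 keys in the account and the keytab. A service keytab that has no key of the enctype the KDC used for a client's service ticket cannot decrypt that ticket, and the acceptor then fails inside gss_accept_sec_context(). The script below parses a version-2 keytab, lists the enctypes present for each principal and reports which of the enctypes a given mask requests are missing. The principal name and both keytabs are constructed in the file, not Glenn's; the keytab layout is the MIT version-2 format.

```python
"""Audit a Squid HTTP/ service keytab against an msktutil --enctypes mask.

Added example, not part of the original thread.  The keytab bytes below are
constructed; the bit values are those of msDS-SupportedEncryptionTypes.
"""
import struct

# msDS-SupportedEncryptionTypes bits: 28 = 4 + 8 + 16 = RC4 + AES128 + AES256
ENCTYPE_BITS = {
    1: "des-cbc-crc",
    2: "des-cbc-md5",
    4: "rc4-hmac",
    8: "aes128-cts-hmac-sha1-96",
    16: "aes256-cts-hmac-sha1-96",
}

# Kerberos enctype numbers as they appear in a keytab keyblock
ENCTYPE_NUMBERS = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


def decode_enctypes_mask(mask):
    """Names of the enctypes an msktutil --enctypes value enables."""
    return [name for bit, name in ENCTYPE_BITS.items() if mask & bit]


def parse_keytab(data):
    """Parse a version-2 (0x0502) keytab into (principal, kvno, enctype name).

    Only the fields needed for the audit are decoded; key bytes are skipped
    and never returned.
    """
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        pos += 4 + 4                       # name_type and timestamp
        kvno = data[pos]                   # 8-bit kvno
        pos += 1
        etype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4 + klen                    # skip the key material
        if end - pos >= 4:                 # optional 32-bit kvno overrides vno8
            (kvno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = kvno32 or kvno
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno,
                        ENCTYPE_NUMBERS.get(etype, "etype-%d" % etype)))
    return entries


def missing_enctypes(entries, principal, mask):
    """Enctypes enabled in `mask` for which `principal` has no key in the keytab."""
    have = {etype for name, _, etype in entries if name == principal}
    return [e for e in decode_enctypes_mask(mask) if e not in have]


def build_keytab(keys):
    """Serialise (principal, kvno, etype number, key) tuples as a v2 keytab.
    Used only to construct sample input; real keytabs come from msktutil."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key in keys:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 1375663980, kvno & 0xFF)  # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


SPN = "HTTP/proxy.example.com@EXAMPLE.COM"   # constructed, not the poster's SPN

# Constructed keytabs (all-zero keys): one holding only the RC4/DES enctypes the
# poster's krb5.conf permits, one holding the RC4+AES set that --enctypes 28 requests.
RC4_ONLY_KEYTAB = build_keytab([(SPN, 2, 23, bytes(16)), (SPN, 2, 3, bytes(8))])
ENCTYPES_28_KEYTAB = build_keytab([(SPN, 3, 23, bytes(16)),
                                   (SPN, 3, 17, bytes(16)),
                                   (SPN, 3, 18, bytes(32))])

if __name__ == "__main__":
    for label, blob in (("rc4-only", RC4_ONLY_KEYTAB), ("enctypes-28", ENCTYPES_28_KEYTAB)):
        entries = parse_keytab(blob)
        print(label, entries)
        print("  missing for --enctypes 28:", missing_enctypes(entries, SPN, 28))
```

Against a real file, `parse_keytab(open("/etc/squid/PROXY.keytab", "rb").read())` gives the same per-principal enctype list that `klist -ekt /etc/squid/PROXY.keytab` prints, without needing the Kerberos tools on the box doing the check.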