Hello, Markus! Sorry for not mentioning it at once, KRB5_KTNAME is being exported in /etc/sysconfig/squid and is readable by squid group. But there is still something wrong with it: keytab's access time is not changed neither when I restart squid not when I request an URL through the proxy. I think I should strace squid_kerb_auth to see what happens. Thanks for the hint! On Thu, Oct 31, 2013 at 12:53 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote: > Hi Mihail, > > Did you use export KRB5_KTNAME to point to the right keytab ? Is the > keytab readable by the user under which squid runs ? > > Markus > > "Mihail Lukin" wrote in message > news:CAAmm_rZ8jNoeFMRGthiYeHQ+GgSfmySFnw8708dwdDVUW3=R_g@xxxxxxxxxxxxxx... > > Hello, > > I'm trying to configure Squid 3.1 to authenticate through AD with W2K8 > DC with Kerberos. I used this how-to: > http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos on > CentOS 6 box that I've joined to domain with `net ads join`. > > Now I'm getting the error in cache.log when I'm trying to visit any > URL through this proxy: > > 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Got 'YR base64 encoded > data' from squid (length: 2295). > 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Decode 'base64 encoded > data' (decoded length: 1717). > 2013/10/30 17:07:41| squid_kerb_auth: ERROR: gss_acquire_cred() > failed: Unspecified GSS failure. Minor code may provide more > information. > 2013/10/30 17:07:41| authenticateNegotiateHandleReply: Error > validating user via Negotiate. Error returned 'BH gss_acquire_cred() > failed: Unspecified GSS failure. Minor code may provide more information. ' > > I could not figure out what the "minor code" is... I googled a lot with no > luck. > Any help is very appreciated. Thanks in advance! > -- С уважением, Михаил Лукин
