I don't know why access-time is not being updated, but strace has shown that keytab is being read successfully by squid_kerb_auth process. On Thu, Oct 31, 2013 at 8:15 AM, Mihail Lukin <mihail.lukin@xxxxxxxxx> wrote: > Hello, Markus! > > Sorry for not mentioning it at once, KRB5_KTNAME is being exported in > /etc/sysconfig/squid and is readable by squid group. But there is > still something wrong with it: keytab's access time is not changed > neither when I restart squid not when I request an URL through the > proxy. > > I think I should strace squid_kerb_auth to see what happens. Thanks > for the hint! > > On Thu, Oct 31, 2013 at 12:53 AM, Markus Moeller > <huaraz@xxxxxxxxxxxxxxxx> wrote: >> Hi Mihail, >> >> Did you use export KRB5_KTNAME to point to the right keytab ? Is the >> keytab readable by the user under which squid runs ? >> >> Markus >> >> "Mihail Lukin" wrote in message >> news:CAAmm_rZ8jNoeFMRGthiYeHQ+GgSfmySFnw8708dwdDVUW3=R_g@xxxxxxxxxxxxxx... >> >> Hello, >> >> I'm trying to configure Squid 3.1 to authenticate through AD with W2K8 >> DC with Kerberos. I used this how-to: >> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos on >> CentOS 6 box that I've joined to domain with `net ads join`. >> >> Now I'm getting the error in cache.log when I'm trying to visit any >> URL through this proxy: >> >> 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Got 'YR base64 encoded >> data' from squid (length: 2295). >> 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Decode 'base64 encoded >> data' (decoded length: 1717). >> 2013/10/30 17:07:41| squid_kerb_auth: ERROR: gss_acquire_cred() >> failed: Unspecified GSS failure. Minor code may provide more >> information. >> 2013/10/30 17:07:41| authenticateNegotiateHandleReply: Error >> validating user via Negotiate. Error returned 'BH gss_acquire_cred() >> failed: Unspecified GSS failure. Minor code may provide more information. ' >> >> I could not figure out what the "minor code" is... I googled a lot with no >> luck. >> Any help is very appreciated. Thanks in advance! >> > > > > -- > С уважением, > Михаил Лукин -- С уважением, Михаил Лукин
