Re: squid_kerb_auth: Unspecified GSS failure (W2K8)

["Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>]

Hi Mihail,

  What does a klist -ekt <keytab> show  ? ( I assume you use MIT Kerberos 
on the squid server)

  What do you see with wireshark in the authentication header send to squid 
?

Markus

"Mihail Lukin"  wrote in message 
news:CAAmm_rZHZ8m1VbYF5mVW-ZbQYvOQhW0Nmf4saOp8GsY5x9KVJQ@xxxxxxxxxxxxxx...

I don't know why access-time is not being updated, but strace has
shown that keytab is being read successfully by squid_kerb_auth
process.

On Thu, Oct 31, 2013 at 8:15 AM, Mihail Lukin <mihail.lukin@xxxxxxxxx> 
wrote:
> Hello, Markus!
>
> Sorry for not mentioning it at once, KRB5_KTNAME is being exported in
> /etc/sysconfig/squid and is readable by squid group. But there is
> still something wrong with it: keytab's access time is not changed
> neither when I restart squid not when I request an URL through the
> proxy.
>
> I think I should strace squid_kerb_auth to see what happens. Thanks
> for the hint!
>
> On Thu, Oct 31, 2013 at 12:53 AM, Markus Moeller
> <huaraz@xxxxxxxxxxxxxxxx> wrote:
> > Hi Mihail,
> >
> >   Did you use export KRB5_KTNAME to point to the right keytab ?  Is the
> > keytab readable by the user under which squid runs ?
> >
> > Markus
> >
> > "Mihail Lukin"  wrote in message
> > news:CAAmm_rZ8jNoeFMRGthiYeHQ+GgSfmySFnw8708dwdDVUW3=R_g@xxxxxxxxxxxxxx...
> >
> > Hello,
> >
> > I'm trying to configure Squid 3.1 to authenticate through AD with W2K8
> > DC with Kerberos. I used this how-to:
> > http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos on
> > CentOS 6 box that I've joined to domain with `net ads join`.
> >
> > Now I'm getting the error in cache.log when I'm trying to visit any
> > URL through this proxy:
> >
> > 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Got 'YR base64 encoded
> > data' from squid (length: 2295).
> > 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Decode 'base64 encoded
> > data' (decoded length: 1717).
> > 2013/10/30 17:07:41| squid_kerb_auth: ERROR: gss_acquire_cred()
> > failed: Unspecified GSS failure.  Minor code may provide more
> > information.
> > 2013/10/30 17:07:41| authenticateNegotiateHandleReply: Error
> > validating user via Negotiate. Error returned 'BH gss_acquire_cred()
> > failed: Unspecified GSS failure.  Minor code may provide more 
> > information. '
> >
> > I could not figure out what the "minor code" is... I googled a lot with 
> > no
> > luck.
> > Any help is very appreciated. Thanks in advance!
>
>
>
> --
> С уважением,
> Михаил Лукин



--
С уважением,
Михаил Лукин