Hi, Markus!

1) Here is the output:

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (des-cbc-crc)
   2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (des-cbc-md5)
   2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (arcfour-hmac)
   2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (aes128-cts-hmac-sha1-96)
   2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (aes256-cts-hmac-sha1-96)
   2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (des-cbc-crc)
   2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (des-cbc-md5)
   2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (arcfour-hmac)
   2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (aes128-cts-hmac-sha1-96)
   2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (aes256-cts-hmac-sha1-96)
   2 10/30/13 14:14:09 SQUIDSRV$@MY.DOMA.IN (des-cbc-crc)
   2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (des-cbc-md5)
   2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (arcfour-hmac)
   2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes128-cts-hmac-sha1-96)
   2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes256-cts-hmac-sha1-96)

2) I see request header "Proxy-Authorization: Negotiate YIIHoAYGKwYBB..."

3) It is worth mentioning that using ntlm_auth instead of squid_kerb_auth
works fine on this server.

On Fri, Nov 1, 2013 at 1:45 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
> Hi Mihail,
>
> What does a klist -ekt <keytab> show? (I assume you use MIT Kerberos on
> the squid server)
>
> What do you see with wireshark in the authentication header sent to squid?
>
> Markus
>
> "Mihail Lukin" wrote in message
> news:CAAmm_rZHZ8m1VbYF5mVW-ZbQYvOQhW0Nmf4saOp8GsY5x9KVJQ@xxxxxxxxxxxxxx...
>
> I don't know why access-time is not being updated, but strace has
> shown that keytab is being read successfully by squid_kerb_auth
> process.
>
> On Thu, Oct 31, 2013 at 8:15 AM, Mihail Lukin <mihail.lukin@xxxxxxxxx>
> wrote:
>>
>> Hello, Markus!
>>
>> Sorry for not mentioning it at once, KRB5_KTNAME is being exported in
>> /etc/sysconfig/squid and is readable by squid group. But there is
>> still something wrong with it: keytab's access time is not changed
>> either when I restart squid or when I request a URL through the
>> proxy.
>>
>> I think I should strace squid_kerb_auth to see what happens. Thanks
>> for the hint!
>>
>> On Thu, Oct 31, 2013 at 12:53 AM, Markus Moeller
>> <huaraz@xxxxxxxxxxxxxxxx> wrote:
>>>
>>> Hi Mihail,
>>>
>>> Did you use export KRB5_KTNAME to point to the right keytab? Is the
>>> keytab readable by the user under which squid runs?
>>>
>>> Markus
>>>
>>> "Mihail Lukin" wrote in message
>>> news:CAAmm_rZ8jNoeFMRGthiYeHQ+GgSfmySFnw8708dwdDVUW3=R_g@xxxxxxxxxxxxxx...
>>>
>>> Hello,
>>>
>>> I'm trying to configure Squid 3.1 to authenticate through AD with W2K8
>>> DC with Kerberos. I used this how-to:
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos on
>>> CentOS 6 box that I've joined to domain with `net ads join`.
>>>
>>> Now I'm getting the error in cache.log when I'm trying to visit any
>>> URL through this proxy:
>>>
>>> 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Got 'YR base64 encoded
>>> data' from squid (length: 2295).
>>> 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Decode 'base64 encoded
>>> data' (decoded length: 1717).
>>> 2013/10/30 17:07:41| squid_kerb_auth: ERROR: gss_acquire_cred()
>>> failed: Unspecified GSS failure. Minor code may provide more
>>> information.
>>> 2013/10/30 17:07:41| authenticateNegotiateHandleReply: Error
>>> validating user via Negotiate. Error returned 'BH gss_acquire_cred()
>>> failed: Unspecified GSS failure. Minor code may provide more
>>> information. '
>>>
>>> I could not figure out what the "minor code" is... I googled a lot with
>>> no luck.
>>> Any help is much appreciated. Thanks in advance!
>>>
>>
>> --
>> Best regards,
>> Mihail Lukin
>
> --
> Best regards,
> Mihail Lukin