Thanks for the tip! Here is what it shows:

Server Name (Service and Instance): HTTP/squidsrv.my.doma.in

So, it is the right protocol and host name. But I do not see an exact
match in the keytab. I'm not sure if it is the issue. I created the keytab
exactly as was shown here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab
(samba version, not msktutil).

On Sun, Nov 3, 2013 at 1:29 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
> Hi Mihail,
>
> If you use wireshark you can expand the details of:
>
> Proxy-Authorization: Negotiate YIIHoAYGKwYBB...
>
> It will tell you which service principal the client is sending to the
> server. I wonder if the name matches the names in your keytab.
>
> Markus
>
> -----Original Message-----
> From: Mihail Lukin
> Sent: Saturday, November 02, 2013 9:15 PM
> To: Markus Moeller
> Cc: squid-users
> Subject: Re: Re: squid_kerb_auth: Unspecified GSS failure (W2K8)
>
> Hi, Markus!
>
> 1) Here is the output:
>
> Keytab name: FILE:/etc/squid/HTTP.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (des-cbc-crc)
>    2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (des-cbc-md5)
>    2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (arcfour-hmac)
>    2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (aes128-cts-hmac-sha1-96)
>    2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (aes256-cts-hmac-sha1-96)
>    2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (des-cbc-crc)
>    2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (des-cbc-md5)
>    2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (arcfour-hmac)
>    2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (aes128-cts-hmac-sha1-96)
>    2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (aes256-cts-hmac-sha1-96)
>    2 10/30/13 14:14:09 SQUIDSRV$@MY.DOMA.IN (des-cbc-crc)
>    2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (des-cbc-md5)
>    2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (arcfour-hmac)
>    2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes128-cts-hmac-sha1-96)
>    2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes256-cts-hmac-sha1-96)
>
> 2) I see request header "Proxy-Authorization: Negotiate YIIHoAYGKwYBB..."
>
> 3) It is worth mentioning that using ntlm_auth instead of squid_kerb_auth
> works fine on this server.
>
> On Fri, Nov 1, 2013 at 1:45 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>>
>> Hi Mihail,
>>
>> What does a klist -ekt <keytab> show? (I assume you use MIT Kerberos on
>> the squid server)
>>
>> What do you see with wireshark in the authentication header sent to
>> squid?
>>
>> Markus
>>
>> "Mihail Lukin" wrote in message
>> news:CAAmm_rZHZ8m1VbYF5mVW-ZbQYvOQhW0Nmf4saOp8GsY5x9KVJQ@xxxxxxxxxxxxxx...
>>
>> I don't know why access-time is not being updated, but strace has
>> shown that the keytab is being read successfully by the squid_kerb_auth
>> process.
>>
>> On Thu, Oct 31, 2013 at 8:15 AM, Mihail Lukin <mihail.lukin@xxxxxxxxx> wrote:
>>>
>>> Hello, Markus!
>>>
>>> Sorry for not mentioning it at once, KRB5_KTNAME is being exported in
>>> /etc/sysconfig/squid and is readable by the squid group. But there is
>>> still something wrong with it: the keytab's access time is not changed,
>>> neither when I restart squid nor when I request a URL through the
>>> proxy.
>>>
>>> I think I should strace squid_kerb_auth to see what happens. Thanks
>>> for the hint!
>>>
>>> On Thu, Oct 31, 2013 at 12:53 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>>>>
>>>> Hi Mihail,
>>>>
>>>> Did you use export KRB5_KTNAME to point to the right keytab? Is the
>>>> keytab readable by the user under which squid runs?
>>>>
>>>> Markus
>>>>
>>>> "Mihail Lukin" wrote in message
>>>> news:CAAmm_rZ8jNoeFMRGthiYeHQ+GgSfmySFnw8708dwdDVUW3=R_g@xxxxxxxxxxxxxx...
>>>>
>>>> Hello,
>>>>
>>>> I'm trying to configure Squid 3.1 to authenticate through AD with a W2K8
>>>> DC with Kerberos. I used this how-to:
>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos on a
>>>> CentOS 6 box that I've joined to the domain with `net ads join`.
>>>>
>>>> Now I'm getting the error in cache.log when I'm trying to visit any
>>>> URL through this proxy:
>>>>
>>>> 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Got 'YR base64 encoded data' from squid (length: 2295).
>>>> 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Decode 'base64 encoded data' (decoded length: 1717).
>>>> 2013/10/30 17:07:41| squid_kerb_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information.
>>>> 2013/10/30 17:07:41| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. '
>>>>
>>>> I could not figure out what the "minor code" is... I googled a lot with
>>>> no luck.
>>>> Any help is very appreciated. Thanks in advance!
>>>>
>>>
>>> --
>>> Best regards,
>>> Михаил Лукин
>>
>> --
>> Best regards,
>> Михаил Лукин
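The mismatch the thread has narrowed down to is that the client's Negotiate token names HTTP/squidsrv.my.doma.in while the keytab only holds host/ and machine-account keys, which is exactly what makes gss_acquire_cred() fail. The following script is an added example (not from this thread, the Squid wiki, or the Squid project) that parses `klist -ekt` output and reports whether the SPN a client targets actually has a key, and which other services for the same host are present instead. The listing embedded in it is constructed to mirror the one in the thread; the realm MY.DOMA.IN stands in for the anonymised realm in the original mail.

```python
"""Check whether a keytab (as listed by `klist -ekt`) carries the service
principal a client actually targets, e.g. HTTP/squidsrv.my.doma.in."""
import re
from dataclasses import dataclass

# Constructed sample mirroring the listing in the thread; the realm
# MY.DOMA.IN is a placeholder for the anonymised realm in the original mail.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 10/30/13 14:14:09 host/squidsrv.my.doma.in@MY.DOMA.IN (des-cbc-crc)
   2 10/30/13 14:14:09 host/squidsrv.my.doma.in@MY.DOMA.IN (arcfour-hmac)
   2 10/30/13 14:14:09 host/squidsrv.my.doma.in@MY.DOMA.IN (aes256-cts-hmac-sha1-96)
   2 10/30/13 14:14:09 host/squidsrv@MY.DOMA.IN (arcfour-hmac)
   2 10/30/13 14:14:09 SQUIDSRV$@MY.DOMA.IN (arcfour-hmac)
   2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes256-cts-hmac-sha1-96)
"""

# One keytab entry line: KVNO, date, time, principal@REALM, (enctype)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)@(\S+)\s+\((\S+)\)\s*$")


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str  # "service/instance" or a bare account name, realm stripped
    realm: str
    enctype: str


def parse_klist(text):
    """Parse `klist -ekt` output into KeytabEntry records, skipping headers."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(3),
                                       m.group(4), m.group(5)))
    return entries


def check_spn(entries, spn, required_enctypes=()):
    """Report whether `spn` (e.g. "HTTP/squidsrv.my.doma.in") is usable.

    The GSS acceptor needs a key for exactly the principal named in the
    client's ticket; a host/ key for the same machine does not substitute.
    """
    matching = [e for e in entries if e.principal == spn]
    found = {e.enctype for e in matching}
    instance = spn.split("/", 1)[1] if "/" in spn else None
    # Other service keys for the same host: the usual sign of a wrong SPN.
    neighbours = sorted({e.principal for e in entries
                         if "/" in e.principal
                         and e.principal.split("/", 1)[1] == instance
                         and e.principal != spn})
    return {
        "spn": spn,
        "present": bool(matching),
        "kvnos": sorted({e.kvno for e in matching}),
        "enctypes": sorted(found),
        "missing_enctypes": sorted(set(required_enctypes) - found),
        "same_host_other_service": neighbours,
    }


def report(result):
    """Human-readable summary of check_spn()."""
    if result["present"]:
        lines = [f"OK: {result['spn']} present (kvno {result['kvnos']}, "
                 f"enctypes {', '.join(result['enctypes'])})"]
        if result["missing_enctypes"]:
            lines.append("  missing enctypes: "
                         + ", ".join(result["missing_enctypes"]))
    else:
        lines = [f"MISSING: {result['spn']} has no key in this keytab"]
        if result["same_host_other_service"]:
            lines.append("  keytab only has other services for this host: "
                         + ", ".join(result["same_host_other_service"]))
    return "\n".join(lines)


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    # The SPN seen in the client's Negotiate token in the thread.
    print(report(check_spn(entries, "HTTP/squidsrv.my.doma.in")))
    print(report(check_spn(entries, "host/squidsrv.my.doma.in",
                           required_enctypes=("aes128-cts-hmac-sha1-96",
                                              "aes256-cts-hmac-sha1-96"))))
```

On a real proxy, pipe `klist -ekt /etc/squid/HTTP.keytab` into `parse_klist` and pass the SPN you read out of the Negotiate token; a MISSING result with a host/ neighbour is the keytab-creation step that went wrong, and a present SPN with missing enctypes points at an enctype mismatch between the AD account and the keytab instead.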