Hi,
Are you sure your squid user has read access to the keytab? If the KVNO
and HTTP/... name in the ticket match what is in the keytab, it should
work.
If your AD entry also has the userprincipalname set to HTTP/proxy....
you can test with kinit -kt <keytab> HTTP/proxy02... It shouldn't produce
an error. It creates a cache which you can look at with klist.
Markus
"flypast" wrote in message news:1387772115044-4663993.post@xxxxxxxxxxxxx...
Hi Markus,
Firstly, thank you very much and Merry Christmas!!!
I tried as you suggested.
But still no luck.
The logs are below:
2013/12/23 14:27:47| squid_kerb_auth: DEBUG: Got 'YR
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'
from squid (length: 1751).
2013/12/23 14:27:47| squid_kerb_auth: DEBUG: Decode
'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'
(decoded length: 1310).
2013/12/23 14:27:47| squid_kerb_auth: ERROR: gss_accept_sec_context()
failed: Unspecified GSS failure. Minor code may provide more information.
2013/12/23 14:27:47| squid_kerb_auth: INFO: User not authenticated
2013/12/23 14:27:47| authenticateNegotiateHandleReply: Error validating user
via Negotiate. Error returned 'BH gss_accept_sec_context() failed:
Unspecified GSS failure. Minor code may provide more information
BTW:
On the DC
C:\Users\Administrator>setspn -L proxy02
Registered ServicePrincipalNames for CN=proxy02,CN=Computers,DC=deeplayer,DC=com:
        HTTP/proxy02.deeplayer.com
[root@proxy01 squid]# klist -ekt /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  16 12/22/13 13:14:31 proxy02$@DEEPLAYER.COM (arcfour-hmac)
  16 12/22/13 13:14:31 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96)
  16 12/22/13 13:14:31 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)
  16 12/22/13 13:14:31 HTTP/proxy02.deeplayer.com@xxxxxxxxxxxxx (arcfour-hmac)
  16 12/22/13 13:14:31 HTTP/proxy02.deeplayer.com@xxxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
  16 12/22/13 13:14:31 HTTP/proxy02.deeplayer.com@xxxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
--
View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-proxy-kerberos-authentication-failure-Help-tp4663964p4663993.html
Sent from the Squid - Users mailing list archive at Nabble.com.
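
The keytab check discussed in this thread (does the keytab hold the HTTP/... principal at the KVNO the ticket carries?), as an added example that is not part of the original messages. The function names, the example.com principal, the sample listing and the account name "squid" are assumptions; the parser also accepts listings where the enctype has wrapped onto its own line.

```shell
#!/bin/sh
# keytab_has_spn SPN KVNO : reads `klist -ekt <keytab>` output on stdin,
# prints the enctypes stored for SPN at KVNO, returns 1 if there are none.
keytab_has_spn() {
    awk -v spn="$1" -v kvno="$2" '
        function check(line,   f, n, enc) {
            n = split(line, f, " ")
            if (n < 4 || f[1] !~ /^[0-9]+$/) return   # header or separator line
            if (index(f[4], spn "@") != 1) return      # a different principal
            if (f[1] != kvno) { stale++; return }      # key from another password version
            enc = f[5]; gsub(/[()]/, "", enc)
            print enc; found++
        }
        /^[ \t]*\(/ { buf = buf " " $0; next }         # enctype wrapped onto its own line
        { if (buf != "") check(buf); buf = $0 }
        END {
            if (buf != "") check(buf)
            if (!found && stale) print "only other KVNOs found for " spn > "/dev/stderr"
            exit (found ? 0 : 1)
        }'
}

# Constructed sample listing (not taken from the thread), with wrapped lines.
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------
  15 12/01/13 09:00:00 HTTP/proxy.example.com@EXAMPLE.COM (arcfour-hmac)
  16 12/22/13 13:14:31 proxy$@EXAMPLE.COM (arcfour-hmac)
  16 12/22/13 13:14:31 HTTP/proxy.example.com@EXAMPLE.COM
(arcfour-hmac)
  16 12/22/13 13:14:31 HTTP/proxy.example.com@EXAMPLE.COM
(aes256-cts-hmac-sha1-96)
EOF
}

# Offline demonstration on the constructed listing.
sample_listing | keytab_has_spn HTTP/proxy.example.com 16

# On the proxy itself (assumes the helper runs as the account "squid"):
#   sudo -u squid test -r /etc/squid/squid.keytab && echo readable
#   klist -ekt /etc/squid/squid.keytab | keytab_has_spn HTTP/proxy02.deeplayer.com 16
```

If the function returns 1 with the "only other KVNOs" message, the keytab was written before the account's key last changed and needs to be regenerated.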