Hi to all!

I've a 'little' problem... I've followed the instructions of this guide:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

And I've successfully set up the ntlm and basic authentication. Browsers and applications work well, most of them use ntlm...

But now I've a trouble with kerberos auth, as one win7 client seems to use kerberos instead of ntlm. I get the following error in cache.log:

2014/10/03 17:05:35| negotiate_wrapper: Got '...cut...' from squid (length: 219).
2014/10/03 17:05:35| negotiate_wrapper: Decode '...cut...' (decoded length: 161).
2014/10/03 17:05:35| negotiate_wrapper: received Kerberos token
2014/10/03 17:05:35| squid_kerb_auth: Got '...cut...' from squid (length: 219).
2014/10/03 17:05:35| squid_kerb_auth: Decode '...cut...' (decoded length: 161).
2014/10/03 17:05:35| squid_kerb_auth: gss_accept_sec_context() failed: An unsupported mechanism was requested.
2014/10/03 17:05:35| negotiate_wrapper: Return 'BH gss_accept_sec_context() failed: An unsupported mechanism was requested. '
2014/10/03 17:05:35 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism was requested. '

Kerberos seems to work, as if I do:

msktutil --auto-update --verbose --computer-name serv07-K

I get:

 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password: Characters read from /dev/udandom = 82
 -- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP)
 -- get_dc_host: Found DC: srv-dc1.domain.local
 -- get_dc_host: Canonicalizing DC through forward/reverse lookup...
 -- get_dc_host: Found Domain Controller: srv-dc1.domain.local
 -- get_default_keytab: Obtaining the default keytab name: /etc/squid/PROXY.keytab
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-eMR9yQ
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: serv07-K$
 -- try_machine_keytab_princ: Trying to authenticate for serv07-K$ from local keytab...
 -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-lY6luY
 -- finalize_exec: Authenticated using method 1
 -- ldap_connect: Connecting to LDAP server: srv-dc1.domain.local try_tls=YES
 -- ldap_connect: Connecting to LDAP server: srv-dc1.domain.local try_tls=NO
SASL/GSSAPI authentication started
SASL username: serv07-K$@DOMAIN.LOCAL
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56
 -- ldap_get_base_dn: Determining default LDAP base: dc=DOMAIN,dc=LOCAL
 -- get_default_ou: Determining default OU: CN=Computers,DC=domain,DC=local
 -- ldap_get_pwdLastSet: pwdLastSet is ...cut...
 -- execute: Password last set 0 days ago.
 -- execute: Exiting because password was changed recently.
 -- ~msktutil_exec: Destroying msktutil_exec
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
 -- ~KRB5Context: Destroying Kerberos Context

and doing klist I get:

10/03/14 16:38:47  10/04/14 02:38:47  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 10/10/14 16:38:47

and a klist -k of the keytab file:

  13 serv07-K$@DOMAIN.LOCAL
  13 serv07-K$@DOMAIN.LOCAL
  13 serv07-K$@DOMAIN.LOCAL
  13 host/serv07@DOMAIN.LOCAL
  13 host/serv07@DOMAIN.LOCAL
  13 host/serv07@DOMAIN.LOCAL
  13 HTTP/serv07.domain.local@DOMAIN.LOCAL
  13 HTTP/serv07.domain.local@DOMAIN.LOCAL
  13 HTTP/serv07.domain.local@DOMAIN.LOCAL

So all seems to work correctly.

The kerberos part of the squid.conf is:

auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TUBOSIDER --kerberos /usr/local/bin/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10 startup=0 idle=1
auth_param negotiate keep_alive on

Please help, as I've already searched everywhere for a solution that I can't find, and I'm not so expert on squid!

Thanks!!!

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-auth-not-working-tp4667646.html
Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users