I’ve got a Squid 3.3.3 running on a Windows 2003 (and 2008) box via CYGWIN, works with the basic config. My next step is to put some authentication in place, in this case Kerberos using..

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/vis-squid.VAND1.OPPY.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

Before I can do this, I need to get a keytab file and set up the proper SPNs. On CYGWIN we don’t have Samba, so I am using msktutil to create the computer account and keytab/SPNs; specifically one that works under CYGWIN (https://github.com/fd00/yacp/tree/master/msktutil).

When I try to create the keytab as per http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos by running...

msktutil -c -b "CN=computers" -s HTTP/xxx-squid.MY.DOMAIN.COM -k /etc/squid/PROXY.keytab --computer-name xxx-squid --upn HTTP/xxx-squid.MY.DOMAIN.COM --server DCSRV02 --enctypes 28 --verbose

It runs but dies at..

-- ldap_get_pwdLastSet: pwdLastSet is 130576191605205669
-- set_password: Successfully set password, waiting for it to be reflected in LDAP.
-- ldap_get_pwdLastSet: pwdLastSet is 130576191607895789
-- set_password: Successfully reset computer's password
-- set_password: Setting samba machine trust account password
The syntax of this command is:

NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP | HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION | SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]

Setting samba secret failed with error code 256
Error: set_password failed
Hint: Does your password policy allow to change vis-squid's password?
For example, there could be a "Minimum password age" policy preventing passwords from being changed too frequently.
If so, you can reset the password instead of changing it using the --user-creds-only option.
Be aware that you need a ticket of a user with administrative privileges for that.
-- ~msktutil_exec: Destroying msktutil_exec
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the password structure
-- ~KRB5Context: Destroying Kerberos Context

Looks like it is trying to use Samba’s “net” command, which is different from the net command above (Windows). So I edited http://repo.or.cz/w/msktutil.git/blob/9f22f3ec6efa0a6f8bb122fb14095a1ab50d3d6c:/msktpass.cpp and commented out the block of code that tries to run the “net changesecretpw” samba cmd (I thought the whole purpose of msktutil was an alternative way to perform net ads keytab create, so why is it running that cmdlet…), then re-compiled msktutil and re-ran it.. It went through this time with..

-- ldap_get_pwdLastSet: pwdLastSet is 130576324675479078
-- set_password: Successfully reset computer's password
-- set_password: Setting samba machine trust account password
-- set_password: Successfully set samba machine trust account password
-- ldap_add_principal: Checking that adding principal HTTP/xxx-squid.MY.DOMAIN.COM to vis-squid won't cause a conflict
-- ldap_add_principal: Adding principal HTTP/xxx-squid.MY.DOMAIN.COM to LDAP entry
-- execute: Updating all entries for rmt-server01.MY.DOMAIN.COM in the keytab WRFILE:/etc/squid/PROXY.keytab
-- update_keytab: Updating all entires for vis-squid
-- ldap_get_kvno: KVNO is 4
-- add_principal_keytab: Adding principal to keytab: vis-squid
-- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab: Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: HTTP/xxx-squid.MY.DOMAIN.COM
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab: Adding entry of enctype 0x12
-- ~msktutil_exec: Destroying msktutil_exec
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the password structure
-- ~KRB5Context: Destroying Kerberos Context

In AD I can see a new user account named “xxx-squid” (should this not be a computer object instead of a user object?), so now back to Squid (stop/start), and trying to hit google.com via IE9/IE10/IE11 I get..

2014/10/12 17:37:14 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key version number for principal in key table is incorrect'

So.. something is still not right with my setup.. any suggestions? Can I create the keytab file on my Active Directory server and copy the file and use it instead?

With the recent release of SQUID 3.3.3 to CYGWIN (http://sourceware.mirrors.tds.net/pub/sourceware.org/cygwin/x86/release/squid/) I’ve been at it for a few days trying to make it work but am stuck at getting SSO with negotiate_kerberos_auth.. Any ideas?
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
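The "Key version number for principal in key table is incorrect" error means the kvno stored in PROXY.keytab does not match the kvno AD currently holds for the account (msktutil printed "ldap_get_kvno: KVNO is 4" for the run above). As an added diagnostic, not code from the post or from msktutil, here is a small parser for the MIT v2 keytab format (the format msktutil writes) that lists principal, kvno and enctype per entry and flags entries whose kvno differs from the AD value; build_keytab only constructs sample data with dummy keys for the demonstration, and the principal name used is assumed from the post. The enctypes in the output above are 0x17 (arcfour-hmac), 0x11 (aes128-cts-hmac-sha1-96) and 0x12 (aes256-cts-hmac-sha1-96).

```python
import struct

def _counted(data, p):
    """Read a 16-bit length-prefixed octet string at offset p; return (bytes, next offset)."""
    (n,) = struct.unpack(">H", data[p:p + 2])
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Parse an MIT-format (0x0502) keytab into (principal, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                          # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack(">H", data[p:p + 2]); p += 2
        realm, p = _counted(data, p)           # v2 stores the realm before the name components
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        p += 8                                 # skip name_type (4 bytes) and timestamp (4 bytes)
        kvno = data[p]; p += 1                 # 8-bit kvno
        enctype, keylen = struct.unpack(">HH", data[p:p + 4]); p += 4 + keylen
        if end - p >= 4:                       # optional 32-bit kvno, authoritative when non-zero
            (vno32,) = struct.unpack(">I", data[p:p + 4])
            kvno = vno32 or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def kvno_mismatches(entries, principal, ad_kvno):
    """Entries for `principal` whose kvno differs from the value AD reports (msktutil's ldap_get_kvno)."""
    return [e for e in entries if e[0] == principal and e[1] != ad_kvno]

def build_keytab(principal, kvno, enctypes):
    """Build a minimal v2 keytab with dummy all-zero 16-byte keys (constructed sample data only)."""
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    head = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(c)) + c for c in parts)
    out = b"\x05\x02"
    for et in enctypes:
        rec = head + struct.pack(">IIBHH", 1, 0, kvno & 0xFF, et, 16) + bytes(16) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(rec)) + rec
    return out
```

Running parse_keytab over the real /etc/squid/PROXY.keytab gives the same principal/kvno/enctype list that MIT `klist -kt` prints; if the kvno there is lower than the AD-side value, the keytab was written before the last password reset and must be regenerated rather than copied around.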