Hi Marcio,
The helper needs a Kerberos token as input. Please have a look
at test_negotiate_auth.sh, which is in src/auth/negotiate/kerberos of the
trunk version. The squid hostname must match the entry in your keytab and you
must have done kinit to authenticate against a Kerberos server (e.g. AD) as a user
first.
Regards
Markus
"Marcio Demetrio Bacci" <marciobacci@xxxxxxxxx> wrote in message
news:CA+0TdyqEAt4L5KO4zrJNJ1aUe64mY2Re7z95KFdqW7Y8SV_qbg@xxxxxxxxxxxxxx...

I have trouble authenticating Squid3 with Kerberos in a Samba4 domain. I'm
using CentOS 7 and Squid 3.3.8 (yum install squid).

When I type the below command in the terminal:

    /usr/lib64/squid/negotiate_kerberos_auth -d -i -s HTTP/proxy.cms.ensino.br@xxxxxxxxxxxxx john xyz@12345

I have the following error:

    negotiate_kerberos_auth.cc(315): pid=6364 :2016/08/27 10:44:33| negotiate_kerberos_auth: DEBUG: Got 'john xyz@12345' from squid (length: 14).
    negotiate_kerberos_auth.cc(362): pid=6364 :2016/08/27 10:44:33| negotiate_kerberos_auth: ERROR: Invalid request [john xyz@12345]
    BH invalid request

Here are my configuration files:

/etc/krb5.conf

    [libdefaults]
        default_realm = CMS.ENSINO.BR

    [realms]
        CMS.ENSINO.BR = {
            kdc = dc1.cms.ensino.br:88
            admin_server = dc1.cms.ensino.br
            default_domain = CMS.ENSINO.BR
        }

    [domain_realm]
        .cms.ensino.br = CMS.ENSINO.BR
        cms.ensino.br = CMS.ENSINO.BR

Keytab name: FILE:/etc/krb5.keytab

    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 proxy-k$@CMS.ENSINO.BR
       1 proxy-k$@CMS.ENSINO.BR
       1 proxy-k$@CMS.ENSINO.BR
       1 HTTP/proxy.cms.ensino.br@xxxxxxxxxxxxx
       1 HTTP/proxy.cms.ensino.br@xxxxxxxxxxxxx
       1 HTTP/proxy.cms.ensino.br@xxxxxxxxxxxxx
       1 host/proxy.cms.ensino.br@xxxxxxxxxxxxx
       1 host/proxy.cms.ensino.br@xxxxxxxxxxxxx
       1 host/proxy.cms.ensino.br@xxxxxxxxxxxxx
       1 host/proxy.cms.ensino.br@xxxxxxxxxxxxx
       1 host/proxy.cms.ensino.br@xxxxxxxxxxxxx
       1 host/PROXY@xxxxxxxxxxxxx
       1 host/PROXY@xxxxxxxxxxxxx
       1 host/PROXY@xxxxxxxxxxxxx
       1 host/PROXY@xxxxxxxxxxxxx
       1 host/PROXY@xxxxxxxxxxxxx
       1 PROXY$@CMS.ENSINO.BR
       1 PROXY$@CMS.ENSINO.BR
       1 PROXY$@CMS.ENSINO.BR
       1 PROXY$@CMS.ENSINO.BR
       1 PROXY$@CMS.ENSINO.BR
       1 proxy-k$@CMS.ENSINO.BR
       1 proxy-k$@CMS.ENSINO.BR
       1 HTTP/proxy.cms.ensino.br@xxxxxxxxxxxxx
       1 HTTP/proxy.cms.ensino.br@xxxxxxxxxxxxx
       1 HTTP/PROXY@xxxxxxxxxxxxx
       1 HTTP/PROXY@xxxxxxxxxxxxx
       1 HTTP/PROXY@xxxxxxxxxxxxx
       1 HTTP/PROXY@xxxxxxxxxxxxx
       1 HTTP/PROXY@xxxxxxxxxxxxx

Keytab name: FILE:/etc/squid/PROXY.keytab

    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 proxy-k$@CMS.ENSINO.BR
       1 proxy-k$@CMS.ENSINO.BR
       1 proxy-k$@CMS.ENSINO.BR
       1 HTTP/proxy.cms.ensino.br@xxxxxxxxxxxxx
       1 HTTP/proxy.cms.ensino.br@xxxxxxxxxxxxx
       1 HTTP/proxy.cms.ensino.br@xxxxxxxxxxxxx
       1 host/proxy.cms.ensino.br@xxxxxxxxxxxxx
       1 host/proxy.cms.ensino.br@xxxxxxxxxxxxx
       1 host/proxy.cms.ensino.br@xxxxxxxxxxxxx

/etc/sysconfig/squid

    # default squid options
    SQUID_OPTS=""

    # Time to wait for Squid to shut down when asked. Should not be necessary
    # most of the time.
    SQUID_SHUTDOWN_TIMEOUT=100

    # default squid conf file
    SQUID_CONF="/etc/squid/squid.conf"

    KRB5_KTNAME=/etc/squid/PROXY.keytab
    export KRB5_KTNAME

kinit and klist commands are OK.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
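
Added example, not part of the thread and not Squid's own code: pre-flight checks for the manual helper test discussed above. It checks that a line has the request shape of Squid's Negotiate helper protocol ("YR <token>" or "KK <token>"), which 'john xyz@12345' does not, and that a `klist -k` listing contains the HTTP/<fqdn> principal. Function names and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for a manual negotiate_kerberos_auth test.
# Function names are hypothetical; they are not part of Squid.

# check_request LINE: succeed only if LINE has the shape the Negotiate helper
# reads on stdin, "YR <token>" or "KK <token>", with a token made up solely
# of base64 characters. A "user password" line fails the first test.
check_request() {
    case "$1" in
        "YR "*|"KK "*) token=${1#?? } ;;
        *) echo "rejected: expected 'YR <token>' or 'KK <token>'"; return 1 ;;
    esac
    case "$token" in
        ""|*[!A-Za-z0-9+/=]*) echo "rejected: token has non-base64 characters"; return 1 ;;
    esac
    echo "ok"
}

# keytab_has_http_principal FQDN: read `klist -k` output on stdin and succeed
# if it lists HTTP/FQDN@REALM, the entry the Squid hostname must match.
keytab_has_http_principal() {
    awk -v want="HTTP/$1@" '
        $1 ~ /^[0-9]+$/ && index($2, want) == 1 { found = 1 }
        END { exit !found }'
}

# Constructed sample listing (host and realm are placeholders).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/squid/PROXY.keytab
KVNO Principal
---- ---------------------------------------------
   1 HTTP/proxy.example.org@EXAMPLE.ORG
   1 host/proxy.example.org@EXAMPLE.ORG'

# preflight FQDN: run the same checks against the live system.
preflight() {
    klist -s || { echo "no valid ticket cache: run kinit first"; return 1; }
    klist -k "${KRB5_KTNAME:-/etc/krb5.keytab}" | keytab_has_http_principal "$1" \
        || { echo "keytab has no HTTP/$1 principal"; return 1; }
    echo "ready: feed the helper a 'YR <token>' line, not 'user password'"
}

# Only touch the live system when a hostname is given on the command line.
if [ $# -gt 0 ]; then preflight "$@"; fi
```

Run with the proxy's FQDN as the only argument to check the live ticket cache and the keytab named by KRB5_KTNAME.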