
Re: Trouble negotiate_kerberos_auth


 



Hi Markus, thank you for helping me.

When I type the klist command, the result is:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: robert@xxxxxxxxxxxxx
Valid starting       Expires              Service principal
28-08-2016 22:40:53  29-08-2016 08:40:53  krbtgt/CMS.ENSINO.BR@xxxxxxxxxxxxx
    renew until 29-08-2016 22:40:41

But I get the following result from the command below:
/usr/lib64/squid/negotiate_kerberos_auth_test proxy.cms.ensino.br| awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/lib64/squid/negotiate_kerberos_auth -r -s HTTP/proxy.cms.ensino.br

Result:
TT oYGbMIGYoAMKAQGhCAYGKwYBBQIFooGGBIGDBQEwFKESBBBDTUIuRU5TSU5PLkVCLkJSfmkwZ6ADAgEFoQMCAR6iERgPMjAxNjA4MjkwMTM2MDVaowUCAwK7P6QRGA8yMDE2MDgyOTAxMzYwNVqlBQIDBhpppgMCAQepFRsTPHVuc3BlY2lmaWVkIHJlYWxtPqoLMAmgAwIBAKECMAA=
BH quit command


HTTP/proxy.cms.ensino.br is in the keytab files.

I don't have the "test_negotiate_auth.sh" file in src/auth/negotiate/kerberos, but I have /usr/lib64/squid/negotiate_kerberos_auth_test, thus I'm using it.

My Linux distribution is CentOS 7

Regards,

Márcio




2016-08-28 15:24 GMT-03:00 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
 
Hi Marcio,

The helper needs a Kerberos token as input. Please have a look at test_negotiate_auth.sh, which is in src/auth/negotiate/kerberos of the trunk version. The squid hostname must match the entry in your keytab and you must have done kinit to authenticate against a Kerberos server (e.g. AD) as user first.
 
Regards
Markus
 
 
"Marcio Demetrio Bacci" <marciobacci@xxxxxxxxx> wrote in message news:CA+0TdyqEAt4L5KO4zrJNJ1aUe64mY2Re7z95KFdqW7Y8SV_qbg@mail.gmail.com...
I have trouble authenticating Squid3 with Kerberos in a Samba4 domain. I'm using CentOS 7 and Squid 3.3.8 (yum install squid)

When I type the command below in a terminal:
/usr/lib64/squid/negotiate_kerberos_auth -d -i -s HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
john xyz@12345

I have the following error:
negotiate_kerberos_auth.cc(315): pid=6364 :2016/08/27 10:44:33| negotiate_kerberos_auth: DEBUG: Got 'john xyz@12345' from squid (length: 14).
negotiate_kerberos_auth.cc(362): pid=6364 :2016/08/27 10:44:33| negotiate_kerberos_auth: ERROR: Invalid request [john xyz@12345]
BH invalid request


Here are my configuration files:

/etc/krb5.conf
[libdefaults]
    default_realm = CMS.ENSINO.BR
[realms]
    CMS.ENSINO.BR = {
    kdc = dc1.cms.ensino.br:88
    admin_server = dc1.cms.ensino.br
    default_domain = CMS.ENSINO.BR
    }
[domain_realm]
    .cms.ensino.br = CMS.ENSINO.BR
    cms.ensino.br = CMS.ENSINO.BR



Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
   1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
   1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
   1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
   1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
   1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
   1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
   1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
   1 host/PROXY@xxxxxxxxxxxxx
   1 host/PROXY@xxxxxxxxxxxxx
   1 host/PROXY@xxxxxxxxxxxxx
   1 host/PROXY@xxxxxxxxxxxxx
   1 host/PROXY@xxxxxxxxxxxxx
   1 PROXY$@CMS.ENSINO.BR
   1 PROXY$@CMS.ENSINO.BR
   1 PROXY$@CMS.ENSINO.BR
   1 PROXY$@CMS.ENSINO.BR
   1 PROXY$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
   1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
   1 HTTP/PROXY@xxxxxxxxxxxxx
   1 HTTP/PROXY@xxxxxxxxxxxxx
   1 HTTP/PROXY@xxxxxxxxxxxxx
   1 HTTP/PROXY@xxxxxxxxxxxxx
   1 HTTP/PROXY@xxxxxxxxxxxxx


Keytab name: FILE:/etc/squid/PROXY.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
   1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
   1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
   1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
   1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
   1 host/proxy.cms.ensino.br@CMS.ENSINO.BR


/etc/sysconfig/squid
# default squid options
SQUID_OPTS=""
# Time to wait for Squid to shut down when asked. Should not be necessary
# most of the time.
SQUID_SHUTDOWN_TIMEOUT=100
# default squid conf file
SQUID_CONF="/etc/squid/squid.conf"

KRB5_KTNAME=/etc/squid/PROXY.keytab
export KRB5_KTNAME


kinit and klist commands are OK.
 
Best Regards,

Márcio
 


_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
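
Added example (not part of the original thread and not Squid's own code): a Python sketch that interprets the helper reply lines quoted above, splitting off the reply code and, for a TT or AF line, decoding the top-level fields of the SPNEGO negTokenResp it carries. The reply-code descriptions summarise Squid's Negotiate helper protocol, the function names are hypothetical, and the only token used is the one quoted in the message.

```python
import base64

# Reply codes a Squid Negotiate helper writes, keyed by the first field of a line.
REPLY_CODES = {"AF": "authenticated", "TT": "continue: token for another round",
               "NA": "authentication failed", "BH": "helper error"}
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete",
              2: "reject", 3: "request-mic"}  # RFC 4178 NegTokenResp.negState
MECHS = {"1.2.840.113554.1.2.2": "Kerberos 5", "1.3.6.1.5.2.5": "IAKERB"}
# The "TT" line quoted in the message above, copied verbatim.
PAGE_TT_LINE = "TT oYGbMIGYoAMKAQGhCAYGKwYBBQIFooGGBIGDBQEwFKESBBBDTUIuRU5TSU5PLkVCLkJSfmkwZ6ADAgEFoQMCAR6iERgPMjAxNjA4MjkwMTM2MDVaowUCAwK7P6QRGA8yMDE2MDgyOTAxMzYwNVqlBQIDBhpppgMCAQepFRsTPHVuc3BlY2lmaWVkIHJlYWxtPqoLMAmgAwIBAKECMAA="

def read_tlv(buf, pos):  # one DER tag-length-value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def oid_str(der):  # DER OID content bytes -> dotted string
    arcs, n = [der[0] // 40, der[0] % 40], 0
    for byte in der[1:]:
        n = (n << 7) | (byte & 0x7F)  # base-128, high bit marks continuation
        if not byte & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def neg_token_resp(token_b64):  # top-level fields of a SPNEGO negTokenResp
    tag, body, _ = read_tlv(base64.b64decode(token_b64), 0)
    if tag != 0xA1:  # [1] is the negTokenResp choice of NegotiationToken
        raise ValueError("not a SPNEGO negTokenResp")
    seq, pos, out = read_tlv(body, 0)[1], 0, {}
    while pos < len(seq):
        ctx, inner, pos = read_tlv(seq, pos)
        value = read_tlv(inner, 0)[1]
        if ctx == 0xA0:    # negState ENUMERATED
            out["neg_state"] = NEG_STATES.get(value[0], "unknown")
        elif ctx == 0xA1:  # supportedMech OID
            out["mech_oid"] = oid_str(value)
            out["mech_name"] = MECHS.get(out["mech_oid"], "unknown")
    return out

def interpret_reply(line):  # reply code plus decoded token fields for TT/AF
    parts = line.split()
    info = {"code": parts[0], "meaning": REPLY_CODES.get(parts[0], "unknown")}
    if parts[0] in ("TT", "AF") and len(parts) > 1:
        try:
            info.update(neg_token_resp(parts[1]))
        except (ValueError, IndexError):
            info["token_error"] = "token is not a parseable negTokenResp"
    return info
```

For the TT line quoted in the thread, interpret_reply(PAGE_TT_LINE) reports negState accept-incomplete and mechanism OID 1.3.6.1.5.2.5, meaning the helper is asking for another round rather than reporting success or failure.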

