On 2017-07-27 10:27, Grey wrote:
Hi,
I'm trying to setup a proxy server using Squid 3.5.23 on Debian 9; I've
successfully setup Kerberos authentication generating the keytab file with
ktutil and manually setting the required SPN on my Windows domain
controller.
The problem I'm encountering is that sometimes (right now I'm the only one
using this proxy and it happens a couple times every day at random times)
while visiting random sites an authentication prompt appears asking for
credentials. Hitting Ok makes the prompt reappear and leads to a loop, while
hitting the cancel button makes the prompt go away and the page display an
error saying "Access denied. Authentication required." (white page with
black font; I'm not 100% sure that's the exact message, I'll come back and
update it as soon as it happens again); refreshing the page lets it load
normally and then everything works ok.
I'm posting the relevant configuration hoping that someone can help me or at
least point me in the right direction. Keep in mind that right now basic
authentication is disabled for testing sake, I'll later enable it when I've
worked out where the problem with Kerberos is.
###
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -r
auth_param negotiate children 150
auth_param negotiate keep_alive off
acl whitelist dstdomain "/etc/squid/whitelist"
acl blacklist dstdomain "/etc/squid/blacklist"
acl AUTH proxy_auth REQUIRED
http_access deny !AUTH all
http_access deny !Safe_ports all
http_access deny CONNECT !SSL_ports all
http_access allow localhost manager
http_access deny manager all
http_access allow localhost all
acl destsquid dstdomain .squid1 .squid2
http_access allow destsquid all
http_access allow whitelist all
http_access deny blacklist all
acl test_account proxy_auth test_account
http_access allow test_account all
http_access deny all
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-access-denied-and-reauthentication-tp4683224.html
Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
Hi,
Could You please check and post a portion of cache.log? You may also
want to temporary modify squid.conf: by adding -d to this line:
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -r -d
That should put negotiate_kerberos_auth in debug mode. Be aware that
kerberos ticket will be added to log, so before posting in You may want
to alterate your log.
Also, squidklient output for mgr:kerberosauthenticator may be helpful,
although I'm not sure is that the right name for this module, so check
mgr:menu for correct name.
--
Greets, Dijx
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
