Search squid archive

Re: Kerberos with AD

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]




Further upon this i have updated to 3.1.19 and i get the same errors.  I
have fresh installed the machine back to how it was when the first email
when out.

On Mon, 2012-04-16 at 08:25 +1000, Simon Dwyer wrote:
> Hi All,
> 
> Have been banging my head against this for a few weeks now.
> 
> I have a fresh install of centos 6.2 and have installed squid 3.1.10.
> 
> I have copied the kerberos keytab file from our ad server.  It was
> created with the command:
> 
> ktpass -princ HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE -mapuser
> proxy-dev-k$@DOMAIN.EXAMPLE /rndpass -ptype KRB5_NT_PRINCIPAL -out c:
> \krb5.keytab
> 
> When thats on my server i can run 
> 
> [root@proxy-dev ~]# klist -ke
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>    7 HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE (arcfour-hmac)
> 
> I can run kinit -k HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE
> 
> and that comes up in klist correctly.
> 
> 
> My squid config is been cut down to be simple:
> 
> visible_hostname proxy-dev.domain.example
> 
> auth_param negotiate program  /usr/lib64/squid/squid_kerb_auth -i -d -s
> HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE
> auth_param negotiate children 10
> auth_param negotiate keep_alive off
> 
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> acl AUTHENTICATED proxy_auth REQUIRED
> 
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> http_access deny !AUTHENTICATED
> http_access allow AUTHENTICATED
> http_access deny all
> 
> http_port 8080
> 
> 
> When i have a user try and connect with kerberos i get this error
> message in cache.log
> 
> 2012/04/16 08:12:12| squid_kerb_auth: ERROR: gss_accept_sec_context()
> failed: Unspecified GSS failure.  Minor code may provide more
> information. 
> 2012/04/16 08:12:12| authenticateNegotiateHandleReply: Error validating
> user via Negotiate. Error returned 'BH gss_accept_sec_context() failed:
> Unspecified GSS failure.  Minor code may provide more information. '
> 2012/04/16 08:12:12| squid_kerb_auth: INFO: User not authenticated
> 
> Any help would be awesome,
> 
> Cheers,
> 
> Simon Dwyer
> 
> 




[Linux Audio Users]     [Photo]     [Yosemite News]     [Samba]     [Video Projectors]     [Video Devices]     [Big List of Linux Books]     [LCD TVs]     [Webcams]     [Linux USB]

  Powered by Linux