[squid-users] Re: squid_kerb_auth on mac os x

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 7 Jun 2008 00:28:19 +0100

BTW, if you download the CVS source from SourceForge at
http://squidkerbauth.cvs.sourceforge.net/squidkerbauth you can use
./configure and it should check everything for Mac.

Markus

"Alex Morken" <IT_at_chrisking.com> wrote in message
news:AF122EC2-1BC7-4D1D-BF61-678C38EBA750_at_chrisking.com...
> Hello,
>
> This is the first time I have posted on this list, so hello to everyone.
> I have been trying to get squid_kerb_auth to work on Mac OS X 10.4.11 and
> I cannot seem to figure out the reason it fails.
>
> Here are the options I had set for the configure part of squid:
> Squid Cache: Version 2.7.STABLE2
> configure options: '--enable-auth=basic negotiate'
> '--enable-basic-auth-helpers=LDAP'
> '--enable-negotiate-auth-helpers=squid_kerb_auth'
> '--enable-esternal-acl-helpers=ldap_group'
> '--prefix=/usr/local/squid-2.7'
>
> Everything compiles nicely and produces no errors.
>
> I set up and tested my kerberos configuration per below:
>
> Set up a local keytab for squid - HTTP/host.domain.com@REALM.COM.
>
> Tested it by issuing the following command and it worked correctly:
>
> `kinit -k -t /etc/squid/squid.keytab HTTP/host.domain.com@REALM.COM`
>
> Set and exported KRB5_KTNAME pointing to the local keytab. I wrote a
> bash script that does this and I have also tried to set the environmental
> variable in the current shell and run it from there. Both work as
> expected.
>
> I added authentication to squid.conf
>
> auth_param negotiate program /usr/libexec/squid_kerb_auth -d -s HTTP/host.domain.com@REALM.COM
>
> I then started squid and it looks like everything is starting correctly.
> But it is still not dealing with kerberos correctly.
>
> I downloaded and compiled squid_kerb_auth by hand as I had found someone
> else on this list that was running into a problem similar to mine. I
> recompiled squid_kerb_auth with a few different options as mentioned in
> the thread. They are listed below.
>
> Compiled by hand:
> gcc -o squid_kerb_auth -DHAVE_SPNEGO -D__LITTLE_ENDIAN__ -Ispnegohelp
> squid_kerb_auth.c base64.c spnegohelp/derparse.c spnegohelp/spnego.c
> spnegohelp/spnegohelp.c spnegohelp/spnegoparse.c
> -lgssapi_krb5 -lkrb5 -lcom_err
>
> root# ./squid_kerb_auth -d
> 2008/06/03 13:37:59| squid_kerb_auth: Starting version 1.0.1
> username@REALM.COM
> 2008/06/03 13:38:01| squid_kerb_auth: Got 'username' from squid (length:
> 15).
> 2008/06/03 13:38:01| squid_kerb_auth: gss_accept_sec_context() failed: A
> token was invalid. Token header is malformed or corruptBH
> gss_accept_sec_context() failed: A token was invalid. Token header is
> malformed or corrupt
>
>
> Results from just using ./configure and no options specified:
> host:/tmp/kerb/squid_kerb_auth root# ./squid_kerb_auth -d -s HTTP/host.domain.com@REALM.COM
> 2008/06/03 13:47:38| squid_kerb_auth: Starting version 1.0.1
> username@REALM.COM
> 2008/06/03 13:47:39| squid_kerb_auth: Got 'username@REALM.COM' from squid
> (length: 15).
> 2008/06/03 13:47:39| squid_kerb_auth: parseNegTokenInit failed with
> rc=108
> 2008/06/03 13:47:39| squid_kerb_auth: Token is possibly a GSSAPI token
> 2008/06/03 13:47:39| squid_kerb_auth: gss_accept_sec_context() failed: A
> token was invalid. Token header is malformed or corruptBH
> gss_accept_sec_context() failed: A token was invalid. Token header is
> malformed or corrupt
>
> I have also tried all combinations of -DHAVE_SPNEGO, -D__LITTLE_ENDIAN__
> and -D__BIG_ENDIAN__. All have failed in similar ways.
>
> So the obvious questions are - what am I doing wrong? Am I using
> squid_kerb_auth correctly from the command line (can I use it all that
> way)? Is there anywhere I can look for more verbose logs from squid? I
> have been running squid with -d 9 -N options and it doesn't error to the
> logs or to the screen in any sort of verbose way (the way I would expect
> it to work). Any help would be much appreciated and I would be happy to
> provide any information you request!
>
> Thank you,
>
> Alex Morken
>
>
Received on Fri Jun 06 2008 - 23:28:40 MDT
