[squid-users] Re: Re: Re: Re: Re: squid_kerb_auth on mac os x

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sun, 13 Jul 2008 10:43:23 +0100

Brian,

To clarify what I said: the MIT Kerberos code on Mac does not support SPNEGO
yet, but my squid_kerb_auth deals with that when HAVE_SPNEGO is NOT defined.

Markus

"Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
news:g5a9h9$j0p$1_at_ger.gmane.org...
> Brian,
>
> Mac does not yet include spnego code. Don't use -DHAVE_SPNEGO to compile
> on Mac.
>
> Markus
>
> BTW, if you download the cvs source from sourceforge at
> http://squidkerbauth.cvs.sourceforge.net/squidkerbauth you can use
> ./configure and it should check everything for Mac.
>
> "Brian Kirk" <bekirk_at_gmail.com> wrote in message
> news:6ac1d44b0807111631l718a0e10ub0cdc913bf6b0a55_at_mail.gmail.com...
>> I have done the following:
>>
>> 1. created a key on the KDC with the following command:
>> ktpass -princ HTTP/squidtest.hdq.xyz.com_at_HDQ.XYZ.COM -pass password
>> -mapuser squidtest -out c:\temp\squidtest.HTTP.keytab
>>
>> 2. Set up the /etc/krb5.conf for our domain and realm.
>>
>> 3. I then copied the key to the linux box, set the permissions so it
>> is read only by squid, and ran the ktutil command:
>> ktutil: rkt /opt/squid/etc/squidtest.HTTP.keytab
>> ktutil: wkt /etc/krb5.keytab
>> ktutil: q
>>
>> 4. I ran the kinit command and it seemed not to error:
>> kinit -k -t /opt/squid/etc/squidtest.HTTP.keytab
>> HTTP/squidtest.hdq.xyz.com
>>
>> 5. Output from the klist is as follows:
>> klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: HTTP/squidtest.hdq.xyz.com_at_HDQ.XYZ.COM
>>
>> Valid starting Expires Service principal
>> 07/11/08 19:08:55 07/12/08 05:08:55 krbtgt/HDQ.XYZ.COM_at_HDQ.XYZ.COM
>> renew until 07/12/08 05:08:55
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>>
>> 6. I created a token with the squid_kerb_auth_test.c program and
>> authenticated with it:
>> [root_at_squidtest tmp]# /opt/squid/libexec/squid_kerb_auth -d -i -s
>> HTTP/squidtest.hdq.xyz.com </tmp/kir1864.token
>> 2008/07/11 19:13:31| squid_kerb_auth: Got 'YR
>> YIIP1QYJKoZIhvcSAQICAQBugg/EMIIPwKADAgEFoQMCAQ6iBwMFAAAAAACjgg74YYI.............................................................................................................................................pfdL/itMByBZYZshBJQgRViHFQgCsPdrJGRE4ePTRwS25ejLg=='
>> from squid (length: 5415).
>> AF AA== kir1864_at_HDQ.XYZ.COM
>> 2008/07/11 19:13:31| squid_kerb_auth: AF AA== kir1864_at_HDQ.XYZ.COM
>> 2008/07/11 19:13:31| squid_kerb_auth: User kir1864_at_HDQ.XYZ.COM
>> authenticated
>>
>> 7. I recompiled squid_kerb_auth with the -DHAVE_SPNEGO:
>> gcc -o squid_kerb_auth -DHAVE_SPNEGO -D__LITTLE_ENDIAN__ -Ispnegohelp
>> squid_kerb_auth.c base64.c spnegohelp/derparse.c spnegohelp/spnego.c
>> spnegohelp/spnegohelp.c spnegohelp/spnegoparse.c -lgssapi_krb5 -lkrb5
>> -lcom_err
>>
>> 8. Added this to my squid startup script and restarted squid, note I
>> have the auth_param in my squid.conf also below:
>> /etc/init.d/squid:export
>> KRB5_KTNAME=FILE:/opt/squid/etc/squidtest.HTTP.keytab
>> /etc/squid.conf:auth_param negotiate program
>> /opt/squid/libexec/squid_kerb_auth -d 9
>> /etc/squid.conf:auth_param negotiate children 1
>> /etc/squid.conf:auth_param negotiate keep_alive on
>>
>> 9. When I authenticate with IE 6, it goes to the basic authentication,
>> even with "Enable Integrated Windows Authentication" checked. I
>> think I found that there is no way to do proxy kerberos authentication
>> with IE 6; if someone knows differently, let me know how. With IE 7 I
>> do get the following in the cache.log:
>> 2008/07/11 17:55:12| squid_kerb_auth: Got 'YR
>> YIIQHwYGKwYBBQUCoIIQEzCCEA+gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKK..............................................................................................................................................bfhfphT7/Qu6CVQNdsKIK5Neq/ULSjfWmDdhxag4ZFDH6/V9/EJnNoNS/BQPwIqEgyzK5+nkg'
>> from squid (length: 5511).
>> 2008/07/11 17:55:12| squid_kerb_auth: gss_accept_sec_context() failed:
>> A token was invalid. Mechanism is incorrect
>>
>> Can anyone help with this problem?
>>
>> Thank you,
>> Brian Kirk
>>
>
>
>
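The two tokens quoted in Brian's log differ in their leading bytes: the one produced by squid_kerb_auth_test.c starts with the raw Kerberos V5 mechanism OID, while the one IE 7 sends starts with the SPNEGO OID, which is exactly the case in which a GSS library without a SPNEGO mechanism reports "Mechanism is incorrect". The following Python script is an added diagnostic example, not code from the thread or from the squid_kerb_auth project: it reads the start of a `Got 'YR <token>'` cache.log line, decodes the RFC 2743 InitialContextToken header, and names the mechanism so an administrator can tell which kind of token the client is sending before touching compile flags. The sample log lines are constructed from the token prefixes quoted above (truncated, as in the mail); the `YR`/`KK` request codes are Squid's negotiate helper protocol; the `spnego_supported` flag is an assumption standing in for "either the helper unwraps SPNEGO itself or the GSS library has a SPNEGO mechanism".

```python
import base64
import itertools

# Standard mechanism OIDs (RFC 4178, RFC 1964, and Microsoft's well-known arcs).
KNOWN_MECHS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

# Constructed from the prefixes quoted in the thread; the real tokens are ~4 KB.
SAMPLE_TEST_PROGRAM_LINE = (
    "2008/07/11 19:13:31| squid_kerb_auth: Got 'YR "
    "YIIP1QYJKoZIhvcSAQICAQBugg....' from squid (length: 5415)."
)
SAMPLE_IE7_LINE = (
    "2008/07/11 17:55:12| squid_kerb_auth: Got 'YR "
    "YIIQHwYGKwYBBQUCoIIQEzCCEA+gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKK....'"
    " from squid (length: 5511)."
)


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("token too short")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _oid_to_dotted(raw):
    """Convert DER OID content bytes to dotted-decimal form."""
    if not raw:
        raise ValueError("empty OID")
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends a sub-identifier
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID")
    return ".".join(str(a) for a in arcs)


def identify_mechanism(b64_token):
    """Return (dotted OID, mechanism name) from a GSS-API InitialContextToken
    (RFC 2743 3.1: tag 0x60, DER length, then the mechanism OID).  Only the
    leading run of base64 characters, rounded down to whole quads, is decoded,
    so a log line elided with '....' is still enough for the header."""
    b64 = "".join(itertools.takewhile(lambda c: c.isalnum() or c in "+/",
                                      b64_token.strip()))
    raw = base64.b64decode(b64[: len(b64) - len(b64) % 4])
    if not raw or raw[0] != 0x60:
        raise ValueError("not an InitialContextToken (expected tag 0x60)")
    _, pos = _der_length(raw, 1)
    if pos >= len(raw) or raw[pos] != 0x06:
        raise ValueError("expected OID tag 0x06 after the token length")
    oid_len, pos = _der_length(raw, pos + 1)
    oid = _oid_to_dotted(raw[pos:pos + oid_len])
    return oid, KNOWN_MECHS.get(oid, "unknown")


def parse_helper_request(log_line):
    """Pull (request code, base64 token) out of a cache.log line of the form
    "... squid_kerb_auth: Got 'YR <token>' from squid ...".  In Squid's
    negotiate helper protocol YR starts an exchange and KK continues one."""
    start = log_line.find("Got '")
    if start < 0:
        raise ValueError("no helper request in line")
    body = log_line[start + len("Got '"):]
    end = body.find("'")
    if end >= 0:
        body = body[:end]
    parts = body.split(None, 1)       # tolerate the line wrap after 'YR'
    if len(parts) != 2 or parts[0] not in ("YR", "KK"):
        raise ValueError("unexpected helper request: %r" % body[:20])
    return parts[0], "".join(parts[1].split())


def diagnose(log_line, spnego_supported):
    """Say whether the token on this line can be consumed on the helper side.
    spnego_supported (assumed flag): True when the helper unwraps SPNEGO itself
    or the GSS library carries a SPNEGO mechanism; False reproduces the
    'Mechanism is incorrect' situation for a SPNEGO token."""
    code, token = parse_helper_request(log_line)
    oid, name = identify_mechanism(token)
    if name in ("Kerberos V5", "MS Kerberos V5"):
        verdict = "raw Kerberos token: any Kerberos-capable GSS library accepts it"
    elif name == "SPNEGO" and spnego_supported:
        verdict = "SPNEGO token on a SPNEGO-capable path: acceptable"
    elif name == "SPNEGO":
        verdict = ("SPNEGO token handed to a library without a SPNEGO mechanism: "
                   "expect gss_accept_sec_context() 'Mechanism is incorrect'")
    else:
        verdict = "unsupported mechanism for a Kerberos-only helper"
    return {"request": code, "oid": oid, "mechanism": name, "verdict": verdict}


if __name__ == "__main__":
    for line in (SAMPLE_TEST_PROGRAM_LINE, SAMPLE_IE7_LINE):
        print(diagnose(line, spnego_supported=False))
```

Run it on a real cache.log line by pasting the `Got 'YR ...'` fragment; the first 24 base64 characters carry the whole header, so the rest of the token is never needed. A Kerberos V5 result means the client (or the test program) is sending a bare GSS-API Kerberos token; a SPNEGO result means the token must be unwrapped, either by the helper's own SPNEGO code or by a GSS library that has the SPNEGO mechanism.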
Received on Sun Jul 13 2008 - 09:45:36 MDT
