[squid-users] troubles with squid_kerb_auth

From: Eugene M. Zheganin <emz_at_norma.perm.ru>
Date: Tue, 18 Aug 2009 12:09:34 +0600

Hi.

I'm trying to set up an authentication scheme for Vista/W7, but haven't
succeeded yet. Squid says "squid_kerb_auth: gss_accept_sec_context()
failed: Miscellaneous failure (see text). failed to find
HTTP/proxy1.norma.com@NORMA.COM(kvno 6) in keytab /etc/krb5.keytab".

To save time I listed all diagnostics and the creation process in a
sequential way, so the squid_kerb_auth debug token is at the end of the post.

I got:
Squid Cache: Version 2.7.STABLE6
FreeBSD 7.1-RELEASE

I'm using the Windows domain servers as the KDCs.
So far I have working kerberos clients on FreeBSD, but never used the
keytabs.

FreeBSD has a Heimdal version of Kerberos, I installed squid from ports.
squid_kerb_auth was built successfully, and from what I see the FreeBSD ports
system has a patch to build this helper properly with Heimdal (the same
text about Heimdal as in the helper's readme).

At this time I'm also using the basic scheme with PAM and an NTLM scheme
with winbind. All works just fine except when it comes to Vista/Windows 7.

Here's my config, the part of it concerning the authentication:

===Cut===
auth_param negotiate program /usr/local/libexec/squid/squid_kerb_auth -d -s HTTP/proxy1.norma.com@NORMA.COM
auth_param negotiate children 15
auth_param negotiate keep_alive on

auth_param ntlm program /usr/local/bin/ntlm_auth -d 0 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15

auth_param basic program /usr/local/libexec/squid/pam_auth
auth_param basic children 25
auth_param basic realm Squid[Kamtelecom]
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off
===Cut===

To set up a negotiation scheme I've read the readme for the helper and
I've been here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Since msktutil seems to refuse to compile properly (and since I suppose
there are better ways to do that) I used the FreeBSD version of ktutil
to create the keytab, and the Windows ktpass utility to create another keytab.

Both keytabs seem to work:

Keytab created with FreeBSD ktutil (ktutil -k HTTP.keytab add -p HTTP/proxy1.norma.com@NORMA.COM -e des-cbc-md5 -V 6):

===Cut===
# kinit HTTP/proxy1.norma.com -k -t krb5.keytab
HTTP/proxy1.norma.com@NORMA.COM's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week

# ktutil -k krb5.keytab list
krb5.keytab:

Vno Type Principal
  6 des-cbc-md5 HTTP/proxy1.norma.com@NORMA.COM
===Cut===

Keytab created with windows ktpass:

(creation)
===Cut===
C:\Program Files\Support Tools>ktpass /out squid.keytab /princ HTTP/proxy1.norma.com@NORMA.COM /pass "sabbracadabra" /mapuser proxy1 /crypto DES-CBC-MD5 /ptype KRB5_NT_SRV_HST
Targeting domain controller: hq-dc.norma.com
Successfully mapped HTTP/proxy1.norma.com to proxy1.
Password succesfully set!
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to squid.keytab:
Keytab version: 0x502
keysize 58 HTTP/proxy1.norma.com@NORMA.COM ptype 3 (KRB5_NT_SRV_HST) vno 6 etype 0x3 (DES-CBC-MD5) keylength 8 (0x01dae9078fb07aa1)
===Cut===

Checking:
===Cut===
# kinit HTTP/proxy1.norma.com -k krb5.keytab.from-windows
HTTP/proxy1.norma.com@NORMA.COM's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week

# ktutil -k krb5.keytab.from-windows list
krb5.keytab.from-windows:

Vno Type Principal
  6 des-cbc-md5 HTTP/proxy1.norma.com@NORMA.COM
===Cut===

No matter which keytab I use, I am unable to authenticate the
browser via the negotiate scheme, and I get the following strings in the log:

===Cut===
2009/08/18 11:48:22| squid_kerb_auth: Got 'YR ...' from squid (length: 2031).

2009/08/18 11:48:22| squid_kerb_auth: gss_accept_sec_context() failed: Miscellaneous failure (see text). failed to find HTTP/proxy1.norma.com@NORMA.COM(kvno 6) in keytab /etc/krb5.keytab
===Cut===

What should I do next? Or maybe I did something wrong?

Thanks.

Eugene.
Received on Tue Aug 18 2009 - 06:09:47 MDT
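The helper's error names three things it could not match in /etc/krb5.keytab: the principal, the key version number (kvno 6) and, implicitly, the encryption type of the key it needs. The following script, added here as an example and not code from the post, from Squid or from Heimdal/MIT, parses a keytab file in the 0x0502 format the ktpass output above reports and lists every entry's principal, kvno and enctype, then explains which of the three is missing for a given lookup. The sample keytab is constructed in memory with a made-up key; only the principal name and kvno are taken from the post. Assumed: the standard v2 keytab layout (component count excluding the realm, a name-type field, an 8-bit vno followed by an optional 32-bit vno after the key), which is what both Heimdal and MIT write.

```python
# Keytab inspector for the 0x0502 file format. Added example, not part of the
# original post, of squid_kerb_auth, or of Heimdal/MIT. The sample keytab is
# constructed with a made-up key; the principal and kvno come from the thread.
import struct
import sys

# Encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}


def _counted(data):
    """16-bit big-endian length prefix, as used for realm and name components."""
    return struct.pack(">H", len(data)) + data


def _take(buf, p):
    """Read a length-prefixed string at offset p; return (text, new offset)."""
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n].decode(), p + 2 + n


def build_keytab(entries):
    """Serialise (principal, kvno, etype, key) tuples into a 0x0502 keytab blob."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = bytearray(struct.pack(">H", len(components)))  # v2: realm not counted
        body += _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">I", 3)                 # name type KRB5_NT_SRV_HST
        body += struct.pack(">I", 0)                 # timestamp (unused here)
        body += struct.pack(">B", kvno & 0xFF)       # 8-bit vno
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)              # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob):
    """Return one dict per live entry: principal, kvno, etype, enctype, keylen."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (blob[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted entry
            pos += -size
            continue
        if size == 0:
            break
        entry, p = blob[pos:pos + size], 0
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, p)
        realm, p = _take(entry, p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _take(entry, p)
            comps.append(comp)
        p += 8                       # skip name type and timestamp
        kvno = entry[p]
        p += 1
        etype, klen = struct.unpack_from(">HH", entry, p)
        p += 4 + klen                # key bytes are not needed for this check
        if len(entry) - p >= 4:      # trailing 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", entry, p)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "etype": etype, "keylen": klen,
                        "enctype": ENCTYPE_NAMES.get(etype, "etype %d" % etype)})
    return entries


def check_keytab(blob, principal, kvno, etype=None):
    """Say which part of a lookup like the helper's fails against this keytab."""
    same_name = [e for e in parse_keytab(blob) if e["principal"] == principal]
    if not same_name:
        return "principal %s absent from keytab" % principal
    same_kvno = [e for e in same_name if e["kvno"] == kvno]
    if not same_kvno:
        have = sorted({e["kvno"] for e in same_name})
        return "kvno %d absent; keytab holds kvno %s for %s" % (kvno, have, principal)
    if etype is not None and all(e["etype"] != etype for e in same_kvno):
        have = ", ".join(sorted(e["enctype"] for e in same_kvno))
        want = ENCTYPE_NAMES.get(etype, "etype %d" % etype)
        return "kvno %d present but only as %s, not %s" % (kvno, have, want)
    return "ok"


# Constructed sample: the principal and kvno from the post, with a made-up key.
SAMPLE_KEYTAB = build_keytab([("HTTP/proxy1.norma.com@NORMA.COM", 6, 3, bytes(range(8)))])

if __name__ == "__main__":
    # Usage: keytab_check.py [/etc/krb5.keytab] [principal] [kvno]
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(blob):
        print("kvno %-3d %-26s %s" % (e["kvno"], e["enctype"], e["principal"]))
    if len(sys.argv) > 3:
        print(check_keytab(blob, sys.argv[2], int(sys.argv[3])))
```

Run against the file the helper actually opens (the path in its error message) rather than the copy that `ktutil list` was pointed at, since the two can differ; passing the enctype the acceptor needs as the fourth argument to `check_keytab` also makes a key-type mismatch visible, which `kinit -k` alone does not reveal because it only proves the keytab holds some usable key for the principal.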
