[squid-users] Re: (solved) Linux using kerberos works but squid won't

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 25 Aug 2009 22:24:51 +0100

I added some comments to the wiki.

Thank you
Markus

"Mrvka Andreas" <mrv_at_tuv.at> wrote in message
news:200908251055.04159.mrv_at_tuv.at...
> Hi again,
>
> I've found my error myself.
>
> Using this howto from Guido:
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
> works great at my site (with defining my environment hosts, users and
> pass)!
>
> My caveat for not working was:
> _I used a too short name for the principal or hostname_ !!!
>
> First I tried the hostname squid-HTTP as Guido described in his example
> and this worked.
> Then I wanted to use my hostname: squid.domain.com and this raised an
> error.
>
> After being completely confused I wrote the hostname like
> squidproxy.domain.com without any expectation for success - but I got
> convinced.
>
>
> Squid authentication against Active Directory on Windows 2008 DCs works
> now!
>
> This must be a bug or anything else on the new domain controller because
> the same 'msktutil' command worked on AD 2003.
>
>
> I hope I could help some other people and maybe you can insert this caveat
> in your Wiki.
>
>
> Andrew
>
>
>
> Am Montag, 24. August 2009 13:55:23 schrieb Mrvka Andreas:
>> Hi list,
>>
>> I want to use this brilliant software squid but do you know what I am
>> missing?
>>
>> I have working AD authentication on my SLES11 system
>> - kinit -k -t HTTP.keytab HTTP/squid.fqdn.com works
>> - login via ssh works with pam_krb5
>> - joining to my domain also worked like a charm
>>
>> At this stage I believe, I've set up krb5.conf correctly.
>>
>> So I compiled Squid 3.1.0.13.
>> configure options:
>> '--prefix=/usr/local/squid-3.1'
>> '--enable-auth=basic,ntlm,negotiate'
>> '--enable-basic-auth-helpers=SMB getpwnam multi-domain-NTLM'
>> '--enable-ntlm-auth-helpers=smb_lm no_check'
>> '--enable-negotiate-auth-helpers=squid_kerb_auth'
>> --with-squid=/install/squid-3.1.0.13
>> --enable-ltdl-convenience
>>
>> Next I inserted these lines into squid.conf
>> auth_param negotiate program squid_kerb_auth -d 99 -s HTTP/squid.fqdn.com
>> auth_param negotiate children 15
>> auth_param negotiate keep_alive on
>>
>>
>> Starting squid again worked fine, so I didn't get any error at boot time
>> and -- ps -ef -- shows me
>>
>> squid 28944 27915 0 12:51 pts/0 00:00:00 ./squid -N -d 20 -f ../etc/squid.conf
>> squid 28945 28944 0 12:51 ? 00:00:00 (squid_kerb_auth) -d 99 -s HTTP/squid.fqdn.com
>> squid 28946 28944 0 12:51 ? 00:00:00 (squid_kerb_auth) -d 99 -s HTTP/squid.fqdn.com
>>
>>
>>
>> On my windows PC I configured proxy using manual setting to the FQDN of
>> squid.
>>
>> The result is - in cache.log I find
>> 2009/08/24 12:58:13| squid_kerb_auth: Got 'YR YIIFzAYGKwYBBQUCoIIFwDCCBby ... [...] from squid (length: 1987).
>> 2009/08/24 12:58:13| squid_kerb_auth: Decode 'YIIFzAYGKwYBBQ [...] (decoded length: 1488)
>> 2009/08/24 13:21:19| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found
>> 2009/08/24 13:21:19| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found'
>>
>> I created my HTTP.keytab as it was described somewhere.
>> Logged on windows DC - used ktpass and mapped the service principal to a
>> windows user. After that I copied this file to linux squid.
>>
>>
>> I also tried to configure in squid.conf to use
>> squid_kerb_auth -s HTTP/squid.fqdn.com_at_REALM
>>
>> But this didn't work either.
>>
>> I think there is something small missing but I can't figure it out.
>>
>> Please can anybody help me?
>> I hope my detailed explanation will help others too to configure their
>> systems.
>>
>> With best regards
>> Andrew
>>
>
Received on Tue Aug 25 2009 - 21:30:09 MDT
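The "Key table entry not found" minor status in the cache.log above is what gss_accept_sec_context() reports when the principal the helper was started with (-s HTTP/hostname) has no matching entry in the keytab it reads, which is exactly the mismatch Andrew hit when the hostname in the principal did not match what had been exported with ktpass/msktutil. The following shell check is an added example, not code from the thread, from Squid or from the wiki page it links: it derives the service principal from a hostname and realm and looks it up in `klist -k` output. The keytab path, the realm DOMAIN.COM, the hostnames and the klist listing are constructed placeholders; on a real proxy you would feed it the output of `klist -k /path/to/HTTP.keytab`.

```shell
#!/bin/sh
# Added example: verify that the principal squid_kerb_auth is configured
# with (-s HTTP/<hostname>) actually exists in the keytab, before Squid
# ever reports "Key table entry not found".
#
# Constructed sample of `klist -k` output (placeholder path, realm and
# hostnames). On a real host use: klist -k /etc/squid/HTTP.keytab
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/squidproxy.domain.com@DOMAIN.COM
   3 HTTP/squidproxy.domain.com@DOMAIN.COM'

# principal_for_host HOSTNAME REALM
# Prints the acceptor principal the helper will look up for that hostname.
principal_for_host() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# keytab_has_principal KLIST_OUTPUT PRINCIPAL
# Returns 0 when the principal appears as the last field of any klist line
# (works for both `klist -k` and `klist -kt` layouts), 1 otherwise.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $NF == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_squid_principal KLIST_OUTPUT HOSTNAME REALM
# Prints a one-line diagnosis and returns 0 (present) or 1 (missing).
check_squid_principal() {
    p=$(principal_for_host "$2" "$3")
    if keytab_has_principal "$1" "$p"; then
        echo "OK: $p is in the keytab"
        return 0
    fi
    echo "MISSING: $p is not in the keytab; squid_kerb_auth -s HTTP/$2 will fail with 'Key table entry not found'"
    return 1
}

# Stand-alone usage: diagnose the two hostnames from the thread against the
# constructed keytab listing.
check_squid_principal "$SAMPLE_KLIST" squidproxy.domain.com DOMAIN.COM
check_squid_principal "$SAMPLE_KLIST" squid.domain.com DOMAIN.COM || true
```

Run it on the proxy after copying the keytab over, and once more whenever the principal's host part, the keytab or the DC that issued it changes; the same check also catches a keytab that was exported under a short name while the browser talks to the proxy by its FQDN.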
