[squid-users] Kerberos / AD Authentication: Unknown code krb5 236

From: Andrew M Stemen <andrew_at_andrewmstemen.net>
Date: Tue, 24 Nov 2009 11:59:26 -0500

I'm working on a new squid installation, where squid users need to be
authenticated to Active Directory via Kerberos. I've read several
configuration examples and I can't remember how many how-to guides, but
I must be overlooking something simple.

I'm running squid 3.0STABLE18 on CentOS 5.4 in a Hyper-V environment.
The KDC/AD server is Windows 2008 R2 (we have many 08R2 servers, and one
2003). I've tried IE8 and Firefox on Windows XP Pro, and IE8 on Server
2008, as clients.

Problem: Whenever trying to use the proxy, the browser prompts the user
for authentication three times, and then returns an "ERROR: Cache Access
Denied." message. The following appears in cache.log:

2009/11/24 11:34:04| squid_kerb_auth: Got '[...block stripped by
AMS...]' from squid (length: 2195).
2009/11/24 11:34:04| squid_kerb_auth: gss_accept_sec_context() failed:
Unspecified GSS failure. Minor code may provide more information.
Unknown code krb5 236

==========================================
Begin krb5.conf
==========================================

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CORE.CO.FAIRFIELD.OH.US
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h

default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
# permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac

[realms]
 CORE.CO.FAIRFIELD.OH.US = {
  kdc = 10.10.0.17:88
  admin_server = 10.10.0.17:749
  default_domain = core.co.fairfield.oh.us
 }

[domain_realm]
 .core.co.fairfield.oh.us = CORE.CO.FAIRFIELD.OH.US
 core.co.fairfield.oh.us = CORE.CO.FAIRFIELD.OH.US

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

==========================================
Begin squid.conf
==========================================

http_port 3128

auth_param negotiate program /opt/squid-3.0/sbin/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

#acl all src all
acl AUTHENTICATED proxy_auth REQUIRED
acl localnet src 172.17.3.0/24

#http_access allow localnet
http_access allow AUTHENTICATED
#http_access allow all

cache_dir ufs /var/cache/squid-3.0 100 16 256
access_log /var/log/squid-3.0/access.log squid
cache_log /var/log/squid-3.0/cache.log
cache_store_log /var/log/squid-3.0/store.log
pid_filename /var/run/squid-3.0.pid
cache_effective_user squid
cache_effective_group squid
coredump_dir /var/cache/squid-3.0

==========================================
Begin kinit
==========================================

[root_at_ddoc-svr-ix01 ~]# kinit -V -k -t /etc/squid/HTTP.keytab
HTTP/ddoc-svr-ix01.core.co.fairfield.oh.us
Authenticated to Kerberos v5
[root_at_ddoc-svr-ix01 ~]#

==========================================
End Examples
==========================================

So.... I'm lost. Does anyone have any suggestions as to what I might be
overlooking or doing incorrectly?

Thanks!

---
Andrew Michael Stemen
andrew_at_andrewmstemen.net
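Added example (not part of the original post, and not Squid or MIT krb5 code): a small Python check that parses a krb5.conf like the one quoted above and reports the wiring a practitioner verifies first in a Squid/AD Negotiate setup, i.e. that default_realm has a [realms] entry with a kdc, that [domain_realm] maps to it, and which enctypes the library is restricted to. The sample config is constructed from the post; the enctype finding is a check to make against the keytab and the service ticket, not a diagnosis of the reported error.

```python
# Constructed sample: the post's krb5.conf, trimmed to the sections the check reads.
SAMPLE = """[libdefaults]
 default_realm = CORE.CO.FAIRFIELD.OH.US
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
[realms]
 CORE.CO.FAIRFIELD.OH.US = {
  kdc = 10.10.0.17:88
 }
[domain_realm]
 .core.co.fairfield.oh.us = CORE.CO.FAIRFIELD.OH.US
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; 'name = { ... }' blocks nest under name."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments and indentation are not significant
        if not line:
            continue
        if line.startswith("["):  # section header such as [libdefaults]
            section, block = line.strip("[]"), None
            conf.setdefault(section, {})
        elif line == "}":  # end of a nested realm/appdefaults block
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":  # start of a nested block, e.g. REALM = {
                block, conf[section][key] = key, {}
            elif block:
                conf[section][block][key] = value
            else:
                conf[section][key] = value
    return conf

def check_krb5_conf(conf):
    """Return findings about realm wiring and enctype restrictions."""
    findings, lib = [], conf.get("libdefaults", {})
    realm, realms = lib.get("default_realm"), conf.get("realms", {})
    if realm not in realms or "kdc" not in realms[realm]:
        findings.append(f"default_realm {realm} has no [realms] entry with a kdc")
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped != realm:
            findings.append(f"{domain} maps to {mapped}, not default_realm {realm}")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        types = lib.get(key, "").split()
        if types and not any(t.startswith("aes") for t in types):
            findings.append(f"{key} allows only {types}: the HTTP/ keytab entry and service ticket must use one of these")
    return findings
```

Compare the reported enctypes against `klist -kte` on the keytab used by squid_kerb_auth; an entry encrypted with a type the library does not permit is a common cause of gss_accept_sec_context() failures.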
Received on Tue Nov 24 2009 - 16:59:28 MST