[squid-users] Re: Kerberos / AD Authentication: Unknown code krb5 236

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 25 Nov 2009 22:51:24 -0000

Did you set the environment variable KRB5_KTNAME correctly to
FILE:/etc/squid/HTTP.keytab in the squid startup file? Does the squid
process have read permissions on the keytab?

Can you run squid_kerb_auth with one child and use strace against it to check
for any access errors?

Markus

"Andrew M Stemen" <andrew_at_andrewmstemen.net> wrote in message
news:1259081966.2255.1346836135_at_webmail.messagingengine.com...
> I'm working on a new squid installation, where squid users need to be
> authenticated to Active Directory via Kerberos. I've read several
> configuration examples and I can't remember how many how-to guides, but
> I must be overlooking something simple.
>
> I'm running squid 3.0STABLE18 on CentOS 5.4 in a Hyper-V environment.
> The KDC/AD server is Windows 2008 R2 (we have many 08R2 servers, and one
> 2003). I've tried IE8 and Firefox Windows XP Pro, and IE8 on Server
> 2008, as clients.
>
> Problem: Whenever trying to use the proxy, the browser prompts the user
> for authentication three times, and then returns a "ERROR: Cache Access
> Denied." message. The following appears in cache.log:
>
> 2009/11/24 11:34:04| squid_kerb_auth: Got '[...block stripped by
> AMS...]' from squid (length: 2195).
> 2009/11/24 11:34:04| squid_kerb_auth: gss_accept_sec_context() failed:
> Unspecified GSS failure. Minor code may provide more information.
> Unknown code krb5 236
>
> ==========================================
> Begin krb5.conf
> ==========================================
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = CORE.CO.FAIRFIELD.OH.US
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
>
> default_tgs_enctypes = rc4-hmac
> default_tkt_enctypes = rc4-hmac
> permitted_enctypes = rc4-hmac
> # permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
>
> [realms]
> CORE.CO.FAIRFIELD.OH.US = {
> kdc = 10.10.0.17:88
> admin_server = 10.10.0.17:749
> default_domain = core.co.fairfield.oh.us
> }
>
> [domain_realm]
> .core.co.fairfield.oh.us = CORE.CO.FAIRFIELD.OH.US
> core.co.fairfield.oh.us = CORE.CO.FAIRFIELD.OH.US
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> ==========================================
> Begin squid.conf
> ==========================================
>
> http_port 3128
>
> auth_param negotiate program /opt/squid-3.0/sbin/squid_kerb_auth -d
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
>
> #acl all src all
> acl AUTHENTICATED proxy_auth REQUIRED
> acl localnet src 172.17.3.0/24
>
> #http_access allow localnet
> http_access allow AUTHENTICATED
> #http_access allow all
>
> cache_dir ufs /var/cache/squid-3.0 100 16 256
> access_log /var/log/squid-3.0/access.log squid
> cache_log /var/log/squid-3.0/cache.log
> cache_store_log /var/log/squid-3.0/store.log
> pid_filename /var/run/squid-3.0.pid
> cache_effective_user squid
> cache_effective_group squid
> coredump_dir /var/cache/squid-3.0
>
> ==========================================
> Begin kinit
> ==========================================
>
> [root_at_ddoc-svr-ix01 ~]# kinit -V -k -t /etc/squid/HTTP.keytab HTTP/ddoc-svr-ix01.core.co.fairfield.oh.us
> Authenticated to Kerberos v5
> [root_at_ddoc-svr-ix01 ~]#
>
> ==========================================
> End Examples
> ==========================================
>
> So.... I'm lost. Does anyone have any suggestions as to what I might be
> overlooking or doing incorrectly?
>
> Thanks!
>
> ---
> Andrew Michael Stemen
> andrew_at_andrewmstemen.net
>
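The two checks Markus asks for (is KRB5_KTNAME set to a FILE: keytab, and can the squid effective user actually read it) as a small added Python checker; this is not code from the thread or from Squid. The squid uid/gid in demo() are constructed, and the keytab it writes is a stub carrying only the keytab v2 magic bytes.

```python
import os
import re
import stat
import tempfile

def parse_squid_conf(text):
    """Pull cache_effective_user/group out of squid.conf (Squid's default user is nobody)."""
    conf = {"cache_effective_user": "nobody", "cache_effective_group": None}
    for line in text.splitlines():
        m = re.match(r"(cache_effective_user|cache_effective_group)\s+(\S+)", line.split("#")[0].strip())
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def readable_by(st, uid, gids):
    """POSIX read-permission check for a non-root uid with the given group memberships."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def check_keytab(env, uid, gids):
    """Return findings about KRB5_KTNAME and the keytab it names; an empty list means it looks sane."""
    ktname = env.get("KRB5_KTNAME")
    if not ktname:
        return ["KRB5_KTNAME is not set; the helper falls back to the system default keytab"]
    findings = [] if ktname.startswith("FILE:") else ["KRB5_KTNAME lacks the FILE: prefix"]
    path = ktname[5:] if ktname.startswith("FILE:") else ktname
    if not os.path.exists(path):
        return findings + ["keytab %s does not exist" % path]
    st = os.stat(path)
    if not readable_by(st, uid, gids):
        findings.append("keytab %s not readable by uid %d (mode %s)" % (path, uid, stat.filemode(st.st_mode)))
    if st.st_mode & stat.S_IROTH:
        findings.append("keytab %s is world-readable; the service key should be readable by squid only" % path)
    return findings

def demo():
    """Constructed scenario: stub keytab owned by us, mode 0600, 'squid' is another uid sharing our group."""
    kt = os.path.join(tempfile.mkdtemp(), "HTTP.keytab")
    with open(kt, "wb") as f:
        f.write(b"\x05\x02")  # keytab format v2 magic; contents are irrelevant to a permission check
    os.chmod(kt, 0o600)
    env = {"KRB5_KTNAME": "FILE:" + kt}
    squid_uid, squid_gid = os.getuid() + 1, os.stat(kt).st_gid  # hypothetical squid account
    before = check_keytab(env, squid_uid, [squid_gid])            # fails: owner-only read
    os.chmod(kt, 0o640)                                           # as after: chgrp squid; chmod 640
    return before, check_keytab(env, squid_uid, [squid_gid])
```

Run parse_squid_conf() over the real squid.conf to get the user to check, then look that account's uid/gids up with pwd and grp before calling check_keytab() against the helper's environment.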
Received on Wed Nov 25 2009 - 22:57:43 MST

This archive was generated by hypermail 2.2.0 : Thu Nov 26 2009 - 12:00:03 MST