Re: [squid-users] Re: Re: Re: squid_kerb_auth problem

Hi Markus,

Using firefox at windows machine (not domain member)
- kerbtray don't show any credentials
- I don't have traffic at port 88.
- Don't work.

Using IE8 at windows machine (not domain member)
- kerbtray don't show any credentials
- At port 88 there are a TGS-REQ and a TGS-REP
- It works

Using firefox at windows machine (domain member of windows server)
- kerbtray show me the user principal and the service principal
HTTP/squid.domain.
- At port 88 there are a TGS-REQ and a TGS-REP
- It works

Using IE8 at windows machine (domain member of windows server)
- kerbtray show me the user principal and the service principal
HTTP/squid.domain.
- At port 88 there are a TGS-REQ and a TGS-REP
- It works

Regards
Jose

Markus Moeller wrote:
> Hi Jose
>
> Can you install kerbtray from the resource kit
> http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
> and start it ? It should list if you have got a TGS for
> HTTP/squid.domain.
>
> Also can you capture port 88(Kerberos) traffic on the client with
> wireshark ? When you login you should see an AS REQ and REP and
> when firefox authenticates to the proxy you should se a TGS REQ
> for HTTP/squid.domain.
>
> If not can you send me the capture to have a look at it ?
>
> Regards Markus
>
> "Jose Lopes" <jlopes_at_iportalmais.pt> wrote in message
> news:4B5596BB.8010103_at_iportalmais.pt...
>> Hi,
>>
>> I have the same problem. I have already set
>> network.negotiate-auth.trusted-uris to proxy domain. At the
>> firefox (FF) log appears: 0[825140]: service = squid.domain
>> 0[825140]: using negotiate-sspi 0[825140]: nsAuthSSPI::Init
>> 0[825140]: InitSSPI 0[825140]: Using SPN of [HTTP/squid.domain]
>> 0[825140]: nsHttpNegotiateAuth::GenerateCredentials()
>> [challenge=Negotiate] 0[825140]: entering
>> nsAuthSSPI::GetNextToken() 0[825140]: Sending a token of length
>> 40 0[825140]: nsHttpNegotiateAuth::GenerateCredentials()
>> [challenge=Negotiate] 0[825140]: entering
>> nsAuthSSPI::GetNextToken() 0[825140]: Cannot restart
>> authentication sequence!
>>
>> The http messages between squid an FF are:
>>
>> FF -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
>>
>> SQUID -> FF HTTP/1.0 407 Proxy Authentication Required Server:
>> squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...]
>>
>> FF -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
>> Proxy-Authorization: Negotiate
>> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>>
>> SQUID -> FF HTTP/1.0 407 Proxy Authentication Required Server:
>> squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...]
>>
>>
>> I have already IE working, and the http seems similar.
>>
>> IE -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
>>
>> SQUID -> IE HTTP/1.0 407 Proxy Authentication Required Server:
>> squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...]
>>
>> IE -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
>> Proxy-Authorization: Negotiate
>> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>>
>> SQUID -> IE HTTP/1.0 407 Proxy Authentication Required Server:
>> squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...]
>>
>> IE -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
>> Proxy-Authorization: Negotiate
>> YIIE+gYGKwYBBQUCoIIE7jCCBOqgJDAiBgkqhkiC9xIBAgIGC[...] [...]
>>
>> SQUID -> IE HTTP/1.0 200 OK [...] Proxy-Authentication-Info:
>> Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICoo[...] [...]
>>
>>
>> Seems like at first IE use NTLM and at second use kerberos.
>>
>> I think FF is similar, but FF don't allow the second iteration.
>>
>> How can I put kerberos as first iteration?
>>
>> Thanks in advance Regards Jose
>>
>> Markus Moeller wrote:
>>>
>>> The message parseNegTokenInit failed with rc=102 just means the
>>> token is not a GSSAPI token wrapped in a SPNEGO token, but a
>>> plain GSSAPI token. When you use firefox you have to do a kinit
>>> first to store the AS token in the Kerberos cache for Firefox
>>> to use and I think Firfox has to be configured with
>>> network.negotiate-auth.trusted-uris to be set to the domains of
>>> your proxy server.
>>>
>>> Regards Markus
>>>
>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>> news:c3b47c041001181054n7091ea3aj761a508938de74e3_at_mail.gmail.com...
>>> Hi Markus Sorry yes you were right, it was DNS.
>>>
>>> In our environment we are running two DNS servers. One using MS
>>> DNS and the other using unix BIND. The linux server was added
>>> to the unix DNS (with name proxy1.domain.com) but not to the MS
>>> DNS which was authority for ad.domain.com. Now that I think
>>> about it our MS DNS has issues doing reverse lookups for IPs
>>> that the unix DNS is authority for (which in this case was
>>> proxy1.domain.com).
>>>
>>> I changed linux server name to proxy1.ad.domain.com and now the
>>> squid_kerb_auth_test works. Using your squid_kerb_auth
>>> (version 1.0.5) I get: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
>>> user_at_AD.DOMAIN.COM 2010/01/18 20:25:10| squid_kerb_auth: AF
>>> oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM When I try
>>> the same thing with the auth from squid-2.7.STABLE7.tar.bz2 I
>>> get 2010/01/18 20:29:07| squid_kerb_auth: parseNegTokenInit
>>> failed with rc=102 AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
>>> user_at_AD.DOMAIN.COM 2010/01/18 20:29:07| squid_kerb_auth: AF
>>> oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM Is the
>>> parseNegTokenInit failed with rc=102 ok?
>>>
>>> I then tried running squid and used Firefox 3.5.7. I got the
>>> following error from squid cache:
>>>
>>> authenticateNegotiateHandleReply: Failed validating user via
>>> Negotiate. Error returned 'type 1 NTLM token'
>>>
>>> Any ideas? Also I don't get any authentication popups for
>>> userid and password...
>>>
>>> A sample of the log: 2010/01/18 20:47:58| squid_kerb_auth: Got
>>> 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=='
>>> from squid (length: 59). 2010/01/18 20:47:58| squid_kerb_auth:
>>> parseNegTokenInit failed with rc=101 2010/01/18 20:47:58|
>>> squid_kerb_auth: received type 1 NTLM token 2010/01/18
>>> 20:47:58| do_comm_select: 1 fds ready 2010/01/18 20:47:58|
>>> cbdataValid: 0x1838d448 2010/01/18 20:47:58|
>>> helperStatefulHandleRead: 30 bytes from negotiateauthenticator
>>> #1. 2010/01/18 20:47:58| commSetSelect: FD 7 type 1 2010/01/18
>>> 20:47:58| helperStatefulHandleRead: end of reply found
>>> 2010/01/18 20:47:58| cbdataValid: 0x18648bb8 2010/01/18
>>> 20:47:58| cbdataValid: 0x185cad18 2010/01/18 20:47:58|
>>> helperStatefulReleaseServer: 0x1838d448 2010/01/18 20:47:58|
>>> helperStatefulReset: 0x1838d448 2010/01/18 20:47:58|
>>> StatefulGetFirstAvailable: Running servers 10. 2010/01/18
>>> 20:47:58| authenticateNegotiateHandleReply: Failed validating
>>> user via Negotiate. Error returned 'type 1 NTLM token'
>>> 2010/01/18 20:47:58| authenticateValidateUser: Validated
>>> Auth_user request '0x18648960'. 2010/01/18 20:47:58|
>>> cbdataValid: 0x183561a8 2010/01/18 20:47:58| aclCheck: checking
>>> 'http_access deny !password' 2010/01/18 20:47:58|
>>> aclMatchAclList: checking !password 2010/01/18 20:47:58|
>>> aclMatchAcl: checking 'acl password proxy_auth REQUIRED'
>>> 2010/01/18 20:47:58| authenticateValidateUser: Validated
>>> Auth_user request '0x18648960'. 2010/01/18 20:47:58|
>>> authenticateNegotiateAuthenticateUser: need to challenge client
>>> 'received'! 2010/01/18 20:47:58| authenticateValidateUser:
>>> Validated Auth_user request '0x18648960'. 2010/01/18 20:47:58|
>>> aclAuthenticated: returning 0 sending authentication challenge.
>>> 2010/01/18 20:47:58| aclCheck: match found, returning 2
>>> 2010/01/18 20:47:58| cbdataUnlock: 0x183561a8 2010/01/18
>>> 20:47:58| aclCheckCallback: answer=2 2010/01/18 20:47:58|
>>> cbdataValid: 0x185ca298 2010/01/18 20:47:58| The request GET
>>>
http://en-gb.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
>>>
>>>
>>>
>>> is DENIED, because it matched 'password'
>>>
>>> My acl for this was: 'http_access deny !password'
>>>
>>> Regards Umesh
>>>
>>> 2010/1/16 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>> Can you check your DNS you should get for
>>>>
>>>> nslookup name an ip and for the reverse nslookup ip the same
>>>> name.
>>>>
>>>> Which Kerberos libraries do you use ? Heimdal or MIT and
>>>> which release ?
>>>>
>>>> Markus
>>>>
>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>> news:c3b47c041001160337k68a1313g1863689383a15121_at_mail.gmail.com...
>>>> Hi
>>>>
>>>> When I tried ./squid_kerb_auth_test proxy1 or
>>>> ./squid_kerb_auth_test proxy1.domain.com I got 2010/01/16
>>>> 12:31:47| squid_kerb_auth_test: gss_init_sec_context()
>>>> failed: Unspecified GSS failure. Minor code may provide more
>>>> information. Unknown code krb5 7 Token: NULL
>>>>
>>>> But I got a token if I used ./squid_kerb_auth_test domain.com
>>>> or ./squid_kerb_auth_test adserver.domain.com
>>>>
>>>> Using this token and squid auth in the same directory I got
>>>>
>>>> squid_kerb_auth: gss_accept_sec_context() failed: Unspecified
>>>> GSS failure. Minor code may provide more information. No
>>>> error BH gss_accept_sec_context() failed: Unspecified GSS
>>>> failure. Minor code may provide more information. No error
>>>>
>>>> Using the same token on the latest compiled squid
>>>> /usr/local/squid/libexec/squid_kerb_auth -d I got
>>>>
>>>> 2010/01/16 12:55:58| squid_kerb_auth: parseNegTokenInit
>>>> failed with rc=102 2010/01/16 12:55:58| squid_kerb_auth:
>>>> gss_accept_sec_context() failed: Unspecified GSS failure.
>>>> Minor code may provide more information. No error NA
>>>> gss_accept_sec_context() failed: Unspecified GSS failure.
>>>> Minor code may provide more information. No error
>>>>
>>>> Any ideas? Regards Umesh
>>>>
>>>>
>>>>
>>>> 2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>
>>>>> There should be a squid_kerb_auth_test application in the
>>>>> same source directory as squid_kerb_auth.
>>>>>
>>>>> Do a kinit user_at_DOMAIN and then a squid_kerb_auth_test
>>>>> squid-fqdn which should give you a token like:
>>>>>
>>>>> Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>>>>
>>>>> which you can the use with squid_kerb_auth like
>>>>>
>>>>> export KRB5_KTNAME=/path-to-squid.keytab. ./squid_kerb_auth
>>>>> -d YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>>>> 2010/01/15 14:40:29| squid_kerb_auth: Got 'YR
>>>>> YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid
>>>>> (length: 775). 2010/01/15 14:40:29| squid_kerb_auth: Decode
>>>>> 'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length:
>>>>> 577). AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus_at_SUSE.HOME
>>>>> 2010/01/15 14:40:29| squid_kerb_auth: AF
>>>>> oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus_at_SUSE.HOME
>>>>>
>>>>>
>>>>> Regards Markus
>>>>>
>>>>> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
>>>>> news:hipnhp$hs3$1_at_ger.gmane.org...
>>>>>>
>>>>>> When you use ktpass or msktutil you have to specify a
>>>>>> different AD object then your samba object and remove the
>>>>>> HTTP/... entries as service principal from your samba AD
>>>>>> object. If you want to have only one AD object you have
>>>>>> to use the net keytab command as described in the wiki.
>>>>>>
>>>>>>
>>>>>> Regards Markus
>>>>>>
>>>>>>
>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>>> news:c3b47c041001150053n290d6443q830770300636a0ca_at_mail.gmail.com...
>>>>>>
>>>>>>
>>>>>> Hi Ok. Did that now and I got:
>>>>>>
>>>>>> kvno HTTP/proxy1.domain.com HTTP/proxy1_at_DOMAIN.COM: kvno
>>>>>> = 5
>>>>>>
>>>>>> This number is different from the the keytab number. How
>>>>>> do I correct this?
>>>>>>
>>>>>> Yes I did use samba (net ads join -U adminuserid). Then I
>>>>>> tried the msktutil. Then finally ktpass.
>>>>>>
>>>>>> During the net ads join I got:
>>>>>>
>>>>>> # net ads join -U userid userid's password: Using short
>>>>>> domain name -- DOMAIN DNS update failed! Joined 'PROXY1'
>>>>>> to realm 'DOMAIN.COM'
>>>>>>
>>>>>> Is the DNS update a problem?
>>>>>>
>>>>>> Regards Umesh
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>>
>>>>>>> Sorry I forgot to say that you have to do a kinit
>>>>>>> aduser_at_REALM before you issue the kvno command. Did you
>>>>>>> use the sambe netjoin command to create the as account
>>>>>>> and the keytab ?
>>>>>>>
>>>>>>> Markus
>>>>>>>
>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in
>>>>>>> message
>>>>>>> news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd_at_mail.gmail.com...
>>>>>>>
>>>>>>>
>>>>>>> Hi Markus I've checked with ADSIEDIT and found a single
>>>>>>> entry for the linux server named proxy1. Clicking on
>>>>>>> it's properties I found the following entries for
>>>>>>> service Principal Name:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On the linux box:
>>>>>>>
>>>>>>> # klist -ekt /etc/squid/HTTP.keytab Keytab name:
>>>>>>> FILE:/etc/squid/HTTP.keytab KVNO Timestamp Principal
>>>>>>> ---- -----------------
>>>>>>> --------------------------------------------------------
>>>>>>> 7 01/01/70 02:00:00
>>>>>>> HTTP/proxy1.domain.com_at_AD.DOMAIN.COM (ArcFour with
>>>>>>> HMAC/md5)
>>>>>>>
>>>>>>> # kvno HTTP/proxy1.domain.com kvno: Ticket expired
>>>>>>> while getting credentials for
>>>>>>> HTTP/proxy1.domain.com_at_AD.DOMAIN.COM # kvno HTTP/proxy1
>>>>>>> kvno: Ticket expired while getting credentials for
>>>>>>> HTTP/proxy1_at_AD.DOMAIN.COM
>>>>>>>
>>>>>>> Should I remove the entry on AD, rejoin the pc to AD
>>>>>>> and create the keytab again? Which mechanism should I
>>>>>>> use to create the keytab? Is my DNS correct if the pc
>>>>>>> came up on AD as proxy1 should it be the fqdn
>>>>>>> (proxy1.domain.com)?
>>>>>>>
>>>>>>> Regards Umesh
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>>>
>>>>>>>> On AD you can use ADSIEDIT (
>>>>>>>> http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx
>>>>>>>>
>>>>>>>>
>>>>>>>> ) to search for entries and delete,modify them. The
>>>>>>>> best instructions are
>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>>
>>>>>>>>
>>>>>>>> Let me know what you get once you deleted the old
>>>>>>>> entry. Another check is to use the kvno tool which
>>>>>>>> you should have when you use MIT Kerberos.
>>>>>>>>
>>>>>>>> #kvno HTTP/fqdn_at_REALM should give the same number as
>>>>>>>> klist -ekt squid.keytab e.g.
>>>>>>>>
>>>>>>>> # klist -ekt /etc/squid/squid.keytab Keytab name:
>>>>>>>> FILE:/etc/squid/squid.keytab KVNO Timestamp Principal
>>>>>>>> ---- -----------------
>>>>>>>> --------------------------------------------------------
>>>>>>>> 3 11/25/08 20:54:17
>>>>>>>> HTTP/opensuse11.suse.home_at_SUSE.HOME (ArcFour with
>>>>>>>> HMAC/md5) 3 11/25/08 20:54:17
>>>>>>>> HTTP/opensuse11.suse.home_at_SUSE.HOME (Triple DES cbc
>>>>>>>> mode with HMAC/sha1) 3 11/25/08 20:54:17
>>>>>>>> HTTP/opensuse11.suse.home_at_SUSE.HOME (DES cbc mode
>>>>>>>> with CRC-32)
>>>>>>>>
>>>>>>>> #kvno HTTP/opensuse11.suse.home
>>>>>>>> HTTP/opensuse11.suse.home_at_SUSE.HOME: kvno = 3
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards Markus
>>>>>>>>
>>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in
>>>>>>>> message
>>>>>>>> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f_at_mail.gmail.com...
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi, I'm new to this. I've run the following command
>>>>>>>> on the server:
>>>>>>>>
>>>>>>>> ldapsearch -L -x -D "aduser" -w "password" -h
>>>>>>>> domainfqdn -p 389 -b "OU=name,DC=domain,DC=com"
>>>>>>>> "serviceprincipalname=HTTP/fqdn_at_REALM"
>>>>>>>>
>>>>>>>> and get # # LDAPv3 # base <OU=name,DC=domain,DC=com>
>>>>>>>> with scope subtree # filter:
>>>>>>>> serviceprincipalname=HTTP/fqdn_at_REALM # requesting:
>>>>>>>> ALL #
>>>>>>>>
>>>>>>>> # search result
>>>>>>>>
>>>>>>>> # numResponses: 1
>>>>>>>>
>>>>>>>> Is it possible to check directly on AD if this
>>>>>>>> service principal name exits? How else can I test if
>>>>>>>> this keytab works? If I create a new keytab what is
>>>>>>>> the procedure of getting rid of the old one and
>>>>>>>> retesting (what should be done on AD and the linux
>>>>>>>> box)?
>>>>>>>>
>>>>>>>> Are there any docs that will help me with this?
>>>>>>>>
>>>>>>>> Sorry for being a pain and thanks again. Regards
>>>>>>>> Umesh
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>>>>
>>>>>>>>> Can you check with an ldap query (e.g. with
>>>>>>>>> ldapadmin from sourceforge) or search with a filter
>>>>>>>>> "(serviceprincipalname=HTTP/fqdn_at_REALM)" if you
>>>>>>>>> have duplicate entries ?
>>>>>>>>>
>>>>>>>>> This kinit -k -t /etc/squid/squid.keytab
>>>>>>>>> HTTP/fqdn_at_REALM.KERBEROS will only work if the
>>>>>>>>> userprincipal name is HTTP/fqdn_at_REALM.KERBEROS
>>>>>>>>> which I think is not the case with ktpass.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Regards Markus
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in
>>>>>>>>> message
>>>>>>>>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0_at_mail.gmail.com...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I'm trying to get the squid helper
>>>>>>>>>> squid_kerb_auth to work against our Active
>>>>>>>>>> Directory (win 2003 sp2).
>>>>>>>>>>
>>>>>>>>>> I've compiled the latest squid version
>>>>>>>>>> (squid-2.7.STABLE7)on CentOS 5.4 64 bit.
>>>>>>>>>>
>>>>>>>>>> Squid Cache: Version 2.7.STABLE7 configure
>>>>>>>>>> options: '--prefix=/usr/local/squid'
>>>>>>>>>> '--disable-wccp' '--disable-wccpv2'
>>>>>>>>>> '--enable-large-cache-files' '--with-large-files'
>>>>>>>>>> '--enable-delay-pools'
>>>>>>>>>> '--enable-cachemgr-hostname' '=fqdn'
>>>>>>>>>> '--enable-ntlm-auth-helpers=SMB'
>>>>>>>>>> '--enable-auth=basic,ntlm,negotiate'
>>>>>>>>>> '--enable-negotiate-auth-helpers=squid_kerb_auth'
>>>>>>>>>> '--enable-snmp'
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> A keytab file was create on AD for squid
>>>>>>>>>> (HTTP/squid.domain_at_REALM.KERBEROS)
>>>>>>>>>>
>>>>>>>>>> ktpass -princ HTTP/fqdn_at_REALM -mapuser squiduser
>>>>>>>>>> -pass password -out HTTP.keytab
>>>>>>>>>>
>>>>>>>>>> Transferred the file on the CentOS server and
>>>>>>>>>> placed it in /etc/squid/HTTP.keytab
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> kinit -k -t /etc/squid/squid.keytab
>>>>>>>>>> HTTP/fqdn_at_REALM.KERBEROS
>>>>>>>>>>
>>>>>>>>>> I get the error message: kinit(v5): Client not
>>>>>>>>>> found in Kerberos database while getting initial
>>>>>>>>>> credentials
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I've also tried creating the keytab file using
>>>>>>>>>> msktutil or samba according to the following doc:
>>>>>>>>>>
>>>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I get the same error.
>>>>>>>>>>
>>>>>>>>>> How do I sort out this problem?
>>>>>>>>>>
>>>>>>>>>> Thanks in advance. Regards Umesh
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>
>
Received on Wed Jan 20 2010 - 12:31:45 MST