[squid-users] Re: Problems setting up Kerberos authentication

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 4 Mar 2010 20:27:13 -0000

It looks like a configuration error. Also I recall Heimdal had some issues
with cross realms. But you say all clients are on Windows and only the server
uses squid with Heimdal, so the problem might be on the Windows side. Do the
three AD domains trust each other?

Markus

"Fabian Hugelshofer" <fh_at_open.ch> wrote in message
news:4B8FDB2E.5000407_at_open.ch...
> Markus Moeller wrote:
>> Continuation needed means that the GSSAPI exchange has not finished and
>> the server needs more data from the client. Can you see in wireshark if
>> the token length is the one squid_kerb_auth says it is
>> > squid_kerb_auth: Got 'YRYI...' from squid (length: 3607)
>
> I could confirm that the data that the client sends in the HTTP request is
> the same that is received by squid_kerb_auth. "YR " is added by squid (the
> space in the log of my last post got lost).
>
> Further, I discovered that authentication is working for users from
> certain domains, but not for those at whose location the proxy is
> standing. I describe the AD domain setup in more detail:
>
> The computer account that is associated with the service principal in the
> keytab file is from domain A.EXAMPLE.COM. Users, for whom access is not
> working, are from domain B1.B.EXAMPLE.COM. Access is working for users
> from C.EXAMPLE.COM and a few others. The users from these "other" domains
> have been tested by starting IE as a user from that domain on a computer
> in domain C.EXAMPLE.COM. I forgot to mention that all the clients are
> Windows XP with IE7.
>
> The FQDN of the proxy is not in the Windows domain hierarchy. It is
> proxy.d1.d.example.com.
>
> I compiled squid_kerb_auth_test from Squid 3.1. On the proxy:
>
> ## With a user from non-working domain B1.B.EXAMPLE.COM
> # kinit user1@B1.B.EXAMPLE.COM
> user1@B1.B.EXAMPLE.COM's Password:
> # squid_kerb_auth_test proxy.d1.d.example.com
> 2010/03/04 15:26:51| squid_kerb_auth_test: gss_init_sec_context() failed:
> An unsupported mechanism was requested. unknown mech-code 0 for mech
> unknown
> Token: NULL
> # kinit -S HTTP/proxy.d1.d.example.com@A.EXAMPLE.COM
> user1@B1.B.EXAMPLE.COM's Password:
> kinit: krb5_get_init_creds: Server
> (HTTP/proxy.d1.d.example.com@B1.B.EXAMPLE.COM) unknown
>
> ## With a user from the domain of the proxy (A.EXAMPLE.COM)
> # kinit user2@A.EXAMPLE.COM
> user2@A.EXAMPLE.COM's Password:
> # squid_kerb_auth_test proxy.d1.d.example.com
> Token: YIIF...
> # kinit -S HTTP/proxy.d1.d.example.com@A.EXAMPLE.COM
> user2@A.EXAMPLE.COM's Password:
>
> Tomorrow I will try with a user from another domain that is working and
> that is outside A.EXAMPLE.COM. The content of my krb5.conf is:
>
> [libdefaults]
> default_realm = A.EXAMPLE.COM
>
> [realms]
> A.EXAMPLE.COM = {
> kdc = 10.0.0.1
> kdc = 10.0.0.2
> }
> B1.b.EXAMPLE.COM = {
> kdc = 10.1.0.1
> kdc = 10.1.0.2
> }
>
> [domain_realm]
> .example.com = A.EXAMPLE.COM
> example.com = A.EXAMPLE.COM
> .d1.d.example.com = A.EXAMPLE.COM
> d1.d.example.com = A.EXAMPLE.COM
>
> Fabian
>
Received on Fri Mar 05 2010 - 01:15:01 MST

This archive was generated by hypermail 2.2.0 : Mon Mar 08 2010 - 12:00:03 MST
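Editor's note: the krb5.conf quoted in the thread, run through a small Python checker. This is an added example, not part of the thread and not libkrb5; it reimplements the [domain_realm] lookup order (exact hostname, then each parent domain with a leading dot) and flags realm names that match a principal's realm only when case is ignored, since Kerberos realm names are case-sensitive. The config text is a constructed copy of the one above, trimmed to the sections the check uses.

```python
# Constructed copy of the krb5.conf quoted above, trimmed to the sections used.
KRB5_CONF = """[realms]
A.EXAMPLE.COM = {
kdc = 10.0.0.1
}
B1.b.EXAMPLE.COM = {
kdc = 10.1.0.1
}
[domain_realm]
.example.com = A.EXAMPLE.COM
example.com = A.EXAMPLE.COM
.d1.d.example.com = A.EXAMPLE.COM
d1.d.example.com = A.EXAMPLE.COM
"""

def parse_krb5_conf(text):
    # Minimal parser: {section: {key: value}}; 'NAME = {' blocks become lists.
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") or line == "}":
            block = None
            if line != "}":
                section = conf.setdefault(line.strip("[]"), {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, [])
            elif block is not None:
                block.append((key, value))
            else:
                section[key] = value
    return conf

def host_realm(conf, hostname):
    # libkrb5 order: exact hostname, then each parent domain with a leading dot.
    mapping = conf.get("domain_realm", {})
    labels = hostname.lower().split(".")
    candidates = [hostname.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[c] for c in candidates if c in mapping), None)

def realm_case_problems(conf, principals):
    # Realm names are case-sensitive: flag principal realms whose [realms]
    # entry matches only when case is ignored (e.g. B1.b vs B1.B).
    realms = conf.get("realms", {})
    wanted = {p.rsplit("@", 1)[1] for p in principals}
    return sorted((w, r) for w in wanted for r in realms if r != w and r.lower() == w.lower())

conf = parse_krb5_conf(KRB5_CONF)
print(host_realm(conf, "proxy.d1.d.example.com"), realm_case_problems(conf, ["user1@B1.B.EXAMPLE.COM"]))
```

A host with no [domain_realm] match returns None, meaning the library falls back to its default or DNS-based realm lookup.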