[squid-users] Re: help squid_kerb_auth

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 15 Jul 2010 23:40:18 +0100

Hi Nicola,

  Can you run strace against squid_kerb_auth? You can do this by selecting
just one child (e.g. auth_param negotiate children 1) and then running
strace -f -F -p <pid of squid_kerb_auth>. Please send me the output. Can you
also check on the client with kerbtray (available from Microsoft) that the
client has a ticket for HTTP/squid.domain.com and which encryption type it
is.

Regards
Markus

"Nicola Gentile" <nikkognt_at_gmail.com> wrote in message
news:AANLkTimlfs6h4t4ft4sw7kcv-eEhSizv1mvzQTlRrbZ6_at_mail.gmail.com...
> Good morning,
> I use successfully squid to authenticate AD users in a domain
> .dom3.dom2.dom1.com and it works fine.
> The server is debian etch with squid 2.7.STABLE6 and the clients are
> Windows (ntlm) and Linux (squid_kerb_auth).
> On Linux client pc I installed samba+winbind. The users accounts and
> computers accounts are on a domain .dom3.dom2.dom1.com.
>
> Now things have changed, the users accounts are on parent domain
> (.domain.com) and the computers accounts are in child domain
> (.child.domain.com).
> The .domain.com is a root domain of forest.
> The forest is in a mixed mode (windows 2008 and windows 2003).
>
> I have installed a server with debian lenny with squid 2.7.STABLE9.
>
> The configure options are:
>
> --prefix=/usr/local/squid
> --enable-auth=negotiate ntlm
> --enable-ntlm-auth-helpers=SMB
> --enable-negotiate-auth-helpers=squid_kerb_auth
> --enable-default-err-language=Italian
> --enable-err-languages=Italian English
> --enable-async-io
> --with-pthreads
> --enable-storeio=ufs aufs diskd null
> --with-large-files
>
> This is my squid.conf
>
> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth
> -d -s HTTP/squid.domain.com@.domain.com
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> auth_param ntlm program /usr/local/squid/libexec/ntlm_auth
> domain/server1 child/server2
> auth_param ntlm children 30
> auth_param ntlm keep_alive off
> acl out proxy_auth REQUIRED
> acl autkrb src 192.168.47.36
> http_access allow out autkrb
>
> This is my krb5.conf
>
> [libdefaults]
> default_realm = DOMAIN.COM
>
> # The following krb5.conf variables are only for MIT Kerberos.
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> clockskew = 600
>
> [realms]
> DOMAIN.COM = {
> kdc = srv1.domain.com
> admin_server = srv1.domain.com
> default_domain = domain.com
> }
> CHILD.DOMAIN.COM = {
> kdc = serv1.child.domain.com
> admin_server = serv1.child.domain.com
> }
>
> [domain_realm]
> .domain.com = DOMAIN.COM
> domain.com = DOMAIN.COM
> .child.domain.com = CHILD.DOMAIN.COM
> child.domain.com = CHILD.DOMAIN.COM
>
> I also added the following lines to squid start script.
>
> KRB5_KTNAME=/usr/local/squid/etc/squid20100714.keytab
> export KRB5_KTNAME
>
> The DNS is configured as the parent Windows domain domain.com.
>
> On the client, each time I try to use Firefox, the squid server gives me
> the following error:
>
> squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS
> failure. Minor code may provide more information. No error
>
> In the browser I see the pop-up for username and password.
>
> What does this error mean?
> Do you have any ideas?
>
> Thanks for your help
>
> Nikkognt
>
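The check Markus asks for (does the client hold a ticket for HTTP/squid.domain.com, and with which encryption type) is only half of the comparison: the proxy's keytab named in KRB5_KTNAME must hold a key of the same encryption type for that principal, or gss_accept_sec_context() cannot decrypt the ticket. The script below is an added example and is not part of the thread; it parses constructed sample text in the format of MIT "klist -e" (client ticket cache) and "klist -k -e -t" (keytab) output and reports whether the ticket enctype has a matching keytab entry. The principal name, keytab path and enctypes in the samples are assumptions taken from the posted configuration, not real data.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): compare the encryption
# type of a client's HTTP/ service ticket with the encryption types present
# in the proxy's keytab. A service ticket whose enctype has no matching key
# in KRB5_KTNAME is one common reason gss_accept_sec_context() fails.
# Both klist outputs below are constructed sample text, not real output.

# Constructed sample: what "klist -e" might print on the Linux client.
CLIENT_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DOMAIN.COM

Valid starting       Expires              Service principal
07/15/10 09:00:00  07/15/10 19:00:00  krbtgt/DOMAIN.COM@DOMAIN.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
07/15/10 09:00:05  07/15/10 19:00:00  HTTP/squid.domain.com@DOMAIN.COM
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
'

# Constructed sample: what "klist -k -e -t $KRB5_KTNAME" might print on the proxy.
KEYTAB_KLIST='Keytab name: FILE:/usr/local/squid/etc/squid20100714.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 07/14/10 10:00:00 HTTP/squid.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 07/14/10 10:00:00 HTTP/squid.domain.com@DOMAIN.COM (aes128-cts-hmac-sha1-96)
'

# Print the ticket enctype (the "tkt" value) for one service principal from
# "klist -e" output; print nothing if the cache holds no ticket for it.
#   $1 = klist -e output, $2 = principal (e.g. HTTP/squid.domain.com@DOMAIN.COM)
ticket_enctype() {
    printf '%s\n' "$1" | awk -v spn="$2" '
        $NF == spn { found = 1; next }          # principal line: remember it
        found && /Etype/ { sub(/.*, /, ""); print; exit }  # keep last enctype
        { found = 0 }                           # any other line resets state
    '
}

# Print every enctype the keytab holds for one principal, one per line.
#   $1 = klist -k -e -t output, $2 = principal
keytab_enctypes() {
    printf '%s\n' "$1" | awk -v spn="$2" '
        $4 == spn { gsub(/[()]/, "", $5); print $5 }
    '
}

# Return 0 if the client ticket enctype has a matching keytab key, 1 otherwise.
#   $1 = client klist output, $2 = keytab klist output, $3 = principal
enctype_matches() {
    tkt=$(ticket_enctype "$1" "$3")
    if [ -z "$tkt" ]; then
        echo "no ticket for $3 in the client cache"
        return 1
    fi
    if keytab_enctypes "$2" "$3" | grep -qx "$tkt"; then
        echo "ticket enctype $tkt has a matching key in the keytab"
        return 0
    fi
    echo "ticket enctype $tkt has no key in the keytab (keytab has: $(keytab_enctypes "$2" "$3" | tr '\n' ' '))"
    return 1
}

# Worked run on the constructed samples: the ticket is arcfour-hmac, the keytab
# only holds AES keys, so the mismatch is reported.
if enctype_matches "$CLIENT_KLIST" "$KEYTAB_KLIST" "HTTP/squid.domain.com@DOMAIN.COM"; then
    echo "enctypes agree; the GSS failure has another cause"
else
    echo "enctype mismatch is a plausible cause of the gss_accept_sec_context() failure"
fi
```

On a real system the two inputs come from "klist -e" on the client and "klist -k -e -t /usr/local/squid/etc/squid20100714.keytab" on the proxy (run as the user squid_kerb_auth runs as, so the keytab is readable), e.g. enctype_matches "$(klist -e)" "$(klist -k -e -t "$KRB5_KTNAME")" HTTP/squid.domain.com@DOMAIN.COM. The KVNO column is worth comparing the same way: a ticket issued against a newer key version than the keytab holds fails identically.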
Received on Thu Jul 15 2010 - 22:40:41 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 16 2010 - 12:00:03 MDT