[squid-users] Re: Re: help squid_kerb_auth

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 16 Jul 2010 13:48:13 +0100

Maybe there was still an old ticket on the client which has now expired.
This could be checked with kerbtray.

Markus

"Nicola Gentile" <nikkognt_at_gmail.com> wrote in message
news:AANLkTil4o5SIpA1Mz9IbdO7xuu6i_KNk4a9U17rFEieE_at_mail.gmail.com...
Now it works!
I have not changed anything.
Thanks for the help
Nicola Gentile

2010/7/16 Markus Moeller <huaraz_at_moeller.plus.com>:
> Hi Nicola,
>
> Can you run strace against squid_kerb_auth? You can do this by selecting
> just one child (e.g. auth_param negotiate children 1) and then do strace -f
> -F -p <pid of squid_kerb_auth>. Please send me the output. Can you also
> check on the client with kerbtray (available from Microsoft) that the
> client has a ticket for HTTP/squid.domain.com and which encryption type it
> is.
>
> Regards
> Markus
>
> "Nicola Gentile" <nikkognt_at_gmail.com> wrote in message
> news:AANLkTimlfs6h4t4ft4sw7kcv-eEhSizv1mvzQTlRrbZ6_at_mail.gmail.com...
>>
>> Good morning,
>> I successfully use squid to authenticate AD users in a domain
>> .dom3.dom2.dom1.com and it works fine.
>> The server is debian etch with squid 2.7.STABLE6 and the clients are
>> Windows (ntlm) and Linux (squid_kerb_auth).
>> On the Linux client PCs I installed samba+winbind. The user accounts and
>> computer accounts are in the domain .dom3.dom2.dom1.com.
>>
>> Now things have changed: the user accounts are in the parent domain
>> (.domain.com) and the computer accounts are in the child domain
>> (.child.domain.com).
>> The .domain.com is the root domain of the forest.
>> The forest is in mixed mode (Windows 2008 and Windows 2003).
>>
>> I have installed a server with debian lenny with squid 2.7.STABLE9.
>>
>> The configure options are:
>>
>> --prefix=/usr/local/squid
>> --enable-auth=negotiate ntlm
>> --enable-ntlm-auth-helpers=SMB
>> --enable-negotiate-auth-helpers=squid_kerb_auth
>> --enable-default-err-language=Italian
>> --enable-err-languages=Italian English
>> --enable-async-io
>> --with-pthreads
>> --enable-storeio=ufs aufs diskd null
>> --with-large-files
>>
>> This is my squid.conf
>>
>> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth
>> -d -s HTTP/squid.domain.com@.domain.com
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>> auth_param ntlm program /usr/local/squid/libexec/ntlm_auth
>> domain/server1 child/server2
>> auth_param ntlm children 30
>> auth_param ntlm keep_alive off
>> acl out proxy_auth REQUIRED
>> acl autkrb src 192.168.47.36
>> http_access allow out autkrb
>>
>> This is my krb5.conf
>>
>> [libdefaults]
>> default_realm = DOMAIN.COM
>>
>> # The following krb5.conf variables are only for MIT Kerberos.
>> krb4_config = /etc/krb.conf
>> krb4_realms = /etc/krb.realms
>> kdc_timesync = 1
>> ccache_type = 4
>> forwardable = true
>> proxiable = true
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ticket_lifetime = 24h
>> clockskew = 600
>>
>> [realms]
>> DOMAIN.COM = {
>> kdc = srv1.domain.com
>> admin_server = srv1.domain.com
>> default_domain = domain.com
>> }
>> CHILD.DOMAIN.COM = {
>> kdc = serv1.child.domain.com
>> admin_server = serv1.child.domain.com
>> }
>>
>> [domain_realm]
>> .domain.com = DOMAIN.COM
>> domain.com = DOMAIN.COM
>> .child.domain.com = CHILD.DOMAIN.COM
>> child.domain.com = CHILD.DOMAIN.COM
>>
>> I also added the following lines to squid start script.
>>
>> KRB5_KTNAME=/usr/local/squid/etc/squid20100714.keytab
>> export KRB5_KTNAME
>>
>> The DNS is configured as the parent Windows domain domain.com.
>>
>> On the client, each time I try to use Firefox, the squid server gives me
>> the following error:
>>
>> squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS
>> failure. Minor code may provide more information. No error
>>
>> In the browser I see the pop-up for username and password.
>>
>> What does this error mean?
>> Do you have any ideas?
>>
>> Thanks for your help
>>
>> Nikkognt
>>
>
>
>
Received on Fri Jul 16 2010 - 12:48:35 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 16 2010 - 12:00:03 MDT
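The krb5.conf [domain_realm] section and the squid_kerb_auth -s principal quoted in the thread, as an added example that is not part of the thread or of Squid's own code: it resolves a host to a realm the way MIT Kerberos walks [domain_realm] (the host itself, then each parent suffix with and without its leading dot, then default_realm) and checks that the service principal squid is started with has the form HTTP/<proxy FQDN>@<REALM> for the realm that lookup yields. The thread itself attributes the failure to an expired client ticket; this is only the configuration check one would run alongside kerbtray or klist. The sample configs are constructed from the post (the wrapped program line re-joined onto one line), the proxy FQDN squid.domain.com is taken from it, and the realm comparison is case-sensitive because Kerberos realm names are.

```python
"""Map a host to its realm via krb5.conf [domain_realm] and check the
squid_kerb_auth '-s' principal against HTTP/<fqdn>@<REALM>.
Added example; not code from the squid project or from the thread."""
import re
import shlex

# Constructed sample, reduced from the krb5.conf posted in the thread.
KRB5_CONF = """
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false

[realms]
DOMAIN.COM = {
kdc = srv1.domain.com
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
.child.domain.com = CHILD.DOMAIN.COM
child.domain.com = CHILD.DOMAIN.COM
"""

# Constructed samples: the program line as posted, and the same line with
# the realm written as a plain upper-case realm name.
SQUID_CONF_POSTED = ('auth_param negotiate program /usr/local/squid/libexec/'
                     'squid_kerb_auth -d -s HTTP/squid.domain.com@.domain.com')
SQUID_CONF_REALM_FORM = ('auth_param negotiate program /usr/local/squid/libexec/'
                         'squid_kerb_auth -d -s HTTP/squid.domain.com@DOMAIN.COM')


def parse_krb5_conf(text):
    """Return {section: {key: value}} for flat 'key = value' lines; the
    nested 'REALM = { ... }' blocks under [realms] are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif line.endswith('{'):
            depth += 1
        elif line == '}':
            depth -= 1
        elif depth == 0 and current and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            sections[current][key] = value
    return sections


def host_realm(host, conf):
    """MIT-style [domain_realm] walk: try the host, then alternately the
    dotted and bare parent suffixes ('.domain.com', 'domain.com', '.com',
    'com'); fall back to default_realm when nothing matches."""
    mapping = conf.get('domain_realm', {})
    cp = host.rstrip('.').lower()
    while cp:
        if cp in mapping:
            return mapping[cp]
        if cp.startswith('.'):
            cp = cp[1:]                      # '.domain.com' -> 'domain.com'
        else:
            dot = cp.find('.')               # 'domain.com'  -> '.com'
            cp = cp[dot:] if dot != -1 else ''
    return conf.get('libdefaults', {}).get('default_realm')


def squid_service_principal(squid_conf):
    """Return the '-s' argument of the auth_param negotiate program line."""
    for line in squid_conf.splitlines():
        parts = shlex.split(line)
        if parts[:3] == ['auth_param', 'negotiate', 'program'] and '-s' in parts:
            return parts[parts.index('-s') + 1]
    return None


def check_principal(principal, conf, proxy_fqdn):
    """Compare a configured principal with HTTP/<proxy_fqdn>@<realm> where
    the realm comes from host_realm(). Returns findings; [] means it matches."""
    m = re.fullmatch(r'([^/@]+)/([^/@]+)@(.+)', principal or '')
    if not m:
        return ['principal is not of the form service/host@REALM']
    service, host, realm = m.groups()
    expected = host_realm(proxy_fqdn, conf)
    findings = []
    if service != 'HTTP':
        findings.append(f'service part is {service!r}; browsers ask for HTTP/<proxy>')
    if host.lower() != proxy_fqdn.lower():
        findings.append(f'host part {host!r} is not the proxy FQDN {proxy_fqdn!r}')
    if realm.startswith('.'):
        findings.append(f'realm {realm!r} has a leading dot (domain_realm pattern, not a realm)')
    if realm != expected:
        findings.append(f'realm {realm!r} != {expected!r} from [domain_realm] (case-sensitive)')
    return findings


if __name__ == '__main__':
    conf = parse_krb5_conf(KRB5_CONF)
    for label, sc in (('posted', SQUID_CONF_POSTED), ('realm form', SQUID_CONF_REALM_FORM)):
        p = squid_service_principal(sc)
        print(f'{label}: {p} -> {check_principal(p, conf, "squid.domain.com") or "matches"}')
```

Alongside this, `klist -k -t -e "$KRB5_KTNAME"` lists the principals and encryption types held in the keytab the start script exports, which is what to compare with the ticket and encryption type kerbtray shows on the client for HTTP/squid.domain.com.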