[squid-users] Kerberos with AD

From: Simon Dwyer <mail_at_simmyd.net>
Date: Mon, 16 Apr 2012 08:25:54 +1000

Hi All,

Have been banging my head against this for a few weeks now.

I have a fresh install of CentOS 6.2 and have installed Squid 3.1.10.

I have copied the Kerberos keytab file from our AD server. It was
created with the command:

ktpass -princ HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE -mapuser proxy-dev-k$@DOMAIN.EXAMPLE /rndpass -ptype KRB5_NT_PRINCIPAL -out c:\krb5.keytab

When that's on my server I can run

[root@proxy-dev ~]# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE (arcfour-hmac)

I can run kinit -k HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE
and that comes up in klist correctly.
My squid config has been cut down to be simple:

visible_hostname proxy-dev.domain.example
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -i -d -s HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE
auth_param negotiate children 10
auth_param negotiate keep_alive off
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl AUTHENTICATED proxy_auth REQUIRED
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
http_access deny !AUTHENTICATED
http_access allow AUTHENTICATED
http_access deny all
http_port 8080

When I have a user try and connect with Kerberos I get this error
message in cache.log:

2012/04/16 08:12:12| squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information.
2012/04/16 08:12:12| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. '
2012/04/16 08:12:12| squid_kerb_auth: INFO: User not authenticated

Any help would be awesome,
Cheers,
Simon Dwyer
Received on Sun Apr 15 2012 - 22:26:06 MDT
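The diagnostic below is an added example; it is not part of Simon's post and not a Squid or MIT Kerberos tool. It cross-checks the three names that have to agree before gss_accept_sec_context() can succeed on the proxy: the principal actually stored in the keytab (as shown by klist -ke), the principal squid_kerb_auth is told to use with -s in squid.conf, and the service principal a Negotiate client will ask the KDC for, which is HTTP/<proxy hostname as configured in the browser>@REALM. The klist and squid.conf text embedded in the script is constructed to mirror the post; the hostname proxy-dev.domain.example is taken from the visible_hostname line and is assumed, for the demonstration, to be the name browsers are pointed at. On a real proxy, pass the functions the output of klist -ke and the real squid.conf instead of the samples.

```shell
#!/bin/sh
# Added example, not from the post: cross-check the names involved in
# Squid Negotiate/Kerberos authentication.
#   1. principal in the keytab           (klist -ke)
#   2. principal given to the helper      (-s on the auth_param line)
#   3. SPN the client will request        HTTP/<proxy host in browser>@REALM
# The two samples below are constructed text mirroring the post.

SAMPLE_KLIST='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE (arcfour-hmac)'

SAMPLE_SQUID_CONF='visible_hostname proxy-dev.domain.example
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -i -d -s HTTP/proxy-dev-k.domain.example@DOMAIN.EXAMPLE
auth_param negotiate children 10'

# keytab_principals: print each principal from klist -ke text on stdin.
# Entry rows start with a numeric KVNO; header and rule lines do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# keytab_enctypes PRINCIPAL: enctypes stored for PRINCIPAL, from klist -ke text on stdin.
keytab_enctypes() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { gsub(/[()]/, "", $3); print $3 }'
}

# helper_principal: the -s argument on the negotiate helper line of squid.conf text on stdin.
helper_principal() {
    awk '$1 == "auth_param" && $2 == "negotiate" && $3 == "program" {
             for (i = 4; i < NF; i++) if ($i == "-s") { print $(i + 1); exit }
         }'
}

# client_spn HOST REALM: the service principal a Negotiate client requests for proxy HOST.
client_spn() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# has_principal PRINC KLIST_TEXT: exit 0 if PRINC appears in the keytab listing.
has_principal() {
    printf '%s\n' "$2" | keytab_principals | grep -qxF -- "$1"
}

# check_names HOST REALM KLIST_TEXT SQUID_CONF: report both checks; exit 0 only if both pass.
check_names() {
    host=$1; realm=$2; klist_text=$3; conf=$4; rc=0
    helper=$(printf '%s\n' "$conf" | helper_principal)
    want=$(client_spn "$host" "$realm")
    if has_principal "$helper" "$klist_text"; then
        echo "ok:   helper -s principal $helper is in the keytab"
    else
        echo "FAIL: helper -s principal $helper is not in the keytab"; rc=1
    fi
    if has_principal "$want" "$klist_text"; then
        echo "ok:   clients using proxy $host request $want, which is in the keytab"
    else
        echo "FAIL: clients using proxy $host request $want, which is not in the keytab"; rc=1
    fi
    return $rc
}

# Demonstration on the constructed samples, using the visible_hostname as the
# assumed browser proxy setting. The status is reported rather than aborting.
check_names proxy-dev.domain.example DOMAIN.EXAMPLE "$SAMPLE_KLIST" "$SAMPLE_SQUID_CONF" \
    || echo "one or more names disagree (exit status $?)"
```

In the samples the helper's -s principal is present in the keytab, but a client configured to use proxy-dev.domain.example would request HTTP/proxy-dev.domain.example@DOMAIN.EXAMPLE, which is not, and the acceptor has no key for that ticket. Whether that is what Simon's clients do depends on how the proxy name is spelled in the browser settings; the point of the check is to make the comparison explicit rather than to guess. keytab_enctypes lists the enctypes stored for a principal (only arcfour-hmac in the sample), which is the other thing to compare against the enctype of the ticket the client presents.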

This archive was generated by hypermail 2.2.0 : Mon Apr 16 2012 - 12:00:05 MDT