Re: [squid-users] Re: Squid authenticate in NTLMS not in KERBEROS from Mohamed Navas on 2012-07-02 (squid-users)

From: Mohamed Navas <vmnavas_at_gmail.com>
Date: Tue, 3 Jul 2012 07:54:14 +0400

Following is my krb5.conf details,
I tried both msktutil and ktpass in the active directory domain
server. The thing is working well with NTLM.

krb5.conf
=======
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = ACCT.SYSNET.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
#default_keytab_name = /etc/squid/HTTP.keytab
#allow_weak_crypto = yes

; for Windows 2003
      default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
ACCT.SYSNET.LOCAL = {
  kdc = ad01.acct.sysnet.local
  admin_server = ad01.acct.sysnet.local
  kdc = 192.168.8.122
}

[domain_realm]
.acct.sysnet.local = DXBPET.SYSNET.LOCAL
acct.sysnet.local = DXBPET.SYSNET.LOCAL

from squid.conf
===========

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#auth_param negotiate program /usr/sbin/squid_kerb_auth -d
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d
--ntlm /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=ACCT.SYSNET.LOCAL
--kerberos /usr/sbin/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=ACCT.SYSNET.LOCAL
auth_param ntlm children 10
auth_param ntlm keep_alive off
acl auth proxy_auth REQUIRED

On Tue, Jul 3, 2012 at 1:39 AM, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
> How does your configuration look like ? How did you create the keytab file ?
>
> Markus
>
>
> "Mohamed Navas" <vmnavas_at_gmail.com> wrote in message
> news:CAJa81O71_pG63hu7XGW2om6EOBGTS8y-=xDbSRAyaZgCANaJgw_at_mail.gmail.com...
>
>> Hi,
>>
>> I have setup the squid authentication with windows 2003 Domain
>> controller. But it's working well with NTLM, but failed with kerberso
>> ..getting following error:-
>>
>> =====================================================================
>> 2012/07/02 15:07:17| squid_kerb_auth: ERROR: gss_accept_sec_context()
>> failed: Unspecified GSS failure. Minor code may provide more
>> information.
>> 2012/07/02 15:07:17| negotiate_wrapper: Return 'BH
>> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
>> may provide more information.
>> '
>> 2012/07/02 15:07:17| authenticateNegotiateHandleReply: Error
>> validating user via Negotiate. Error returned 'BH
>> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
>> may provide more information
>>
>> =======================================================================
>>
>>
>
Received on Tue Jul 03 2012 - 03:54:21 MDT

This archive was generated by hypermail 2.2.0 : Wed Jul 04 2012 - 12:00:02 MDT