[squid-users] Re: Re: No Kerberos Auth

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 2 Nov 2012 00:09:24 -0000

Are you sure the rcache was disabled? Do you also use squid_kerb_ldap?

Markus

"Jarosch, Ralph" <Ralph.Jarosch_at_justiz.niedersachsen.de> wrote in message
news:C644CB972EDFA3488CFD140B498136231B5EB041_at_JUSTIZCEMBX14.justiz.niedersachsen.de...
OK, I found the problem.
If Kerberos is activated I have the following iostat

Device:    rrqm/s   wrqm/s      r/s      w/s    rkB/s    wkB/s avgrq-sz avgqu-sz    await    svctm    %util
sda          0,00  1306,60     0,00   192,20     0,00  5779,20    60,14    12,77    59,86     3,34    64,16
dm-0         0,00     0,00     0,00  1507,40     0,00  6029,60     8,00   184,16   114,43     0,43    64,20
dm-1         0,00     0,00     0,00     0,00     0,00     0,00     0,00     0,00     0,00     0,00     0,00
dm-2         0,00     0,00     0,00     0,00     0,00     0,00     0,00     0,00     0,00     0,00     0,00

If I disable Kerberos I get something like this:

Device:    rrqm/s   wrqm/s      r/s      w/s    rkB/s    wkB/s avgrq-sz avgqu-sz    await    svctm    %util
sda          0,00     1,20     0,00     0,80     0,00     8,00    20,00     0,01     8,75     6,50     0,52
dm-0         0,00     0,00     0,00     2,00     0,00     8,00     8,00     0,02     9,50     2,60     0,52
dm-1         0,00     0,00     0,00     0,00     0,00     0,00     0,00     0,00     0,00     0,00     0,00
dm-2         0,00     0,00     0,00     0,00     0,00     0,00     0,00     0,00     0,00     0,00     0,00

So can someone tell me which files are handled by the helper?

-----Original Message-----
From: Jarosch, Ralph [mailto:Ralph.Jarosch_at_justiz.niedersachsen.de]
Sent: Thursday, 1 November 2012 13:49
To: Jarosch, Ralph; Markus Moeller; squid-users_at_squid-cache.org
Subject: RE: [squid-users] Re: No Kerberos Auth

Hello Markus,

I've found an answer from you in this thread
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-kerb-auth-High-CPU-load-td4569213.html
where you wrote that it is better to deactivate the Kerberos replay cache by

KRB5RCACHETYPE=none
export KRB5RCACHETYPE

So I have done this. But when I now look into /var/tmp I see something like
this:

524289 4 drwxr-xr-x. 21 root root 4096 23. Feb 2012 ..
524658 4 -rw------- 1 root root 6 31. Okt 12:31 host_0
556670 160 -rw------- 1 squid squid 159568 1. Nov 13:37 HTTP_23
556440 644 -rw------- 1 root squid 654291 1. Nov 11:51 HTTP--PROXY--2-044_0
556647 420 -rw------- 1 squid squid 426700 1. Nov 13:45 HTTP--PROXY--2-044_23
556778 348 -rw------- 1 squid squid 355498 1. Nov 13:45 krb5_RC0wgu89
556770 364 -rw------- 1 squid squid 371134 1. Nov 13:45 krb5_RC1QKQZZ
556768 416 -rw------- 1 squid squid 421926 1. Nov 13:45 krb5_RC2ARJDz
556485 316 -rw------- 1 squid squid 322303 1. Nov 13:45 krb5_RC2sAN8f
556531 408 -rw------- 1 squid squid 416501 1. Nov 13:45 krb5_RC320K4T
556553 344 -rw------- 1 squid squid 350302 1. Nov 13:45 krb5_RC3IzwzV
556454 360 -rw------- 1 squid squid 365480 1. Nov 13:45 krb5_RC4EQh3a
556772 344 -rw------- 1 squid squid 350507 1. Nov 13:45 krb5_RC6RujE6
556563 364 -rw------- 1 squid squid 370475 1. Nov 13:45 krb5_RC6tC21J
556549 408 -rw------- 1 squid squid 416501 1. Nov 13:45 krb5_RC80gA4N
556721 416 -rw------- 1 squid squid 425832 1. Nov 13:45 krb5_RC978V2v
556701 364 -rw------- 1 squid squid 371785 1. Nov 13:45 krb5_RC9XR0Kd
556644 4 -rw------- 1 squid squid 6 1. Nov 13:45 krb5_RCaU8YfR
556764 420 -rw------- 1 squid squid 426049 1. Nov 13:45 krb5_RCAzy0sk
556659 376 -rw------- 1 squid squid 384588 1. Nov 13:45 krb5_RCBiW1Mh
556510 312 -rw------- 1 squid squid 316872 1. Nov 13:45 krb5_RCc6zIYF
556508 300 -rw------- 1 squid squid 303631 1. Nov 13:45 krb5_RCcaI3VJ
556461 400 -rw------- 1 squid squid 406085 1. Nov 13:45 krb5_RCClg8Et
556504 344 -rw------- 1 squid squid 348337 1. Nov 13:45 krb5_RCCs6MQJ
556439 4 -rw------- 1 squid squid 2 1. Nov 13:45 krb5_RCdo383X
556566 332 -rw------- 1 squid squid 338789 1. Nov 13:45 krb5_RCE8GITQ
556578 332 -rw------- 1 squid squid 336408 1. Nov 13:45 krb5_RCF9gZsN
556595 460 -rw------- 1 squid squid 470968 1. Nov 13:45 krb5_RCFUodDG
556488 416 -rw------- 1 squid squid 425832 1. Nov 13:45 krb5_RCGTDiEB
556709 332 -rw------- 1 squid squid 337710 1. Nov 13:45 krb5_RCgTwJ3f
556648 348 -rw------- 1 squid squid 353328 1. Nov 13:45 krb5_RCisx5n4
556759 380 -rw------- 1 squid squid 385890 1. Nov 13:45 krb5_RCJEBAOp
556758 340 -rw------- 1 squid squid 344220 1. Nov 13:45 krb5_RCJg0eSd
556432 420 -rw------- 1 squid squid 426049 1. Nov 13:45 krb5_RCJj4rHQ
556481 360 -rw------- 1 squid squid 367662 1. Nov 13:45 krb5_RCJreSOm
556675 352 -rw------- 1 squid squid 359199 1. Nov 13:45 krb5_RCJZYypn
556711 420 -rw------- 1 squid squid 426049 1. Nov 13:45 krb5_RCkRw9Ze
556777 340 -rw------- 1 squid squid 347469 1. Nov 13:45 krb5_RCL3Tgal
556760 344 -rw------- 1 squid squid 350302 1. Nov 13:45 krb5_RCLrZ1Di
556497 408 -rw------- 1 squid squid 416501 1. Nov 13:45 krb5_RClv9U8x
556522 364 -rw------- 1 squid squid 372736 1. Nov 13:45 krb5_RCN4uERP
556773 396 -rw------- 1 squid squid 404335 1. Nov 13:45 krb5_RCNkZeTL
556774 368 -rw------- 1 squid squid 375032 1. Nov 13:45 krb5_RCnOjYHH
556716 384 -rw------- 1 squid squid 389796 1. Nov 13:45 krb5_RCNyY5qU
556434 4 -rw------- 1 squid squid 2 1. Nov 13:45 krb5_RCocScCS
556762 396 -rw------- 1 squid squid 401731 1. Nov 13:45 krb5_RCODlWN5
556560 384 -rw------- 1 squid squid 389796 1. Nov 13:45 krb5_RCpaS6SL
556555 348 -rw------- 1 squid squid 352472 1. Nov 13:45 krb5_RCqtwlsZ
556771 420 -rw------- 1 squid squid 426483 1. Nov 13:45 krb5_RCqVMxHF
556529 316 -rw------- 1 squid squid 321863 1. Nov 13:45 krb5_RCr2X7QA
556761 348 -rw------- 1 squid squid 353774 1. Nov 13:45 krb5_RCr3bRH9
556698 320 -rw------- 1 squid squid 326426 1. Nov 13:45 krb5_RCREljB3
556493 408 -rw------- 1 squid squid 416501 1. Nov 13:45 krb5_RCsHmykO
556586 356 -rw------- 1 squid squid 363322 1. Nov 13:45 krb5_RCsP3jfM
556597 408 -rw------- 1 squid squid 416501 1. Nov 13:45 krb5_RCsu5Jtd
556435 356 -rw------- 1 squid squid 360923 1. Nov 13:45 krb5_RCT8Ai7n
556509 420 -rw------- 1 squid squid 426049 1. Nov 13:45 krb5_RCTABxmX
556567 420 -rw------- 1 squid squid 426700 1. Nov 13:45 krb5_RCUcdTjL
556734 332 -rw------- 1 squid squid 336408 1. Nov 13:45 krb5_RCUu6uoc
556775 384 -rw------- 1 squid squid 393051 1. Nov 13:45 krb5_RCvcTt9r
556462 420 -rw------- 1 squid squid 426483 1. Nov 13:45 krb5_RCvPAbL5
556442 428 -rw------- 1 squid squid 435814 1. Nov 13:45 krb5_RCvU8AuZ
556465 408 -rw------- 1 squid squid 413897 1. Nov 13:45 krb5_RCVUf8Qx
556602 424 -rw------- 1 squid squid 434176 1. Nov 13:45 krb5_RCVyqbdR
556562 428 -rw------- 1 squid squid 435814 1. Nov 13:45 krb5_RCweNiOb
556767 356 -rw------- 1 squid squid 363105 1. Nov 13:45 krb5_RCX0E5Nx
556528 380 -rw------- 1 squid squid 387184 1. Nov 13:45 krb5_RCxqyzb8
556679 360 -rw------- 1 squid squid 365697 1. Nov 13:45 krb5_RCY3iZtC
556769 420 -rw------- 1 squid squid 426700 1. Nov 13:45 krb5_RCyBEWeQ
556756 380 -rw------- 1 squid squid 386533 1. Nov 13:45 krb5_RCyyMnv4
556757 376 -rw------- 1 squid squid 382852 1. Nov 13:45 krb5_RCz2Efgl
556776 340 -rw------- 1 squid squid 346167 1. Nov 13:45 krb5_RCz5IwSr
556766 344 -rw------- 1 squid squid 349217 1. Nov 13:45 krb5_RCzEkkFY
556436 420 -rw------- 1 squid squid 426049 1. Nov 13:45 krb5_RCZoP903

Why is that happening?

Do you know a solution?

Thank you

Ralph
-----Original Message-----
From: Jarosch, Ralph [mailto:Ralph.Jarosch_at_justiz.niedersachsen.de]
Sent: Thursday, 1 November 2012 11:47
To: Markus Moeller; squid-users_at_squid-cache.org
Subject: RE: [squid-users] Re: No Kerberos Auth

Wonderful, now it works ... but it has got a little bit slow.
Is there any limitation on how many negotiate_wrapper I can start?
Actually I use 250 and every one is still busy.

-----Original Message-----
From: Markus Moeller [mailto:huaraz_at_moeller.plus.com]
Sent: Wednesday, 31 October 2012 21:22
To: squid-users_at_squid-cache.org
Subject: [squid-users] Re: No Kerberos Auth

Hi Ralph,

If you use NTLM and Kerberos make sure you do NOT use the same AD account for
both. The samba daemon will change the password on a regular basis which
will bring the keytab out of sync with the AD account.

Your proxy will not need any kerberos cache (except if you use my
squid_kerb_ldap module but it is not the root user cache as you show below).

Markus

"Jarosch, Ralph" <Ralph.Jarosch_at_justiz.niedersachsen.de> wrote in message
news:C644CB972EDFA3488CFD140B498136231B5E9B34_at_JUSTIZCEMBX14.justiz.niedersachsen.de...
I've found this today. Why is the last ticket not renewed? Could that
point to the problem?

[root@http-proxy ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/http-proxy.justiz.niedersachsen.de@JUSTIZ.NIEDERSACHSEN.DE

Valid starting     Expires            Service principal
10/30/12 14:47:38  10/31/12 00:47:37  krbtgt/JUSTIZ.NIEDERSACHSEN.DE@JUSTIZ.NIEDERSACHSEN.DE
        renew until 10/31/12 14:47:38
10/30/12 15:24:49  10/31/12 00:47:37  ldap/justizhadc01.justiz.niedersachsen.de@JUSTIZ.NIEDERSACHSEN.DE
        renew until 10/31/12 14:47:38
10/30/12 15:24:49  10/30/12 15:26:49  kadmin/changepw@JUSTIZ.NIEDERSACHSEN.DE
        renew until 10/30/12 15:26:49

-----Original Message-----
From: Jarosch, Ralph [mailto:Ralph.Jarosch_at_justiz.niedersachsen.de]
Sent: Tuesday, 30 October 2012 15:27
To: Bastien Ceriani
Cc: squid-users_at_squid-cache.org
Subject: RE: [squid-users] No Kerberos Auth

I think the encryption type is already 28.
This is the output with -- encrypt 28

-- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28

From: Jarosch, Ralph
Sent: Tuesday, 30 October 2012 15:24
To: 'Bastien Ceriani'
Cc: squid-users_at_squid-cache.org
Subject: RE: [squid-users] No Kerberos Auth

Oh OK. Yes, it worked fine until ten minutes before I wrote the mail. Then it
crashed from one minute to the next. I'm just troubleshooting the problem.

From: Bastien Ceriani [mailto:bastien.ceriani_at_bulkypix.com]
Sent: Tuesday, 30 October 2012 15:16
To: Jarosch, Ralph
Cc: squid-users_at_squid-cache.org
Subject: Re: [squid-users] No Kerberos Auth

Ok Thx,

With Windows Server 2008 you should use the --enctypes 28 parameter with
the msktutil command.

Did your NTLM authentication work fine? How did you configure it? With
Samba/Winbind?
On Tue, Oct 30, 2012 at 3:08 PM, Jarosch, Ralph
<Ralph.Jarosch_at_justiz.niedersachsen.de> wrote:
OK, for Wireshark I must wait until tonight because no one here can work if I
enable authentication.

My keytab

Keytab name: WRFILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   6 10/30/12 09:47:42 http-proxy$@JUSTIZ.NIEDERSACHSEN.DE (arcfour-hmac)
   6 10/30/12 09:47:42 http-proxy$@JUSTIZ.NIEDERSACHSEN.DE (aes128-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 http-proxy$@JUSTIZ.NIEDERSACHSEN.DE (aes256-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HTTP/http-proxy.justiz.niedersachsen.de@JUSTIZ.NIEDERSACHSEN.DE (arcfour-hmac)
   6 10/30/12 09:47:42 HTTP/http-proxy.justiz.niedersachsen.de@JUSTIZ.NIEDERSACHSEN.DE (aes128-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HTTP/http-proxy.justiz.niedersachsen.de@JUSTIZ.NIEDERSACHSEN.DE (aes256-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HTTP/http-proxy@JUSTIZ.NIEDERSACHSEN.DE (arcfour-hmac)
   6 10/30/12 09:47:42 HTTP/http-proxy@JUSTIZ.NIEDERSACHSEN.DE (aes128-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HTTP/http-proxy@JUSTIZ.NIEDERSACHSEN.DE (aes256-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HOST/HTTP-PROXY@JUSTIZ.NIEDERSACHSEN.DE (arcfour-hmac)
   6 10/30/12 09:47:42 HOST/HTTP-PROXY@JUSTIZ.NIEDERSACHSEN.DE (aes128-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HOST/HTTP-PROXY@JUSTIZ.NIEDERSACHSEN.DE (aes256-cts-hmac-sha1-96)

My Squid.conf

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -i -s HTTP/http-proxy.justiz.niedersachsen.de@JUSTIZ.NIEDERSACHSEN.DE
auth_param negotiate children 100
auth_param negotiate keep_alive on

auth_param ntlm keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 200

#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 200
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 hours

and my msktutil

msktutil -c -b "OU=Sonstige Server,OU=Globale Dienste,DC=justiz,DC=niedersachsen,DC=de" \
  -s HTTP/http-proxy.justiz.niedersachsen.de \
  -h http-proxy.justiz.niedersachsen.de \
  -k /etc/HTTP.keytab --computer-name http-proxy \
  --upn HTTP/http-proxy.justiz.niedersachsen.de \
  --server justizhadc01.justiz.niedersachsen.de --verbose

We use Windows 2008 R2 Server

From: Bastien Ceriani [mailto:bastien.ceriani_at_bulkypix.com]
Sent: Tuesday, 30 October 2012 15:00
To: Jarosch, Ralph
Subject: Re: [squid-users] No Kerberos Auth

I'm in the same case..
Try to check the Kerberos TGS REQ and TGS REP with Wireshark?

Can you display:
- your keytab? (klist -ekt HTTP.keytab)
- your auth_param squid config
- your msktutil command

What version of windows server is running ?

Regards,

On Tue, Oct 30, 2012 at 2:49 PM, Jarosch, Ralph
<Ralph.Jarosch_at_justiz.niedersachsen.de> wrote:
Hi,

I have some trouble authenticating our web browsers over Kerberos.
I always get the following error message.

2012/10/30 14:27:55| squid_kerb_auth: DEBUG: Decode '[base64 token omitted]' (decoded length: 2485).
2012/10/30 14:27:55| squid_kerb_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Unknown error
2012/10/30 14:27:55| squid_kerb_auth: INFO: User not authenticated
2012/10/30 14:27:55| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Unknown error'

I followed the manual on
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos.
Everything worked fine and I created the HTTP.keytab with msktutil.
I checked everything with

[root@http-proxy /]# kinit -V -k -t /etc/squid/HTTP.keytab HTTP/http-proxy.justiz.niedersachsen.de
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/http-proxy.justiz.niedersachsen.de@JUSTIZ.NIEDERSACHSEN.DE
Using keytab: /etc/squid/HTTP.keytab
Authenticated to Kerberos v5

So I have no idea what I'm doing wrong.

Is there any other way to troubleshoot the problem?

Thank you

Ralph
Received on Fri Nov 02 2012 - 00:09:57 MDT
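
Whether the replay cache was really disabled, as asked at the top of this thread, can be checked on the proxy itself by looking at the environment of the running helpers and at the krb5_RC* files in /var/tmp. The script below is an added example and not part of the original thread; it assumes a Linux /proc filesystem, and the function names (rcache_type, active_rcache_files, report) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): check whether KRB5RCACHETYPE=none
# actually reached the running Kerberos helpers, and whether replay cache
# files are still being written.

# rcache_type ENVIRON_FILE
# Print the KRB5RCACHETYPE value found in a NUL-separated environment file
# (the /proc/<pid>/environ format), or "unset" if it is missing or empty.
rcache_type() {
    val=$(tr '\0' '\n' 2>/dev/null < "$1" |
          sed -n 's/^KRB5RCACHETYPE=//p' | head -n 1)
    echo "${val:-unset}"
}

# active_rcache_files DIR [MINUTES]
# Count krb5_RC* files in DIR modified within the last MINUTES (default 5).
active_rcache_files() {
    find "$1" -maxdepth 1 -type f -name 'krb5_RC*' -mmin "-${2:-5}" |
        wc -l | tr -d ' '
}

# report [HELPER_PATTERN] [RCACHE_DIR]
# Walk the live helper processes. Reading another user's environ needs root.
report() {
    pattern=${1:-squid_kerb_auth}   # helper name as used in the squid.conf above
    dir=${2:-/var/tmp}              # directory where the krb5_RC* files appeared
    bad=0
    for pid in $(pgrep -f "$pattern"); do
        t=$(rcache_type "/proc/$pid/environ")
        echo "pid $pid KRB5RCACHETYPE=$t"
        [ "$t" = "none" ] || bad=$((bad + 1))
    done
    echo "helpers without KRB5RCACHETYPE=none: $bad"
    echo "krb5_RC* files touched recently in $dir: $(active_rcache_files "$dir")"
    [ "$bad" -eq 0 ]
}

# Run the live check only when asked, e.g.: sh check_rcache.sh --report
if [ "${1:-}" = "--report" ]; then
    report
fi
```

A helper that reports "unset" never inherited the variable from the process that started Squid, so the setting has to be made where Squid itself is launched.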
