[squid-users] negotiate_kerberos_auth - Operation not permitted

From: Подшивалов Антон <support_at_murmansk-tisiz.ru>
Date: Wed, 02 Jan 2013 13:07:33 +0400

Hello and Happy New Year!
Please help with my trouble. I want to use Kerberos authorisation, but in
the users' browsers an authorization dialog window appears, and no user
can get past it.

squid.conf:
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -s HTTP/proxy.m-tisiz.local_at_M-TISIZ.LOCAL
auth_param negotiate children 5
auth_param negotiate keep_alive on
external_acl_type ext_kerberos_ldap_group_acl ttl=60 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -g inet_users@ -D m-tisiz.local
acl ldap_group_check external ext_kerberos_ldap_group_acl

In /usr/local/etc/rc.d/squid:
KRB5_KTNAME=/usr/local/etc/squid/HTTP.keytab
export KRB5_KTNAME

proxy# ls -la | grep HTTP.keytab
-rwxrwxrwx 1 squid squid 387 Jan 1 14:14 HTTP.keytab
(these permissions are for testing only)

2013/01/02 12:50:47 kid1| Starting Squid Cache version 3.2.4 for
i386-portbld-freebsd8.3...
2013/01/02 12:50:47 kid1| Process ID 37309
2013/01/02 12:50:47 kid1| Process Roles: worker
2013/01/02 12:50:47 kid1| With 11095 file descriptors available
2013/01/02 12:50:47 kid1| Initializing IP Cache...
2013/01/02 12:50:47 kid1| DNS Socket created at 0.0.0.0, FD 7
2013/01/02 12:50:47 kid1| Adding domain m-tisiz.local from
/etc/resolv.conf
2013/01/02 12:50:47 kid1| Adding nameserver 192.168.100.244 from
/etc/resolv.conf
2013/01/02 12:50:47 kid1| Adding nameserver 192.168.100.250 from
/etc/resolv.conf
2013/01/02 12:50:47 kid1| helperOpenServers: Starting 0/5
'negotiate_kerberos_auth' processes
2013/01/02 12:50:47 kid1| helperStatefulOpenServers: No
'negotiate_kerberos_auth' processes needed.
2013/01/02 12:50:47 kid1| helperOpenServers: Starting 5/5
'ext_kerberos_ldap_group_acl' processes
2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation
not permitted
2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation
not permitted
2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation
not permitted
2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation
not permitted
kerberos_ldap_group.cc(336): pid=37310 :2013/01/02 12:50:47|
kerberos_ldap_group: INFO: Starting version 1.3.0sq
support_group.cc(367): pid=37310 :2013/01/02 12:50:47|
kerberos_ldap_group: INFO: Group list inet_users@
support_group.cc(425): pid=37310 :2013/01/02 12:50:47|
kerberos_ldap_group: INFO: Group inet_users Domain
support_netbios.cc(62): pid=37310 :2013/01/02 12:50:47|
kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(66): pid=37310 :2013/01/02 12:50:47|
kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(61): pid=37310 :2013/01/02 12:50:47|
kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(65): pid=37310 :2013/01/02 12:50:47|
kerberos_ldap_group: DEBUG: No ldap servers defined.
2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation
not permitted
2013/01/02 12:50:47 kid1| Unlinkd pipe opened on FD 23
2013/01/02 12:50:47 kid1| Local cache digest enabled; rebuild/rewrite
every 3600/3600 sec
2013/01/02 12:50:47 kid1| Logfile: opening log
daemon:/usr/squid/log/store.log
2013/01/02 12:50:47 kid1| Logfile Daemon: opening log
/usr/squid/log/store.log
2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation
not permitted
2013/01/02 12:50:47 kid1| Swap maxSize 1843200 + 204800 KB, estimated
157538 objects
2013/01/02 12:50:47 kid1| Target number of buckets: 7876
2013/01/02 12:50:47 kid1| Using 8192 Store buckets
2013/01/02 12:50:47 kid1| Max Mem size: 204800 KB
2013/01/02 12:50:47 kid1| Max Swap size: 1843200 KB
2013/01/02 12:50:47 kid1| Rebuilding storage in /usr/squid/ (no log)
2013/01/02 12:50:47 kid1| Using Least Load store dir selection
2013/01/02 12:50:47 kid1| Current Directory is /usr/local/etc/squid
2013/01/02 12:50:47 kid1| Loaded Icons.
2013/01/02 12:50:47.414 kid1| AsyncCall.cc(22) AsyncCall: The AsyncCall
clientListenerConnectionOpened constructed, this=0x293f6830 [call21]
2013/01/02 12:50:47.414 kid1| AsyncCall.cc(89) ScheduleCall:
StartListening.cc(54) will call
clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 27
flags=9, err=0, HTTP Socket port=0x28a16350) [call21]
2013/01/02 12:50:47.414 kid1| HTCP Disabled.
2013/01/02 12:50:47.414 kid1| Squid plugin modules loaded: 0
2013/01/02 12:50:47.414 kid1| AsyncCallQueue.cc(53) fireNext: entering
clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 27
flags=9, err=0, HTTP Socket port=0x28a16350)
2013/01/02 12:50:47.414 kid1| AsyncCall.cc(34) make: make call
clientListenerConnectionOpened [call21]
2013/01/02 12:50:47.414 kid1| Accepting HTTP Socket connections at
local=0.0.0.0:3128 remote=[::] FD 27 flags=9
2013/01/02 12:50:47.414 kid1| AsyncCallQueue.cc(55) fireNext: leaving
clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 27
flags=9, err=0, HTTP Socket port=0x28a16350)
2013/01/02 12:50:47.414 kid1| Done scanning /usr/squid/ dir (0 entries)
2013/01/02 12:50:47.414 kid1| Finished rebuilding storage from disk.
2013/01/02 12:50:47.414 kid1| 0 Entries scanned
2013/01/02 12:50:47.414 kid1| 0 Invalid entries.
2013/01/02 12:50:47.414 kid1| 0 With invalid flags.
2013/01/02 12:50:47.414 kid1| 0 Objects loaded.
2013/01/02 12:50:47.414 kid1| 0 Objects expired.
2013/01/02 12:50:47.414 kid1| 0 Objects cancelled.
2013/01/02 12:50:47.414 kid1| 0 Duplicate URLs purged.
2013/01/02 12:50:47.414 kid1| 0 Swapfile clashes avoided.
2013/01/02 12:50:47.414 kid1| Took 0.13 seconds ( 0.00 objects/sec).
2013/01/02 12:50:47.414 kid1| Beginning Validation Procedure
2013/01/02 12:50:47.414 kid1| Completed Validation Procedure
2013/01/02 12:50:47.414 kid1| Validated 0 Entries
2013/01/02 12:50:47.414 kid1| store_swap_size = 0.00 KB
2013/01/02 12:50:48 kid1| storeLateRelease: released 0 objects
2013/01/02 12:50:58 kid1| Starting new negotiateauthenticator
helpers...
2013/01/02 12:50:58 kid1| helperOpenServers: Starting 1/5
'negotiate_kerberos_auth' processes
2013/01/02 12:50:58 kid1| WARNING: no_suid: setuid(0): (1) Operation
not permitted
negotiate_kerberos_auth.cc(271): pid=37324 :2013/01/02 12:50:58|
negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(316): pid=37324 :2013/01/02 12:50:58|
negotiate_kerberos_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw==' from squid
(length: 59).
negotiate_kerberos_auth.cc(379): pid=37324 :2013/01/02 12:50:58|
negotiate_kerberos_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw==' (decoded
length: 40).
negotiate_kerberos_auth.cc(389): pid=37324 :2013/01/02 12:50:58|
negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2013/01/02 12:50:58 kid1| ERROR: Negotiate Authentication validating
user. Error returned 'BH received type 1 NTLM token'
2013/01/02 12:51:00.323 kid1| client_side.cc(764) swanSong:
local=192.168.100.216:3128 remote=192.168.100.244:63943 flags=1

The log line "WARNING: no_suid: setuid(0): (1) Operation not permitted" looks
like a permission problem, but the permissions on HTTP.keytab are OK.

proxy# kinit AnteC
AnteC_at_M-TISIZ.LOCAL's Password:
proxy# klist
Credentials cache: FILE:/tmp/krb5cc_0
         Principal: AnteC_at_M-TISIZ.LOCAL

   Issued Expires Principal
Jan 2 12:58:48 Jan 2 22:58:48 krbtgt/M-TISIZ.LOCAL_at_M-TISIZ.LOCAL

I created the keytab on Windows 2008 Server:
ktpass.exe /princ HTTP/proxy.m-tisiz.local_at_M-TISIZ.LOCAL /mapuser proxy_squid_at_M-TISIZ.LOCAL /crypto ALL /ptype KRB5_NT_PRINCIPAL /pass +rndpass /out C:\HTTP.keytab
Received on Wed Jan 02 2013 - 09:07:50 MST
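The helper's DEBUG line in the log above shows the raw token the browser sent. As an added diagnostic (not part of this post, of Squid, or of negotiate_kerberos_auth), the following Python decodes such a token and tells an NTLMSSP message apart from a SPNEGO or raw Kerberos GSS-API token; the log line is copied (unwrapped) from the post and the SPNEGO header is a constructed minimal sample.

```python
import base64
import re

# Helper DEBUG line copied (unwrapped) from the squid log in the post above.
LOG_LINE = ("negotiate_kerberos_auth: DEBUG: Got 'YR "
            "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw==' "
            "from squid (length: 59).")

# Constructed minimal GSS-API InitialContextToken carrying the SPNEGO mech OID.
SAMPLE_SPNEGO = bytes.fromhex("600c06062b0601050502a0023000")

NTLMSSP_SIG = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2


def der_length(buf, pos):
    """Decode a DER/BER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_token(raw):
    """Describe what kind of authentication token the client presented."""
    if raw.startswith(NTLMSSP_SIG):
        # NTLMSSP: 8-byte signature, then little-endian message type (1/2/3).
        msg_type = int.from_bytes(raw[8:12], "little")
        return f"NTLMSSP type {msg_type}"
    if raw[:1] == b"\x60":
        # GSS-API InitialContextToken: 0x60, length, then the mechanism OID.
        _, pos = der_length(raw, 1)
        if pos >= len(raw) or raw[pos] != 0x06:
            return "GSS-API token without a mech OID"
        oid_len, pos = der_length(raw, pos + 1)
        oid = raw[pos:pos + oid_len]
        if oid == OID_SPNEGO:
            return "SPNEGO"
        if oid == OID_KRB5:
            return "Kerberos 5"
        return "GSS-API, unknown mech " + oid.hex()
    return "unrecognised"


def classify_log_line(line):
    """Extract the helper-protocol word (YR = first token, KK = continuation) and classify the token."""
    m = re.search(r"Got '(YR|KK) ([A-Za-z0-9+/=]+)'", line)
    if not m:
        return None
    return m.group(1), classify_token(base64.b64decode(m.group(2)))


if __name__ == "__main__":
    print(classify_log_line(LOG_LINE))
    print(classify_token(SAMPLE_SPNEGO))
```

An NTLMSSP type 1 token, as in this log, typically means the client could not obtain a Kerberos service ticket for the proxy's SPN and fell back to NTLM, which negotiate_kerberos_auth rejects with the 'BH received type 1 NTLM token' error shown; checking the token type first separates a client-side SPN or ticket problem from a keytab or helper problem on the proxy.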