[squid-users] Squid 3.2 kerberos authentication

From: Ludovit Koren <ludovit.koren_at_gmail.com>
Date: Tue, 29 Jan 2013 13:49:41 +0100 (CET)

Hi,

I am using FreeBSD 8.1, samba 3.6.9 and squid 3.2.6.

The /etc/krb5.conf file:

[logging]
default = FILE:/var/log/krb.log
kdc = FILE:/var/log/krb.log
admin_server = FILE:/var/log/krb.log
default_keytab_name = /usr/local/etc/squid/HTTP.keytab

[libdefaults]
default_realm = MDPT.LOCAL
dns_lookup_realm = no
dns_lookup_kdc = no
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 EXAMPLE.LOCAL = {
  kdc = ads01.example.local:88
  admin_server = ads01.example.local:464
  default_domain = EXAMPLE.LOCAL
 }

[domain_realm]
.domain.local = EXAMPLE.LOCAL
domain.local = EXAMPLE.LOCAL

[appdefaults]
pam = {
 ticket_lifetime = 1d
 renew_lifetime = 1d
 forwardable = true
 proxiable = false
 retain_after_close = false
 minimum_uid = 1
}

# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: xkoren@EXAMPLE.LOCAL

  Issued           Expires          Principal
Jan 29 13:26:54  Jan 29 23:26:54  HTTP/squid2@EXAMPLE.LOCAL

and I get the following error:

2013/01/29 13:36:30 kid1| Starting new negotiateauthenticator helpers...
2013/01/29 13:36:30 kid1| helperOpenServers: Starting 1/32 'negotiate_wrapper_auth' processes
2013/01/29 13:36:30 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2013/01/29 13:36:30| negotiate_wrapper: Starting version 1.0.1
2013/01/29 13:36:30| negotiate_wrapper: NTLM command: /usr/local/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
2013/01/29 13:36:30| negotiate_wrapper: Kerberos command: /usr/local/libexec/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
2013/01/29 13:36:30| negotiate_wrapper: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
2013/01/29 13:36:30| negotiate_wrapper: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
2013/01/29 13:36:30| negotiate_wrapper: received type 1 NTLM token
negotiate_kerberos_auth.cc(271): pid=93059 :2013/01/29 13:36:30| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
2013/01/29 13:36:30| negotiate_wrapper: Return 'TT TlRMTVNTUAACAAAACAAIADgAAAAVgoniY4vxELxfaaEAAAAAAAAAAG4AbgBAAAAABgEAAAAAAA9NAEQAUABUAAIACABNAEQAUABUAAEADABTAFEAVQBJAEQAMgAEABwAdABlAGwAZQBjAG8AbQAuAGcAbwB2AC4AcwBrAAMAKgBzAHEAdQBpAGQAMgAuAHQAZQBsAGUAYwBvAG0ALgBnAG8AdgAuAHMAawAAAAAA
'
2013/01/29 13:36:30| negotiate_wrapper: Got 'KK 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' from squid (length: 571).
2013/01/29 13:36:30| negotiate_wrapper: Decode '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' (decoded length: 426).
2013/01/29 13:36:30| negotiate_wrapper: received type 3 NTLM token
2013/01/29 13:36:30| negotiate_wrapper: Return 'NA = NT_STATUS_UNSUCCESSFUL

I tried Google, but I cannot resolve the problem. Could you please be
so kind as to point me in the right direction?

Thank you very much in advance.

regards,

lk
Received on Tue Jan 29 2013 - 12:49:54 MST

This archive was generated by hypermail 2.2.0 : Thu Jan 31 2013 - 12:00:04 MST
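
Added example, not part of the original post and not Squid's own code: a small Python diagnostic that decodes the tokens Squid passes to negotiate_wrapper and reports whether each one is an NTLM message or a GSS-API (SPNEGO/Kerberos) token, which is the distinction the "received type 1 NTLM token" line in the log above reflects. The function names, the mechanism check on the first bytes, and the second sample line are assumptions made for illustration.

```python
import base64
import re

# Token lines as written by negotiate_wrapper: "Got '<code> <base64>' from squid".
GOT_RE = re.compile(r"negotiate_wrapper: Got '(\w\w) ([A-Za-z0-9+/=]+)' from squid")

NTLM_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2


def classify_token(b64_token):
    """Label a Negotiate token: NTLM message type or GSS-API mechanism."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "invalid-base64"
    if raw.startswith(NTLM_SIG) and len(raw) >= 12:
        # Bytes 8..11 hold the NTLM message type as a little-endian integer.
        return "ntlm-type-%d" % int.from_bytes(raw[8:12], "little")
    if raw[:1] == b"\x60":  # ASN.1 tag of a GSS-API initial context token
        head = raw[:24]
        if SPNEGO_OID in head:
            return "spnego"
        if KRB5_OID in head:
            return "kerberos"
    return "unknown"


def summarize(log_lines):
    """Classify every token Squid handed to the wrapper, in log order."""
    return [(m.group(1), classify_token(m.group(2)))
            for m in map(GOT_RE.search, log_lines) if m]


# The first line is the 'YR' request from the log above. The second is
# constructed (a truncated SPNEGO header) to show the Kerberos-capable case.
SAMPLE = [
    "2013/01/29 13:36:30| negotiate_wrapper: Got 'YR "
    "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).",
    "2013/01/29 13:40:00| negotiate_wrapper: Got 'YR "
    + base64.b64encode(b"\x60\x82\x01\x00" + SPNEGO_OID).decode()
    + "' from squid (length: 19).",
]

if __name__ == "__main__":
    for code, kind in summarize(SAMPLE):
        print(code, kind)
```

A cache.log that yields only ntlm-type-N labels shows that the client never sent a Kerberos ticket, so the Kerberos helper and keytab were not exercised by those requests.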