[squid-users] Re: Kerberos with 2008/2003 DC

From: SPG <spggps8.2_at_gmail.com>
Date: Tue, 7 May 2013 01:11:44 -0700 (PDT)

Many thanks, Markus, and sorry for my long delay in answering, but I didn't
know enough to reply to you.
I read a lot of posts and I checked my configuration, and I think that now I
can reply to you.
My configuration:

[logging]
 default = FILE:/var/log/krb/krb5libs.log
 kdc = FILE:/var/log/krb/krb5kdc.log
 admin_server = FILE:/var/log/krb/kadmind.log

[libdefaults]
 default_realm = ABG.CORP
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac

[realms]
 ABG.CORP = {
  default_domain = abg.corp
  kdc = XXXXXXX.abg.corp:88
  kdc = XXXXXXX.abg.corp:88
  admin_server = XXXXX.abg.corp:749
 }

[domain_realm]
 .abg.corp = ABG.CORP
 abg.corp = ABG.CORP

-rw-r----- 1 root squid 75 may 6 12:23 squid_w2008.keytab

kinit works properly for the kdc and admin_server with 2003 and 2008:

[root_at_proxyprueba ~]# kinit -V -kt /etc/squid/squid_w2008.keytab HTTP/proxyprueba.abg.corp
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/proxyprueba.abg.corp@ABG.CORP
Using keytab: /etc/squid/squid_w2008.keytab
Authenticated to Kerberos v5

and I view the ticket:

[root_at_proxyprueba ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/proxyprueba.abg.corp@ABG.CORP

Valid starting Expires Service principal
05/07/13 09:32:53 05/07/13 19:33:15 krbtgt/ABG.CORP@ABG.CORP
        renew until 05/08/13 09:32:53

All DNS resolutions are good:

direct --> proxyprueba.abg.corp. 3600 IN A 10.155.196.29

reverse --> 29.196.155.10.in-addr.arpa. 3600 IN PTR proxyprueba.abg.corp.

with DC is the same.

I configured the client (Windows XP and IE8) with the proxy name and port
8080, with a proxy PAC (URL). If I don't enable authentication, the client has
internet; if I enable authentication, it doesn't have internet.
I list all tickets on the client with kerbtray and never see
HTTP/proxyprueba.abg.corp@ABG.CORP. I captured the traffic between proxy and
client and only see this:

Hypertext Transfer Protocol
    HTTP/1.0 407 Proxy Authentication Required\r\n
        [Expert Info (Chat/Sequence): HTTP/1.0 407 Proxy Authentication
Required\r\n]
            [Message: HTTP/1.0 407 Proxy Authentication Required\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Version: HTTP/1.0
        Status Code: 407
        Response Phrase: Proxy Authentication Required
    Server: squid/3.1.10\r\n
    Mime-Version: 1.0\r\n
    Date: Tue, 07 May 2013 06:53:18 GMT\r\n
    Content-Type: text/html\r\n
    Content-Length: 3931\r\n
        [Content length: 3931]
    X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
    Vary: Accept-Language\r\n
    Content-Language: es\r\n
    Proxy-Authenticate: Negotiate\r\n
    X-Cache: MISS from proxyprueba.abg.corp\r\n
    X-Cache-Lookup: NONE from proxyprueba.abg.corp:8080\r\n
    Via: 1.0 proxyprueba.abg.corp (squid/3.1.10)\r\n
    Connection: keep-alive\r\n

After NTLM requirement

Can you help me? Now, I think that all is correct.

A lot of thanks.

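The post's krb5.conf has the shape that most often breaks a Squid Negotiate setup (realm name, [realms] block, [domain_realm] mapping, enctype lists). As an added example, not from the poster or the Squid project, here is a small checker that parses that nested syntax and reports the inconsistencies worth ruling out first; the sample file and the hostname dc1.abg.corp are constructed, and the list of weak enctypes is the example's own assumption.

```python
import re
# Constructed sample modelled on the krb5.conf in the post (not the poster's real file).
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = ABG.CORP
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
[realms]
 ABG.CORP = {
  default_domain = abg.corp
  kdc = dc1.abg.corp:88
  admin_server = dc1.abg.corp:749
 }
[domain_realm]
 .abg.corp = ABG.CORP
 abg.corp = ABG.CORP
"""
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"}

def parse_krb5_conf(text):
    """Parse krb5.conf's INI-like syntax, including 'NAME = { ... }' sub-blocks; values are lists."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:  # [section] header
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":  # end of a sub-block
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":  # start of a sub-block such as a realm definition
                block = section.setdefault(key, {})
            else:  # repeated keys (several kdc lines) are all kept
                (block if block is not None else section).setdefault(key, []).append(value)
    return conf

def check_krb5_conf(conf):
    """Return a list of findings; an empty list means the consistency checks passed."""
    findings, libdefaults = [], conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", [None])[0]
    if not conf.get("realms", {}).get(realm, {}).get("kdc"):
        findings.append(f"default_realm {realm!r} has no [realms] entry with a kdc")
    if realm not in {v[0] for v in conf.get("domain_realm", {}).values()}:
        findings.append(f"[domain_realm] never maps a DNS domain to {realm}")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        offered = set(libdefaults.get(key, [""])[0].split())
        if offered and offered <= WEAK_ENCTYPES:  # nothing stronger than RC4/DES on offer
            findings.append(f"{key} offers only weak enctypes: {' '.join(sorted(offered))}")
    return findings
```

Run against the sample, the realm and domain mapping pass and the only findings are the RC4-only enctype lists, which a 2008 DC accepts but which are worth widening to include AES.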
Received on Tue May 07 2013 - 08:11:48 MDT