[squid-users] kerberos ERROR: gss_accept_sec_context() failed: Unspecified GSS failure

From: Glenn groves <glenn.groves_at_gmail.com>
Date: Mon, 5 Aug 2013 12:32:45 +1000

Hi All,

I have been setting up a new proxy. It needs to have Kerberos auth so
that the users on the domain do not get prompted for a password, but
are authenticated and this is to show in the logs. Sorry for the
formatting, I tried using the bold and embed tags but they did not
work.

It does not work for Windows 7, Windows 8 or Windows 2008.

I have it working when I try from a Windows 2003 OS, and can see the
auth occurring in the logs:

............D1jAEc= user_at_DOMAIN.COM.AU

2013/08/05 11:48:16| squid_kerb_auth: INFO: User user_at_DOMAIN.COM.AU authenticated

However, from a Windows 7 or Windows 8 PC, the authentication does not
complete and instead there is an error:

2013/08/05 11:48:31| squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.

2013/08/05 11:48:31| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.

==> /var/log/squid/cache.log <==

2013/08/05 11:48:31| squid_kerb_auth: INFO: User not authenticated

Below is some information on the configuration:

We are running 3 x 2008R2 domain controllers and 1 x 2003 domain
controller, thus the domain mode is set to 2003.

The krb5.conf file contains:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = MYDOMAIN.COM.AU
    dns_lookup_kdc = false
    dns_lookup_realm = false
    ticket_lifetime = 24h
    default_keytab_name = /etc/squid/PROXY.keytab
    forwardable = true

; Note, because we have a 2003 domain controller, I have the 2003 lines uncommented below, not the 2008 lines with AES
; for Windows 2003
    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
;   default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;   default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;   permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    MYDOMAIN.COM.AU = {
        kdc = kdc1.mydomain.com.au
        kdc = kdc2.mydomain.com.au
        kdc = kdc3.mydomain.com.au
        kdc = kdc4.mydomain.com.au
        admin_server = kdc1.mydomain.com.au
        default_domain = mydomain.com.au
    }

[domain_realm]
    .mydomain.com.au = MYDOMAIN.COM.AU
    mydomain.com.au = MYDOMAIN.COM.AU

The squid.conf contains the following custom settings:

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -i -d -s HTTP/proxy.mydoamin.com.au
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours
acl ad_auth proxy_auth REQUIRE
http_access allow ad_auth
http_access allow localnet

(Note: I would like to get rid of the http_access allow localnet, but
even on 2003, when the auth works, internet access is denied without
this line.)

My /etc/sysconfig/squid file has the following custom lines:

KRB5_KTNAME=/etc/squid/PROXY.keytab
export KRB5_KTNAME

When I ran this command, the keytab was generated successfully:

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.mydomain.com.au -h proxy.mydomain.com.au -k /etc/squid/PROXY.keytab --computer-name PROXYK --upn HTTP/proxy.mydomain.com.au --server dc1.mydomain.com.au --verbose

The permissions on the keytab are below, which should be fine:

-rw-rw-rw-. 1 root root 1430 Aug 5 08:33 /etc/squid/PROXY.keytab

In summary, the fact that Windows 2003 works and gets authenticated shows
me that Kerberos is working, so why won't Windows 2008, 7 or 8 work?

Thanks,

Glenn
Received on Mon Aug 05 2013 - 02:32:53 MDT
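Added diagnostic for the situation above (my own example, not the poster's code and not part of Squid or msktutil): a small parser for the keytab named by KRB5_KTNAME / default_keytab_name that lists the enctypes it holds for the service principal given to squid_kerb_auth -s, since that name must match a keytab entry exactly (realm included) and the keytab must contain a key in an enctype the client's service ticket uses. build_keytab exists only to construct the inline sample; for a real check, read /etc/squid/PROXY.keytab and pass its bytes to enctypes_for_spn.

```python
import struct
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",  # RFC 3961/3962/4757 numbers
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def _cstr(data, pos):
    n, = struct.unpack_from(">H", data, pos)      # counted_octet_string: uint16 length + bytes
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Parse a version-2 (0x0502) keytab into a list of (principal, enctype) pairs."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # a negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos)
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _cstr(data, pos)
            comps.append(comp)
        pos += 9                       # skip uint32 name_type, uint32 timestamp, uint8 vno
        enctype, = struct.unpack_from(">H", data, pos)
        entries.append(("/".join(comps) + "@" + realm, enctype))
        pos = end                      # key bytes and the optional 32-bit kvno are not needed here
    return entries

def build_keytab(entries):
    """Write a version-2 keytab from (principal, kvno, enctype, key) tuples; used only to build the sample."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        parts = [realm] + name.split("/")           # realm first, then the name components
        body = struct.pack(">H", len(parts) - 1)
        body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
        body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key  # NT-PRINCIPAL, time 0, vno8, key
        out += struct.pack(">i", len(body)) + body
    return out

def enctypes_for_spn(data, principal):
    """Enctype names the keytab holds for one principal; an empty set means that exact name is absent."""
    return {ENCTYPE_NAMES.get(e, str(e)) for p, e in parse_keytab(data) if p == principal}

SAMPLE_KEYTAB = build_keytab([  # constructed sample, not the poster's PROXY.keytab: RC4 and DES keys, no AES
    ("HTTP/proxy.mydomain.com.au@MYDOMAIN.COM.AU", 2, 23, b"\x11" * 16),
    ("HTTP/proxy.mydomain.com.au@MYDOMAIN.COM.AU", 2, 3, b"\x22" * 8)])
```

Run against a real file with `enctypes_for_spn(open("/etc/squid/PROXY.keytab", "rb").read(), "HTTP/proxy.mydomain.com.au@MYDOMAIN.COM.AU")`; an empty set means the name in -s does not match any keytab entry, and a set without any aes entry means AES tickets cannot be accepted from that keytab.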