Re: [squid-users] Re: squid_kerb_auth: Unspecified GSS failure (W2K8)

From: Mihail Lukin <mihail.lukin_at_gmail.com>
Date: Thu, 31 Oct 2013 08:54:11 +0400

I don't know why access-time is not being updated, but strace has
shown that the keytab is being read successfully by the squid_kerb_auth
process.

On Thu, Oct 31, 2013 at 8:15 AM, Mihail Lukin <mihail.lukin_at_gmail.com> wrote:
> Hello, Markus!
>
> Sorry for not mentioning it at once, KRB5_KTNAME is being exported in
> /etc/sysconfig/squid and is readable by the squid group. But there is
> still something wrong with it: the keytab's access time is changed
> neither when I restart squid nor when I request a URL through the
> proxy.
>
> I think I should strace squid_kerb_auth to see what happens. Thanks
> for the hint!
>
> On Thu, Oct 31, 2013 at 12:53 AM, Markus Moeller
> <huaraz_at_moeller.plus.com> wrote:
>> Hi Mihail,
>>
>> Did you use export KRB5_KTNAME to point to the right keytab? Is the
>> keytab readable by the user under which squid runs?
>>
>> Markus
>>
>> "Mihail Lukin" wrote in message
>> news:CAAmm_rZ8jNoeFMRGthiYeHQ+GgSfmySFnw8708dwdDVUW3=R_g_at_mail.gmail.com...
>>
>> Hello,
>>
>> I'm trying to configure Squid 3.1 to authenticate through AD with W2K8
>> DC with Kerberos. I used this how-to:
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos on
>> CentOS 6 box that I've joined to domain with `net ads join`.
>>
>> Now I'm getting the error in cache.log when I'm trying to visit any
>> URL through this proxy:
>>
>> 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Got 'YR base64 encoded
>> data' from squid (length: 2295).
>> 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Decode 'base64 encoded
>> data' (decoded length: 1717).
>> 2013/10/30 17:07:41| squid_kerb_auth: ERROR: gss_acquire_cred()
>> failed: Unspecified GSS failure. Minor code may provide more
>> information.
>> 2013/10/30 17:07:41| authenticateNegotiateHandleReply: Error
>> validating user via Negotiate. Error returned 'BH gss_acquire_cred()
>> failed: Unspecified GSS failure. Minor code may provide more information. '
>>
>> I could not figure out what the "minor code" is... I googled a lot with no
>> luck.
>> Any help is much appreciated. Thanks in advance!
>>
>
>
>
> --
> Best regards,
> Mihail Lukin

-- 
Best regards,
Mihail Lukin
Received on Thu Oct 31 2013 - 04:54:44 MDT
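
The two checks Markus asks about (does KRB5_KTNAME resolve to a keytab, and can the account running squid read it), as an added example that is not part of the original thread. It looks at owner/group/other mode bits only (no ACLs), also flags a world-readable keytab because the file holds the service's long-term key, and assumes the account is named `squid` unless another name is passed.

```python
import os
import stat
import sys

def resolve_keytab(env):
    """Map KRB5_KTNAME to a file path; None when the variable is unset."""
    name = env.get("KRB5_KTNAME", "")
    for prefix in ("FILE:", "WRFILE:"):  # MIT keytab type prefixes
        if name.startswith(prefix):
            return name[len(prefix):]
    return name or None

def check_keytab(env, uid, gids):
    """Return finding codes for the keytab as seen by uid/gids (mode bits only)."""
    path = resolve_keytab(env)
    if path is None:
        return ["unset"]      # the helper would fall back to the default keytab
    try:
        st = os.stat(path)
    except OSError:
        return ["missing"]    # wrong path, or a parent directory blocks access
    if st.st_uid == uid:
        readable = st.st_mode & stat.S_IRUSR
    elif st.st_gid in gids:
        readable = st.st_mode & stat.S_IRGRP
    else:
        readable = st.st_mode & stat.S_IROTH
    findings = []
    if not readable:
        findings.append("unreadable")
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable")  # service key exposed to every local user
    return findings

if __name__ == "__main__":
    import grp
    import pwd
    user = sys.argv[1] if len(sys.argv) > 1 else "squid"  # assumed account name
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    print(check_keytab(os.environ, pw.pw_uid, gids) or "ok")
```

Run it with the same environment squid gets (for example after sourcing /etc/sysconfig/squid), since the helper inherits KRB5_KTNAME from the squid process.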
