[squid-users] Re: squid_kerb_auth: Unspecified GSS failure (W2K8)

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sun, 3 Nov 2013 00:20:55 -0000

Exactly you need the HTTP service principal in the keytab.

Regards
Markus

"Mihail Lukin" wrote in message
news:CAAmm_rYG0GiLjvaT50eeFL4JTzU9Ux0k01CvDCXH7D5H2C=0uQ_at_mail.gmail.com...

Thanks for the tip!

Here is what it shows:
Server Name (Service and Instance): HTTP/squidsrv.my.doma.in

So, it is the right protocol and host name. But I do not see exact
much in keytab. I'm not sure if it is the issue. I created keytab
exactly as was shown here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab
(samba version, not msktutil).

On Sun, Nov 3, 2013 at 1:29 AM, Markus Moeller <huaraz_at_moeller.plus.com>
wrote:
> Hi Mihail,
>
> If you use wireshark you can expand the details of:
>
> Proxy-Authorization: Negotiate YIIHoAYGKwYBB...
>
> It will tell you which service principal the client is sending to the
> server ? I wonder if the name matches the names in your keytab.
>
>
> Markus
>
> -----Original Message----- From: Mihail Lukin
> Sent: Saturday, November 02, 2013 9:15 PM
> To: Markus Moeller
> Cc: squid-users
> Subject: Re: [squid-users] Re: squid_kerb_auth: Unspecified GSS failure
> (W2K8)
>
>
> Hi, Markus!
>
> 1) Here is the output:
> Keytab name: FILE:/etc/squid/HTTP.keytab
> KVNO Timestamp Principal
> ---- -----------------
> --------------------------------------------------------
> 2 10/30/13 14:14:09 host/squidsrv.my.doma.in_at_MY.DOMA.IN (des-cbc-crc)
> 2 10/30/13 14:14:09 host/squidsrv.my.doma.in_at_MY.DOMA.IN (des-cbc-md5)
> 2 10/30/13 14:14:09 host/squidsrv.my.doma.in_at_MY.DOMA.IN (arcfour-hmac)
> 2 10/30/13 14:14:09 host/squidsrv.my.doma.in_at_MY.DOMA.IN
> (aes128-cts-hmac-sha1-96)
> 2 10/30/13 14:14:09 host/squidsrv.my.doma.in_at_MY.DOMA.IN
> (aes256-cts-hmac-sha1-96)
> 2 10/30/13 14:14:09 host/squidsrv_at_MY.DOMA.IN (des-cbc-crc)
> 2 10/30/13 14:14:09 host/squidsrv_at_MY.DOMA.IN (des-cbc-md5)
> 2 10/30/13 14:14:09 host/squidsrv_at_MY.DOMA.IN (arcfour-hmac)
> 2 10/30/13 14:14:09 host/squidsrv_at_MY.DOMA.IN (aes128-cts-hmac-sha1-96)
> 2 10/30/13 14:14:09 host/squidsrv_at_MY.DOMA.IN (aes256-cts-hmac-sha1-96)
> 2 10/30/13 14:14:09 SQUIDSRV$@MY.DOMA.IN (des-cbc-crc)
> 2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (des-cbc-md5)
> 2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (arcfour-hmac)
> 2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes128-cts-hmac-sha1-96)
> 2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes256-cts-hmac-sha1-96)
>
> 2) I see request header "Proxy-Authorization: Negotiate YIIHoAYGKwYBB..."
> 3) It worth to mention that using ntlm_auth instead of squid_kerb_auth
> works fine on this server.
>
>
> On Fri, Nov 1, 2013 at 1:45 AM, Markus Moeller <huaraz_at_moeller.plus.com>
> wrote:
>>
>> Hi Mihail,
>>
>> What does a klist -ekt <keytab> show ? ( I assume you use MIT Kerberos
>> on
>> the squid server)
>>
>> What do you see with wireshark in the authentication header send to
>> squid
>> ?
>>
>> Markus
>>
>> "Mihail Lukin" wrote in message
>> news:CAAmm_rZHZ8m1VbYF5mVW-ZbQYvOQhW0Nmf4saOp8GsY5x9KVJQ_at_mail.gmail.com...
>>
>>
>> I don't know why access-time is not being updated, but strace has
>> shown that keytab is being read successfully by squid_kerb_auth
>> process.
>>
>> On Thu, Oct 31, 2013 at 8:15 AM, Mihail Lukin <mihail.lukin_at_gmail.com>
>> wrote:
>>>
>>>
>>> Hello, Markus!
>>>
>>> Sorry for not mentioning it at once, KRB5_KTNAME is being exported in
>>> /etc/sysconfig/squid and is readable by squid group. But there is
>>> still something wrong with it: keytab's access time is not changed
>>> neither when I restart squid not when I request an URL through the
>>> proxy.
>>>
>>> I think I should strace squid_kerb_auth to see what happens. Thanks
>>> for the hint!
>>>
>>> On Thu, Oct 31, 2013 at 12:53 AM, Markus Moeller
>>> <huaraz_at_moeller.plus.com> wrote:
>>>>
>>>>
>>>> Hi Mihail,
>>>>
>>>> Did you use export KRB5_KTNAME to point to the right keytab ? Is the
>>>> keytab readable by the user under which squid runs ?
>>>>
>>>> Markus
>>>>
>>>> "Mihail Lukin" wrote in message
>>>>
>>>>
>>>> news:CAAmm_rZ8jNoeFMRGthiYeHQ+GgSfmySFnw8708dwdDVUW3=R_g_at_mail.gmail.com...
>>>>
>>>> Hello,
>>>>
>>>> I'm trying to configure Squid 3.1 to authenticate through AD with W2K8
>>>> DC with Kerberos. I used this how-to:
>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos on
>>>> CentOS 6 box that I've joined to domain with `net ads join`.
>>>>
>>>> Now I'm getting the error in cache.log when I'm trying to visit any
>>>> URL through this proxy:
>>>>
>>>> 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Got 'YR base64 encoded
>>>> data' from squid (length: 2295).
>>>> 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Decode 'base64 encoded
>>>> data' (decoded length: 1717).
>>>> 2013/10/30 17:07:41| squid_kerb_auth: ERROR: gss_acquire_cred()
>>>> failed: Unspecified GSS failure. Minor code may provide more
>>>> information.
>>>> 2013/10/30 17:07:41| authenticateNegotiateHandleReply: Error
>>>> validating user via Negotiate. Error returned 'BH gss_acquire_cred()
>>>> failed: Unspecified GSS failure. Minor code may provide more
>>>> information. '
>>>>
>>>> I could not figure out what the "minor code" is... I googled a lot with
>>>> no
>>>> luck.
>>>> Any help is very appreciated. Thanks in advance!
>>>>
>>>
>>>
>>>
>>> --
>>> С уважением,
>>> Михаил Лукин
>>
>>
>>
>>
>>
>> --
>> С уважением,
>> Михаил Лукин
>>
>
>
Received on Sun Nov 03 2013 - 00:21:15 MDT

This archive was generated by hypermail 2.2.0 : Sun Nov 03 2013 - 12:00:04 MST