[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Mon, 23 Dec 2013 16:33:59 -0000

Hi,

   Are you sure your squid user has read access to the keytab? If the KVNO
and HTTP/... name in the ticket match what is in the keytab it should
work.

   If your AD entry has also the userprincipalname set to HTTP/proxy....
you can test with kinit -kt <keytab> HTTP/proxy02... It shouldn't produce
an error. It creates a cache which you can look at with klist.

Markus

"flypast" wrote in message news:1387772115044-4663993.post_at_n4.nabble.com...

Hi Markus,

Firstly, thank you very much and Merry Christmas!!!

Tried as you suggested.

But still no luck.

The logs are below:
2013/12/23 14:27:47| squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
2013/12/23 14:27:47| squid_kerb_auth: INFO: User not authenticated
2013/12/23 14:27:47| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information

BTW:

On the DC
C:\Users\Administrator>setspn -L proxy02
Registered ServicePrincipalNames for CN=proxy02,CN=Computers,DC=deeplayer,DC=com:
        HTTP/proxy02.deeplayer.com

[root@proxy01 squid]# klist -ekt /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  16 12/22/13 13:14:31 proxy02$@DEEPLAYER.COM (arcfour-hmac)
  16 12/22/13 13:14:31 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96)
  16 12/22/13 13:14:31 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)
  16 12/22/13 13:14:31 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (arcfour-hmac)
  16 12/22/13 13:14:31 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (aes128-cts-hmac-sha1-96)
  16 12/22/13 13:14:31 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)

Received on Mon Dec 23 2013 - 16:34:16 MST
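
Added example, not part of the original thread or of Squid's helper: a shell sketch of the checks Markus describes (keytab readable by the squid user, and the ticket's KVNO and HTTP/ principal present in the keytab). The function names, the `squid` account name and the sample listing are assumptions made for illustration; `live_check` needs the MIT krb5 tools and a user TGT, and the enctype argument is the one `klist -e` shows for the service ticket.

```shell
#!/bin/sh
# Constructed sample, modelled on the `klist -ekt` listing quoted in the thread.
SAMPLE_KEYTAB='KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
  16 12/22/13 13:14:31 proxy02$@DEEPLAYER.COM (arcfour-hmac)
  16 12/22/13 13:14:31 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (arcfour-hmac)
  16 12/22/13 13:14:31 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)'

# ticket_kvno KVNO_OUTPUT
# Extracts N from the "principal: kvno = N" line printed by MIT `kvno`.
ticket_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*: kvno = \([0-9][0-9]*\)$/\1/p'
}

# check_match LISTING PRINCIPAL KVNO ENCTYPE
# Compares one ticket (principal, KVNO, enctype) with `klist -ekt` text and
# prints: match | enctype-missing | kvno-mismatch | principal-missing
check_match() {
    printf '%s\n' "$1" | awk -v p="$2" -v k="$3" -v e="($4)" '
        $1 ~ /^[0-9]+$/ && $4 == p {          # data rows start with a KVNO
            seen = 1
            if ($1 == k) { kv = 1; if ($5 == e) ok = 1 }
        }
        END {
            if (ok)        print "match"
            else if (kv)   print "enctype-missing"
            else if (seen) print "kvno-mismatch"
            else           print "principal-missing"
        }'
}

# live_check KEYTAB PRINCIPAL ENCTYPE
# Runs the same comparison against a real keytab; "squid" is the assumed
# name of the account the proxy (and its auth helper) runs as.
live_check() {
    sudo -u squid test -r "$1" || { echo "keytab-unreadable"; return 1; }
    check_match "$(klist -ekt "$1")" "$2" "$(ticket_kvno "$(kvno "$2")")" "$3"
}

# Stand-alone run on the constructed sample.
check_match "$SAMPLE_KEYTAB" 'HTTP/proxy02.deeplayer.com@DEEPLAYER.COM' 16 arcfour-hmac
```

On a proxy host, `live_check /etc/squid/squid.keytab HTTP/proxy02.deeplayer.com@DEEPLAYER.COM arcfour-hmac` performs the same comparison against the real keytab and the KDC's current key version.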
