Hi, Markus!
1) Here is the output:
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
2 10/30/13 14:14:09 host/squidsrv.my.doma.in_at_MY.DOMA.IN (des-cbc-crc)
2 10/30/13 14:14:09 host/squidsrv.my.doma.in_at_MY.DOMA.IN (des-cbc-md5)
2 10/30/13 14:14:09 host/squidsrv.my.doma.in_at_MY.DOMA.IN (arcfour-hmac)
2 10/30/13 14:14:09 host/squidsrv.my.doma.in_at_MY.DOMA.IN
(aes128-cts-hmac-sha1-96)
2 10/30/13 14:14:09 host/squidsrv.my.doma.in_at_MY.DOMA.IN
(aes256-cts-hmac-sha1-96)
2 10/30/13 14:14:09 host/squidsrv_at_MY.DOMA.IN (des-cbc-crc)
2 10/30/13 14:14:09 host/squidsrv_at_MY.DOMA.IN (des-cbc-md5)
2 10/30/13 14:14:09 host/squidsrv_at_MY.DOMA.IN (arcfour-hmac)
2 10/30/13 14:14:09 host/squidsrv_at_MY.DOMA.IN (aes128-cts-hmac-sha1-96)
2 10/30/13 14:14:09 host/squidsrv_at_MY.DOMA.IN (aes256-cts-hmac-sha1-96)
2 10/30/13 14:14:09 SQUIDSRV$@MY.DOMA.IN (des-cbc-crc)
2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (des-cbc-md5)
2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (arcfour-hmac)
2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes128-cts-hmac-sha1-96)
2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes256-cts-hmac-sha1-96)
2) I see request header "Proxy-Authorization: Negotiate YIIHoAYGKwYBB..."
3) It worth to mention that using ntlm_auth instead of squid_kerb_auth
works fine on this server.
On Fri, Nov 1, 2013 at 1:45 AM, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
> Hi Mihail,
>
> What does a klist -ekt <keytab> show ? ( I assume you use MIT Kerberos on
> the squid server)
>
> What do you see with wireshark in the authentication header send to squid
> ?
>
> Markus
>
> "Mihail Lukin" wrote in message
> news:CAAmm_rZHZ8m1VbYF5mVW-ZbQYvOQhW0Nmf4saOp8GsY5x9KVJQ_at_mail.gmail.com...
>
>
> I don't know why access-time is not being updated, but strace has
> shown that keytab is being read successfully by squid_kerb_auth
> process.
>
> On Thu, Oct 31, 2013 at 8:15 AM, Mihail Lukin <mihail.lukin_at_gmail.com>
> wrote:
>>
>> Hello, Markus!
>>
>> Sorry for not mentioning it at once, KRB5_KTNAME is being exported in
>> /etc/sysconfig/squid and is readable by squid group. But there is
>> still something wrong with it: keytab's access time is not changed
>> neither when I restart squid not when I request an URL through the
>> proxy.
>>
>> I think I should strace squid_kerb_auth to see what happens. Thanks
>> for the hint!
>>
>> On Thu, Oct 31, 2013 at 12:53 AM, Markus Moeller
>> <huaraz_at_moeller.plus.com> wrote:
>>>
>>> Hi Mihail,
>>>
>>> Did you use export KRB5_KTNAME to point to the right keytab ? Is the
>>> keytab readable by the user under which squid runs ?
>>>
>>> Markus
>>>
>>> "Mihail Lukin" wrote in message
>>>
>>> news:CAAmm_rZ8jNoeFMRGthiYeHQ+GgSfmySFnw8708dwdDVUW3=R_g_at_mail.gmail.com...
>>>
>>> Hello,
>>>
>>> I'm trying to configure Squid 3.1 to authenticate through AD with W2K8
>>> DC with Kerberos. I used this how-to:
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos on
>>> CentOS 6 box that I've joined to domain with `net ads join`.
>>>
>>> Now I'm getting the error in cache.log when I'm trying to visit any
>>> URL through this proxy:
>>>
>>> 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Got 'YR base64 encoded
>>> data' from squid (length: 2295).
>>> 2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Decode 'base64 encoded
>>> data' (decoded length: 1717).
>>> 2013/10/30 17:07:41| squid_kerb_auth: ERROR: gss_acquire_cred()
>>> failed: Unspecified GSS failure. Minor code may provide more
>>> information.
>>> 2013/10/30 17:07:41| authenticateNegotiateHandleReply: Error
>>> validating user via Negotiate. Error returned 'BH gss_acquire_cred()
>>> failed: Unspecified GSS failure. Minor code may provide more
>>> information. '
>>>
>>> I could not figure out what the "minor code" is... I googled a lot with
>>> no
>>> luck.
>>> Any help is very appreciated. Thanks in advance!
>>>
>>
>>
>>
>> --
>> С уважением,
>> Михаил Лукин
>
>
>
>
> --
> С уважением,
> Михаил Лукин
>
Received on Sat Nov 02 2013 - 21:15:49 MDT
This archive was generated by hypermail 2.2.0 : Sun Nov 03 2013 - 12:00:04 MST