Hi Markus,
Thanks for your input. I ended up completely removing everything and
recreating my key tab and it works great now.
One more question for you or the list: Is it possible to do machine based
AD auth to squid?
We have a use case here where we would want to allow a machine access to a
resource but not necessarily specifically allow the users who are logged
in to it.
Thanks again,
-Scott
Scott Finlon, CISSP GCIA GCIH
-----------------------------------
Information Security Engineer
The University of Scranton
email : scott.finlon_at_scranton.edu
phone : 570-941-6168
-----------------------------------
On 8/21/14, 3:20 PM, "Markus Moeller" <huaraz_at_moeller.plus.com> wrote:
>Hi Scott,
>
> So from what see in your first log you have a user MYSUER with a
>domain/realm MYDOMAIN, but squid belongs to SUBDOMAIN.DOMAIN.COM.
>squid_kerb_ldap tries to authenticate to the domain MYDOMAIN using the
>keytab but does not find any entry for MYDOMAIN in the keytab. Then
>squid_kerb_ldap tries to find an entry in the keytab of a domain which
>trusts MYDOMAIN and fails. It seems there is no Kerberos trust between
>MYDOMAIN and SUBDOMAIN.DOMAIN.COM.
>
> The second log looks better, but the password stored in the keytab for
>SQUIDPROXY-K$ is incorrect (Preauthentication failed).
>
>
>Markus
>
>"Scott Finlon" wrote in message
>news:D01B8481.36D86%scott.finlon_at_scranton.edu...
>
>Hi All,
>
>
>I have squid_kerb_auth working and authenticating via my key tab file.
>However, when trying to lock it down to users that are in a group in AD,
>I©öm seeing a weird issue.
>I put my sanitized output here: http://pastebin.com/wGc3RC0h
>But basically if I use this "./squid_kerb_ldap -d -g proxy_allow -D
>MYDOMAIN©÷ it is able to auth to AD and eventually attempts to use a bind
>path of dc=MYDOMAIN instead of dc=MYDOMAIN,dc=DOMAIN,dc=COM, and then it
>gives a referral error.
>
>So seeing that, I tried to use my full domain as the default domain, like
>this "./squid_kerb_ldap -d -g proxy_allow -D MYDOMAIN.MYDOMAIN.COM©÷ it
>gives a Preauthentication failed error and doesn©öt even make it in to AD,
>full output here: http://pastebin.com/Gk1ci0nt
>
>That makes me think it©ös an issue with the key tab file, but it works
>appropriately with kerb auth just not kerb ldap. Any ideas?
>I am going to try and make a key tab file with ktpass instead of msktutil
>and see if that has any affect.
>Thanks,
>-Scott
>
>
>
>
>
Received on Fri Aug 22 2014 - 15:54:33 MDT
This archive was generated by hypermail 2.2.0 : Fri Aug 22 2014 - 12:00:06 MDT