[squid-users] Kerberos auth not working

masterx81 gecom at tubosider.it
Fri Oct 3 15:34:29 UTC 2014


Hi to all! I've a 'little' problem....
I've followed the instructions in this guide:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
And I've successfully set up NTLM and Basic authentication. Browsers and
applications work well; most of them use NTLM...
But now I have trouble with Kerberos auth, as one Win7 client seems to use
Kerberos instead of NTLM.
I get the following error in cache.log:

2014/10/03 17:05:35| negotiate_wrapper: Got '...cut...' from squid (length:
219).
2014/10/03 17:05:35| negotiate_wrapper: Decode '...cut...' (decoded length:
161).
2014/10/03 17:05:35| negotiate_wrapper: received Kerberos token
2014/10/03 17:05:35| squid_kerb_auth: Got '...cut...' from squid (length:
219).
2014/10/03 17:05:35| squid_kerb_auth: Decode '...cut...' (decoded length:
161).
2014/10/03 17:05:35| squid_kerb_auth: gss_accept_sec_context() failed: An
unsupported mechanism was requested.
2014/10/03 17:05:35| negotiate_wrapper: Return 'BH gss_accept_sec_context()
failed: An unsupported mechanism was requested.
'
2014/10/03 17:05:35 kid1| ERROR: Negotiate Authentication validating user.
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism
was requested. '

Kerberos seems to work, as if I do:
msktutil --auto-update --verbose --computer-name serv07-K

I get:
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the
computer account
 -- generate_new_password:  Characters read from /dev/udandom = 82
 -- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR
TCP)
 -- get_dc_host: Found DC: srv-dc1.domain.local
 -- get_dc_host: Canonicalizing DC through forward/reverse lookup...
 -- get_dc_host: Found Domain Controller: srv-dc1.domain.local
 -- get_default_keytab: Obtaining the default keytab name:
/etc/squid/PROXY.keytab
 -- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-eMR9yQ
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: serv07-K$
 -- try_machine_keytab_princ: Trying to authenticate for serv07-K$ from
local keytab...
 -- switch_default_ccache: Using the local credential cache:
FILE:/tmp/.mskt_krb5_ccache-lY6luY
 -- finalize_exec: Authenticated using method 1

 -- ldap_connect: Connecting to LDAP server: srv-dc1.domain.local
try_tls=YES
 -- ldap_connect: Connecting to LDAP server: srv-dc1.domain.local try_tls=NO
SASL/GSSAPI authentication started
SASL username: serv07-K$@DOMAIN.LOCAL
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56

 -- ldap_get_base_dn: Determining default LDAP base: dc=DOMAIN,dc=LOCAL
 -- get_default_ou: Determining default OU: CN=Computers,DC=domain,DC=local
 -- ldap_get_pwdLastSet: pwdLastSet is ...cut...
 -- execute: Password last set 0 days ago.
 -- execute: Exiting because password was changed recently.
 -- ~msktutil_exec: Destroying msktutil_exec
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
 -- ~KRB5Context: Destroying Kerberos Context

and doing klist I get:
10/03/14 16:38:47  10/04/14 02:38:47  krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL
        renew until 10/10/14 16:38:47

and a klist -k of the keytab file:
  13 serv07-K$@DOMAIN.LOCAL
  13 serv07-K$@DOMAIN.LOCAL
  13 serv07-K$@DOMAIN.LOCAL
  13 host/serv07 at DOMAIN.LOCAL
  13 host/serv07 at DOMAIN.LOCAL
  13 host/serv07 at DOMAIN.LOCAL
  13 HTTP/serv07.domain.local at DOMAIN.LOCAL
  13 HTTP/serv07.domain.local at DOMAIN.LOCAL
  13 HTTP/serv07.domain.local at DOMAIN.LOCAL



So all seems to work correctly.
The Kerberos part of squid.conf is:
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TUBOSIDER --kerberos /usr/local/bin/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10 startup=0 idle=1
auth_param negotiate keep_alive on


Please help, as I've already searched everywhere for a solution and can't find
one, and I'm not such an expert on Squid!
Thanks!!!



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-auth-not-working-tp4667646.html
Sent from the Squid - Users mailing list archive at Nabble.com.
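Added example (not part of the original post or of Squid/msktutil): a small Python
script that does the two checks a proxy admin would run against the artifacts
quoted above. First it parses cache.log helper "Return" lines and separates BH
results (Squid's helper-protocol code for "the helper itself broke") from ordinary
credential rejections (NA/ERR) and successes (AF/OK). Second it parses `klist -k`
output and verifies that the keytab contains HTTP/<fqdn>@<REALM>, the service
principal a Kerberos-capable browser requests for the proxy name it was configured
with. The sample log and keytab lines are constructed to resemble the post's output
(the archive's " at " in place of "@" is handled); hostnames and realm are assumptions.

```python
"""Triage helpers for Squid Negotiate/Kerberos failures (added example)."""
import re
from collections import Counter

# Squid helper-protocol result codes. BH = "broken helper": the helper failed,
# which is different from a user presenting bad credentials (NA/ERR).
HELPER_CODES = ("OK", "ERR", "BH", "AF", "NA", "TT")

# e.g. "2014/10/03 17:05:35| negotiate_wrapper: Return 'BH gss_accept_sec_context() ...'"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\|\s*"
    r"(?P<helper>[\w.]+):\s*Return '(?P<code>[A-Z]{2,3})\s*(?P<msg>.*)$"
)

# e.g. "  13 HTTP/serv07.domain.local@DOMAIN.LOCAL" (plain `klist -k`, no -e)
KEYTAB_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<princ>\S+(?:\s+at\s+\S+)?)\s*$")


def parse_helper_returns(lines):
    """Yield (timestamp, helper, code, message) for every helper 'Return' line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("code") in HELPER_CODES:
            msg = m.group("msg").rstrip("'").strip()
            yield m.group("ts"), m.group("helper"), m.group("code"), msg


def summarize(lines):
    """Count result codes and collect BH messages; BH is the detection signal."""
    counts = Counter()
    bh_messages = []
    for _ts, helper, code, msg in parse_helper_returns(lines):
        counts[code] += 1
        if code == "BH":
            bh_messages.append((helper, msg))
    return counts, bh_messages


def keytab_principals(klist_output):
    """Map principal -> set of KVNOs from `klist -k` output.

    Accepts both 'user@REALM' and the mailing-list archive's 'user at REALM'."""
    result = {}
    for line in klist_output.splitlines():
        m = KEYTAB_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        princ = re.sub(r"\s+at\s+", "@", m.group("princ"))
        result.setdefault(princ, set()).add(int(m.group("kvno")))
    return result


def has_http_spn(principals, fqdn, realm):
    """True if the keytab holds HTTP/<fqdn>@<REALM>.

    Browsers build the SPN from the proxy name they were given, so the name
    must match exactly (a short name and an FQDN are different SPNs)."""
    return f"HTTP/{fqdn}@{realm}" in principals


# --- constructed sample input, modelled on the post's cache.log and klist -k ---
SAMPLE_LOG = [
    "2014/10/03 17:05:35| negotiate_wrapper: received Kerberos token",
    "2014/10/03 17:05:35| negotiate_wrapper: Return 'BH gss_accept_sec_context() "
    "failed: An unsupported mechanism was requested. '",
    "2014/10/03 17:06:02| negotiate_wrapper: Return 'AF oRQwEqADCgEA user@DOMAIN.LOCAL'",
    "2014/10/03 17:06:10| negotiate_wrapper: Return 'NA invalid credentials'",
]

SAMPLE_KLIST = """Keytab name: FILE:/etc/squid/PROXY.keytab
KVNO Principal
---- ----------------------------------------------------------------
  13 serv07-K$@DOMAIN.LOCAL
  13 host/serv07 at DOMAIN.LOCAL
  13 HTTP/serv07.domain.local at DOMAIN.LOCAL
"""

if __name__ == "__main__":
    counts, bh = summarize(SAMPLE_LOG)
    print("helper result counts:", dict(counts))
    for helper, msg in bh:
        print(f"BROKEN HELPER {helper}: {msg}")
    princs = keytab_principals(SAMPLE_KLIST)
    for name in ("serv07.domain.local", "serv07"):
        print(f"HTTP/{name} in keytab:", has_http_spn(princs, name, "DOMAIN.LOCAL"))
```

Run it as `python3 triage.py` against a real cache.log (feed the file's lines to
`summarize`) and the output of `klist -k /etc/squid/PROXY.keytab`. A non-zero BH
count means the helper chain is failing before any user is judged, so it is the
helper setup (keytab, SPN, GSSAPI library) rather than user credentials that needs
attention; the SPN check then confirms whether the name clients use for the proxy
has a matching HTTP/ key.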

