[squid-users] Trouble negotiate_kerberos_auth

Marcio Demetrio Bacci marciobacci at gmail.com
Mon Aug 29 01:58:25 UTC 2016


Hi Markus, thank you for helping me.

When I type the klist command, the result is:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: robert@CMS.ENSINO.BR
Valid starting       Expires              Service principal
28-08-2016 22:40:53  29-08-2016 08:40:53  krbtgt/CMS.ENSINO.BR@CMS.ENSINO.BR
    renew until 29-08-2016 22:40:41

But I get the following result from the command below:
/usr/lib64/squid/negotiate_kerberos_auth_test proxy.cms.ensino.br |
  awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' |
  /usr/lib64/squid/negotiate_kerberos_auth -r -s HTTP/proxy.cms.ensino.br

Result:
TT
oYGbMIGYoAMKAQGhCAYGKwYBBQIFooGGBIGDBQEwFKESBBBDTUIuRU5TSU5PLkVCLkJSfmkwZ6ADAgEFoQMCAR6iERgPMjAxNjA4MjkwMTM2MDVaowUCAwK7P6QRGA8yMDE2MDgyOTAxMzYwNVqlBQIDBhpppgMCAQepFRsTPHVuc3BlY2lmaWVkIHJlYWxtPqoLMAmgAwIBAKECMAA=
BH quit command


HTTP/proxy.cms.ensino.br is in the keytab files.

I don't have the "test_negotiate_auth.sh" file in
src/auth/negotiate/kerberos, but I have
/usr/lib64/squid/negotiate_kerberos_auth_test, thus I'm using it.

My Linux distribution is CentOS 7

Regards,

Márcio




2016-08-28 15:24 GMT-03:00 Markus Moeller <huaraz at moeller.plus.com>:

>
> Hi Marcio,
>
>   The helper needs a Kerberos token as input.  Please have a look at
> test_negotiate_auth.sh  which is in src/auth/negotiate/kerberos of the
> trunk version. The squid hostname must match the entry in your keytab and
> you must have done kinit to authenticate against a Kerberos server (e.g.
> AD) as user first.
>
> Regards
> Markus
>
>
> "Marcio Demetrio Bacci" <marciobacci at gmail.com> wrote in message news:CA+
> 0TdyqEAt4L5KO4zrJNJ1aUe64mY2Re7z95KFdqW7Y8SV_qbg at mail.gmail.com...
> I am having trouble authenticating Squid3 with Kerberos in a Samba4 domain.
> I'm using CentOS 7 and Squid 3.3.8 (yum install squid)
>
> When I type the command below in a terminal:
> /usr/lib64/squid/negotiate_kerberos_auth -d -i -s HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
> john xyz@12345
>
> I have the following error:
> negotiate_kerberos_auth.cc(315): pid=6364 :2016/08/27 10:44:33| negotiate_kerberos_auth: DEBUG: Got 'john xyz@12345' from squid (length: 14).
> negotiate_kerberos_auth.cc(362): pid=6364 :2016/08/27 10:44:33| negotiate_kerberos_auth: ERROR: Invalid request [john xyz@12345]
> BH invalid request
>
>
> Here are my configuration files:
>
> /etc/krb5.conf
> [libdefaults]
>     default_realm = CMS.ENSINO.BR
> [realms]
>     CMS.ENSINO.BR = {
>     kdc = dc1.cms.ensino.br:88
>     admin_server = dc1.cms.ensino.br
>     default_domain = CMS.ENSINO.BR
>     }
> [domain_realm]
>     .cms.ensino.br = CMS.ENSINO.BR
>     cms.ensino.br = CMS.ENSINO.BR
>
>
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 proxy-k$@CMS.ENSINO.BR
>    1 proxy-k$@CMS.ENSINO.BR
>    1 proxy-k$@CMS.ENSINO.BR
>    1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
>    1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
>    1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
>    1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
>    1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
>    1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
>    1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
>    1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
>    1 host/PROXY@CMS.ENSINO.BR
>    1 host/PROXY@CMS.ENSINO.BR
>    1 host/PROXY@CMS.ENSINO.BR
>    1 host/PROXY@CMS.ENSINO.BR
>    1 host/PROXY@CMS.ENSINO.BR
>    1 PROXY$@CMS.ENSINO.BR
>    1 PROXY$@CMS.ENSINO.BR
>    1 PROXY$@CMS.ENSINO.BR
>    1 PROXY$@CMS.ENSINO.BR
>    1 PROXY$@CMS.ENSINO.BR
>    1 proxy-k$@CMS.ENSINO.BR
>    1 proxy-k$@CMS.ENSINO.BR
>    1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
>    1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
>    1 HTTP/PROXY@CMS.ENSINO.BR
>    1 HTTP/PROXY@CMS.ENSINO.BR
>    1 HTTP/PROXY@CMS.ENSINO.BR
>    1 HTTP/PROXY@CMS.ENSINO.BR
>    1 HTTP/PROXY@CMS.ENSINO.BR
>
>
> Keytab name: FILE:/etc/squid/PROXY.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 proxy-k$@CMS.ENSINO.BR
>    1 proxy-k$@CMS.ENSINO.BR
>    1 proxy-k$@CMS.ENSINO.BR
>    1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
>    1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
>    1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
>    1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
>    1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
>    1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
>
>
> /etc/sysconfig/squid
> # default squid options
> SQUID_OPTS=""
> # Time to wait for Squid to shut down when asked. Should not be necessary
> # most of the time.
> SQUID_SHUTDOWN_TIMEOUT=100
> # default squid conf file
> SQUID_CONF="/etc/squid/squid.conf"
>
> KRB5_KTNAME=/etc/squid/PROXY.keytab
> export KRB5_KTNAME
>
>
> kinit and klist commands are OK.
>
> Best Regards,
>
> Márcio
>
>
> ------------------------------
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
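
Added example (not part of the original thread and not Squid's own code): a shell pre-flight that checks `klist -k` output for the exact HTTP service principal that Markus says must match the keytab, and names the reply codes a Negotiate helper prints. The function names, the sample keytab listing and the example.test names are constructed for illustration; it assumes plain `klist -k` output with a KVNO column followed by the principal.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed, not from Squid.

# Constructed `klist -k` listing (plain -k format: KVNO, then principal).
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/example.keytab
KVNO Principal
---- --------------------------------------------------
   1 HTTP/proxy.example.test@EXAMPLE.TEST
   1 host/proxy.example.test@EXAMPLE.TEST'

# expected_spn FQDN REALM: the service principal passed to the helper with -s.
expected_spn() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# keytab_has_spn SPN: read `klist -k` output on stdin; succeed only when an
# entry equals SPN exactly. Kerberos principals are case-sensitive, so
# HTTP/PROXY@... does not satisfy a request for HTTP/proxy.example.test@...
keytab_has_spn() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# classify_reply LINE: name the reply code a Negotiate helper writes to stdout.
classify_reply() {
    case "$1" in
        "AF "*) echo "authenticated" ;;
        "TT "*) echo "continue" ;;
        "NA "*) echo "denied" ;;
        "BH "*) echo "helper-error" ;;
        *)      echo "unknown" ;;
    esac
}

# Demo on the constructed listing. On a live proxy, pipe the real keytab in:
#   klist -k /etc/squid/PROXY.keytab | keytab_has_spn "HTTP/<fqdn>@<REALM>"
spn=$(expected_spn proxy.example.test EXAMPLE.TEST)
if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_spn "$spn"; then
    echo "keytab contains $spn"
else
    echo "keytab is missing $spn"
fi
classify_reply "TT <base64-token>"
```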