[squid-users] Kerberos access denied and reauthentication

Grey wehategrey at gmail.com
Thu Jul 27 08:27:07 UTC 2017


Hi,
I'm trying to set up a proxy server using Squid 3.5.23 on Debian 9; I've
successfully set up Kerberos authentication generating the keytab file with
ktutil and manually setting the required SPN on my Windows domain
controller.
The problem I'm encountering is that sometimes (right now I'm the only one
using this proxy and it happens a couple times every day at random times)
while visiting random sites an authentication prompt appears asking for
credentials. Hitting Ok makes the prompt reappear and leads to a loop, while
hitting the cancel button makes the prompt go away and the page display an
error saying "Access denied. Authentication required." (white page with
black font; I'm not 100% sure that's the exact message, I'll come back and
update it as soon as it happens again); refreshing the page lets it load
normally and then everything works ok.

I'm posting the relevant configuration hoping that someone can help me or at
least point me in the right direction. Keep in mind that right now basic
authentication is disabled for testing's sake, I'll later enable it when I've
worked out where the problem with Kerberos is.

###

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -r
auth_param negotiate children 150
auth_param negotiate keep_alive off

acl whitelist dstdomain "/etc/squid/whitelist"
acl blacklist dstdomain "/etc/squid/blacklist"

acl AUTH proxy_auth REQUIRED
http_access deny !AUTH all

http_access deny !Safe_ports all
http_access deny CONNECT !SSL_ports all
http_access allow localhost manager
http_access deny manager all
http_access allow localhost all

acl destsquid dstdomain .squid1 .squid2
http_access allow destsquid all

http_access allow whitelist all
http_access deny blacklist all
acl test_account proxy_auth test_account
http_access allow test_account all
http_access deny all


