[squid-users] Kerberos access denied and reauthentication

Dijxie dijxie at gmail.com
Thu Jul 27 12:54:02 UTC 2017


On 2017-07-27 10:27, Grey wrote:
> Hi,
> I'm trying to set up a proxy server using Squid 3.5.23 on Debian 9; I've
> successfully set up Kerberos authentication generating the keytab file with
> ktutil and manually setting the required SPN on my Windows domain
> controller.
> The problem I'm encountering is that sometimes (right now I'm the only one
> using this proxy and it happens a couple times every day at random times)
> while visiting random sites an authentication prompt appears asking for
> credentials. Hitting Ok makes the prompt reappear and leads to a loop, while
> hitting the cancel button makes the prompt go away and the page display an
> error saying "Access denied. Authentication required." (white page with
> black font; I'm not 100% sure that's the exact message, I'll come back and
> update it as soon as it happens again); refreshing the page lets it load
> normally and then everything works ok.
>
> I'm posting the relevant configuration hoping that someone can help me or at
> least point me in the right direction. Keep in mind that right now basic
> authentication is disabled for testing's sake, I'll later enable it when I've
> worked out where the problem with Kerberos is.
>
> ###
>
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -r
> auth_param negotiate children 150
> auth_param negotiate keep_alive off
>
> acl whitelist dstdomain "/etc/squid/whitelist"
> acl blacklist dstdomain "/etc/squid/blacklist"
>
> acl AUTH proxy_auth REQUIRED
> http_access deny !AUTH all
>
> http_access deny !Safe_ports all
> http_access deny CONNECT !SSL_ports all
> http_access allow localhost manager
> http_access deny manager all
> http_access allow localhost all
>
> acl destsquid dstdomain .squid1 .squid2
> http_access allow destsquid all
>
> http_access allow whitelist all
> http_access deny blacklist all
> acl test_account proxy_auth test_account
> http_access allow test_account all
> http_access deny all
>

Hi,

Could you please check and post a portion of cache.log? You may also
want to temporarily modify squid.conf by adding -d to this line:

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -r -d

That should put negotiate_kerberos_auth in debug mode. Be aware that the
Kerberos ticket will be added to the log, so before posting it you may want
to alter your log.
Also, squidclient output for mgr:kerberosauthenticator may be helpful,
although I'm not sure that is the right name for this module, so check
mgr:menu for the correct name.

-- 
Greets, Dijx
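
One way to scrub the tokens from cache.log before posting it, as the reply above advises. This is an added example, not part of the original message or of Squid; the 40-character threshold and the layout of the sample line are assumptions.

```python
import base64
import re
import sys

# Runs of 40+ base64 characters are treated as Negotiate tokens.
# The threshold is an assumption; lower it if short tokens slip through.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def token_kind(token: str) -> str:
    """Classify a token from its first decoded bytes, so the redacted
    log still shows what the client sent without exposing the ticket."""
    try:
        raw = base64.b64decode(token[:16])  # 16 chars -> 12 bytes
    except ValueError:
        return "unknown"
    if raw.startswith(b"NTLMSSP\x00"):  # NTLM message signature
        return "ntlm"
    if raw[:1] == b"\x60":  # ASN.1 tag that opens a GSS-API token
        return "gssapi"
    return "unknown"


def redact_line(line: str) -> str:
    """Replace every token in one log line with a non-sensitive marker."""
    def marker(match):
        tok = match.group(0)
        return f"[REDACTED {token_kind(tok)} token, {len(tok)} chars]"
    return TOKEN_RE.sub(marker, line)


def redact_log(text: str) -> str:
    """Redact a whole log, preserving line endings."""
    return "".join(redact_line(l) for l in text.splitlines(keepends=True))


# Constructed samples: zero-filled placeholders, not real tickets.
FAKE_GSS = base64.b64encode(b"\x60\x82" + bytes(60)).decode()
FAKE_NTLM = base64.b64encode(b"NTLMSSP\x00" + bytes(40)).decode()
# Constructed line; the helper's real -d output may be laid out differently.
SAMPLE = (
    "2017/07/27 12:00:00| negotiate_kerberos_auth: DEBUG: "
    f"Got 'YR {FAKE_GSS}' from squid\n"
)

if __name__ == "__main__":
    # Filter mode: reads the log on stdin, writes the redacted copy to stdout.
    sys.stdout.write(redact_log(sys.stdin.read()))
```

Saved under a name of your choice, it runs as a filter over the log (stdin to stdout). User names and host names in the log are left as they are.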


