[squid-users] Kerberos Heimdal Server Authentication

Markus Moeller huaraz at moeller.plus.com
Fri May 11 19:00:51 UTC 2018


Can you capture the traffic on port 88? Heimdal does not have helpful messages, so seeing the real traffic may help identify the issue.

Kinit should create an AS req/rep
the test program creates a TGS req/rep

Example attached if it gets through.

Markus

"Panagiotis Bariamis" <akismpa at gmail.com> wrote in message news:CAPxN_PVp9RETXBPZG6ZX5rzNK6Hu-HLxdAagSfgXVcg=DcdGsw at mail.gmail.com...
Hello, my setup is as follows:

FreeBSD 11 Heimdal Kerberos Server and DNS properly configured (testlab environment for example.com domain)

FreeBSD 11 squid proxy server

Windows Client

I have created a keytab from the Kerberos Server for http/squid.example.com

Proxy server machine has no problem kinit-ing with the keytab file and gets a ticket

# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: http/squid.example.com at EXAMPLE.COM

  Issued                Expires               Principal
May  9 15:38:36 2018  May 10 01:38:37 2018  krbtgt/EXAMPLE.COM at EXAMPLE.COM


My squid.conf is as follows concerning the authentication :
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth
auth_param negotiate children 10 startup=1
auth_param negotiate keep_alive on


Trying to use:
# /usr/local/libexec/squid/negotiate_kerberos_auth_test squid.example.com \
  | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' \
  | /usr/local/libexec/squid/negotiate_kerberos_auth -r -s http/squid.example.com


fails with:
| negotiate_kerberos_auth_test: gss_init_sec_context() failed:  An unsupported mechanism was requested. unknown mech-code 0 for mech unknown
BH gss_accept_sec_context() failed:  A token was invalid. unknown mech-code 0 for mech unknown
BH quit command



Any ideas?


Thank you,

Bariamis Panagiotis 





-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5.pcap
Type: application/octet-stream
Size: 2865 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180511/91a08ab1/attachment.obj>
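
Added example (editor's illustration, not part of the original message and not Squid or Heimdal code): when reading a port 88 capture as suggested above, each payload can be classified by its ASN.1 application tag to see whether the AS exchange (kinit) and the TGS exchange (the test program) took place, and which error-code a KRB-ERROR carries. The function names and the sample payloads are assumptions; the payloads are constructed and abbreviated, not bytes from the attached krb5.pcap.

```python
import struct

# RFC 4120 application tag numbers used on the KDC port
KRB_TYPES = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP", 30: "KRB-ERROR"}

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at buf[off]."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def classify(payload, tcp=False):
    """Return (message name, error code or None) for one port-88 payload."""
    if tcp:                                 # over TCP each message has a 4-byte length prefix
        (n,) = struct.unpack(">I", payload[:4])
        payload = payload[4:4 + n]
    tag, start, _ = read_tlv(payload, 0)
    if tag & 0xE0 != 0x60:                  # Kerberos messages are APPLICATION, constructed
        return "not-kerberos", None
    name = KRB_TYPES.get(tag & 0x1F, "other")
    if name != "KRB-ERROR":
        return name, None
    _, pos, seq_end = read_tlv(payload, start)   # inner SEQUENCE of KRB-ERROR
    while pos < seq_end:
        t, vs, ve = read_tlv(payload, pos)
        if t == 0xA6:                       # context tag [6] holds error-code
            _, i0, i1 = read_tlv(payload, vs)
            return name, int.from_bytes(payload[i0:i1], "big", signed=True)
        pos = ve
    return name, None

# Constructed, abbreviated payloads (not bytes from the attached krb5.pcap)
AS_REQ  = bytes.fromhex("6a0c300aa103020105a20302010a")
TGS_REQ = bytes.fromhex("6c0c300aa103020105a20302010c")
# KRB-ERROR carrying error-code 7 (KDC_ERR_S_PRINCIPAL_UNKNOWN in RFC 4120)
KRB_ERR = bytes.fromhex("7e163014a003020105a10302011ea503020100a603020107")

if __name__ == "__main__":
    for p in (AS_REQ, TGS_REQ, KRB_ERR):
        print(classify(p))
```

A capture that shows AS-REQ/AS-REP but no TGS-REQ, or a KRB-ERROR in reply to the TGS-REQ, narrows the failure to the service-ticket step rather than the initial login.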

