<div dir="ltr"><div>Windows 7 inside the domain? <br><br></div>Anyway, you should configure a basic auth scheme as a second fallback.<br><br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 24, 2014 at 9:26 PM, Markus Moeller <span dir="ltr"><<a href="mailto:huaraz@moeller.plus.com" target="_blank">huaraz@moeller.plus.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div dir="ltr">
<div style="FONT-SIZE:12pt;FONT-FAMILY:'Calibri';COLOR:#000000">
<div>Hi Pedro,</div>
<div> </div>
<div>How did you create your keytab ? What does klist –ekt
<squid.keytab> show ( I assume you use MIT Kerberos) ? </div>
<div> </div>
<div>Markus</div>
<div> </div>
<div style="BORDER-TOP-COLOR:#000000;BORDER-BOTTOM-COLOR:#000000;PADDING-LEFT:5px;MARGIN-LEFT:5px;BORDER-LEFT:#000000 4px solid;BORDER-RIGHT-COLOR:#000000">
<div style="FONT-SIZE:small;FONT-FAMILY:'Calibri';FONT-WEIGHT:normal;COLOR:#000000;FONT-STYLE:normal;TEXT-DECORATION:none;DISPLAY:inline">
<div>"Pedro Lobo" <<a href="mailto:palobo@gmail.com" target="_blank">palobo@gmail.com</a>> wrote in message
news:40E1E0E7-50C6-4117-94AA-50B06573430A@gmail.com...</div></div></div>
<div style="BORDER-TOP-COLOR:#000000;BORDER-BOTTOM-COLOR:#000000;PADDING-LEFT:5px;MARGIN-LEFT:5px;BORDER-LEFT:#000000 4px solid;BORDER-RIGHT-COLOR:#000000">
<div style="FONT-SIZE:small;FONT-FAMILY:'Calibri';FONT-WEIGHT:normal;COLOR:#000000;FONT-STYLE:normal;TEXT-DECORATION:none;DISPLAY:inline"><div><div class="h5">
<div>
<p>Hi Squid Gurus,</p>
<p>I'm at my wit's end and in dire need of some squid expertise.</p>
<p>We've got a production environment with a couple of squid 2.7 servers using
NTLM and basic authentication. Recently though, we decided to upgrade and I'm
now setting up squid 3.3 with Kerberos and NTLM Fallback. I've followed just
about every guide I could find and in my testing environment, things were
working great. Now that I've hooked it up to the main domain, things are
awry.</p>
<p>If I use a machine that's not part of the domain, NTLM kicks in and I can
surf the web fine. If I use a Windows XP or Windows Server 2003, kerberos works
just fine, however, if I use a machine Windows 7, 8 or 2008 server, I keep
getting a popup asking me to authenticate and even then, it's and endless loop
until it fails. My cache.log is littered with:</p><pre><code>negotiate_kerberos_auth.cc(200): pid=1607 :2014/10/24 23:03:01| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
2014/10/24 23:03:01| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
</code></pre>
<p>The odd thing, is that this has worked before. Help me Obi Wan... You're my
only hope! :)</p>
<p><strong>Current Setup</strong><br>Squid 3.3 running on Ubuntu 14.04 server.
It's connected to a 2003 server with function level 2000 (I know, we're trying
to fase out the older servers).</p>
<p><strong>krb5.conf</strong></p><pre><code> [libdefaults]
default_realm = <a href="http://FAKE.NET" target="_blank">FAKE.NET</a>
dns_lookup_kdc = yes
dns_lookup_realm = yes
ticket_lifetime = 24h
default_keytab_name = /etc/squid3/PROXY.keytab
; for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
<a href="http://FAKE.NET" target="_blank">FAKE.NET</a> = {
kdc = <a href="http://srv01.fake.net" target="_blank">srv01.fake.net</a>
kdc = <a href="http://srv02.fake.net" target="_blank">srv02.fake.net</a>
kdc = <a href="http://srv03.fake.net" target="_blank">srv03.fake.net</a>
admin_server = <a href="http://srv01.fake.net" target="_blank">srv01.fake.net</a>
default_domain = <a href="http://fake.net" target="_blank">fake.net</a>
}
[domain_realm]
.<a href="http://fake.net" target="_blank">fake.net</a> = <a href="http://FAKE.NET" target="_blank">FAKE.NET</a>
<a href="http://fake.net" target="_blank">fake.net</a> = <a href="http://FAKE.NET" target="_blank">FAKE.NET</a>
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
</code></pre>
<p><strong>squid.conf</strong></p><pre><code>auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/<a href="http://proxy01tst.fake.net" target="_blank">proxy01tst.fake.net</a>
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=<a href="http://FAKE.NET" target="_blank">FAKE.NET</a>
auth_param ntlm children 10
auth_param ntlm keep_alive off
</code></pre>
<p>Cheers,<br>Pedro</p></div>
<p>Cumprimentos <br>Pedro Lobo <br><b>Solutions Architect | System Engineer</b>
</p>
<p><a href="mailto:pedro.lobo@pt.clara.net" target="_blank">pedro.lobo@pt.clara.net</a>
<br>Tlm.: <a href="tel:%2B351%20939%20528%20827" value="+351939528827" target="_blank">+351 939 528 827</a> | Tel.: <a href="tel:%2B351%20214%20127%20314" value="+351214127314" target="_blank">+351 214 127 314</a> </p>
<p>Claranet Portugal <br>Ed. Parque Expo <br>Av. D. João II, 1.07-2.1, 4º Piso
<br>1998-014 Lisboa <br><a title="http://www.claranet.pt/" href="http://www.claranet.pt/" target="_blank">www.claranet.pt </a></p>
<table style="COLOR:#000000" border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="PADDING-BOTTOM:4px" valign="bottom"><a href="http://www.claranet.pt/" target="_blank"><img alt="http://www.claranet.co.uk/sites/claranet.co.uk/files/u3/claranet_logo.png" src="http://www.claranet.co.uk/sites/claranet.co.uk/files/u3/claranet_logo.png" border="0" height="26" width="126"> </a></td>
<td style="PADDING-BOTTOM:4px" valign="bottom"><a href="http://www.linkedin.com/groups?home=&gid=3746436" target="_blank"><img alt="http://www.claranet.co.uk/sites/claranet.co.uk/files/u3/email-linkedin-icon.png" src="http://www.claranet.co.uk/sites/claranet.co.uk/files/u3/email-linkedin-icon.png" border="0" height="17" width="30"> </a></td>
<td style="PADDING-BOTTOM:4px" valign="bottom"><a href="https://twitter.com/Claranet_PT" target="_blank"><img alt="http://www.claranet.co.uk/sites/claranet.co.uk/files/u3/email-twitter-icon.png" src="http://www.claranet.co.uk/sites/claranet.co.uk/files/u3/email-twitter-icon.png" border="0" height="17" width="26"> </a></td>
<td style="PADDING-BOTTOM:4px" valign="bottom"><a href="http://www.youtube.com/user/ClaranetPT" target="_blank"><img alt="http://www.claranet.co.uk/sites/claranet.co.uk/files/u3/email-youtube-icon.png" src="http://www.claranet.co.uk/sites/claranet.co.uk/files/u3/email-youtube-icon.png" border="0" height="17" width="26"> </a></td></tr></tbody></table>
<p><span style="FONT-SIZE:10pt;FONT-FAMILY:arial,sans-serif;COLOR:#1f497d"><a href="http://www.claranet.pt/sites/claranet.pt/files/u6/magic_quadrant_for_cloudenab_260243.pdf" target="_blank"><img alt="GARTNER BANNER" src="http://lobo.li/N7Q8+" border="0" height="41" width="324"> </a></span></p>
<p><span style="COLOR:#909090">Empresa certificada ISO 9001, ISO 20000 e ISO
27001 <u></u><u></u></span></p>
<p><u></u><u></u></p>
<div></div>
<div></div>
</div></div><p>
</p><hr>
_______________________________________________<br>squid-users mailing
list<br><a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br><a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br><p></p></div></div></div></div></div>
<br>_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br></blockquote></div><br></div>