<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
Man,<br>
<br>
did you RTFM?<br>
<br>
Kerberos security has a perfect manual.<br>
<br>
<br>
14.07.2016 22:07, Sergio Belkin wrote:<br>
<span style="white-space: pre;">> Hi,<br>
><br>
> Using squid squid-3.5.19-1.el7.centos.x86_64,<br>
><br>
> I obtain a kerberos ticket but I get the following when
trying to use the proxy:<br>
><br>
> 2016/07/14 12:57:03.711 kid1| 29,4| UserRequest.cc(290)
authenticate: No Proxy-Auth header and no working alternative.
Requesting auth header.<br>
> 2016/07/14 12:57:03.712 kid1| 29,9| UserRequest.cc(487)
addReplyAuthHeader: headertype:46 authuser:NULL<br>
> 2016/07/14 12:57:03.712 kid1| 29,9| Config.cc(188) fixHeader:
Sending type:46 header: 'Negotiate'<br>
> 2016/07/14 12:57:04.159 kid1| 29,4| UserRequest.cc(290)
authenticate: No Proxy-Auth header and no working alternative.
Requesting auth header.<br>
> 2016/07/14 12:57:04.159 kid1| 29,9| UserRequest.cc(487)
addReplyAuthHeader: headertype:46 authuser:NULL<br>
> 2016/07/14 12:57:04.159 kid1| 29,9| Config.cc(188) fixHeader:
Sending type:46 header: 'Negotiate'<br>
><br>
> My squid.conf is as follows:<br>
><br>
><br>
> acl localnet src 10.0.0.0/8<br>
> acl localnet src 172.16.0.0/12<br>
> acl localnet src 192.168.0.0/16<br>
> acl localnet src fc00::/7 <br>
> acl localnet src fe80::/10 <br>
> acl SSL_ports port 443<br>
> acl Safe_ports port 80<br>
> acl Safe_ports port 21<br>
> acl Safe_ports port 443<br>
> acl Safe_ports port 70<br>
> acl Safe_ports port 210<br>
> acl Safe_ports port 1025-65535<br>
> acl Safe_ports port 280<br>
> acl Safe_ports port 488<br>
> acl Safe_ports port 591<br>
> acl Safe_ports port 777<br>
> acl CONNECT method CONNECT<br>
> acl step1 at_step SslBump1<br>
> acl step2 at_step SslBump2<br>
> acl step3 at_step SslBump3<br>
> acl nobumpSites ssl::server_name
"/etc/squid/acls/nobumpSites.txt"<br>
> http_access deny !Safe_ports<br>
> http_access deny CONNECT !SSL_ports<br>
> http_access allow localhost manager<br>
> http_access deny manager<br>
> acl social_ips src "/etc/squid/acls/social_ips"<br>
> acl social_dom dstdomain "/etc/squid/acls/social_dom"<br>
> auth_param negotiate program
/usr/lib64/squid/negotiate_kerberos_auth -d -s
<a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy.example.local@EXAMPLE.LOCAL">HTTP/proxy.example.local@EXAMPLE.LOCAL</a><br>
> auth_param negotiate children 10<br>
> auth_param negotiate keep_alive on<br>
> acl kerb_auth proxy_auth REQUIRED<br>
> ssl_bump peek step1 all <br>
> ssl_bump splice nobumpSites <br>
> ssl_bump bump <br>
> http_access allow kerb_auth<br>
> http_access deny social_ips<br>
> http_access deny social_dom<br>
> acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+<br>
> acl connect method CONNECT<br>
> http_access deny connect numeric_IPs all<br>
> http_access allow localnet<br>
> http_access allow localhost<br>
> http_access deny all<br>
> always_direct allow all<br>
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s
/var/spool/squid_ssldb -M 4MB<br>
> visible_hostname proxy.example.local<br>
> http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=6MB cert=/etc/squid/ssl_cert/myCA.pem<br>
> coredump_dir /var/spool/squid<br>
> refresh_pattern ^ftp: 1440 20% 10080<br>
> refresh_pattern ^gopher: 1440 0% 1440<br>
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
> refresh_pattern . 0 20% 4320<br>
> url_rewrite_program /usr/sbin/ufdbgclient -l
/var/ufdbguard/logs<br>
> url_rewrite_children 64<br>
> access_log daemon:/var/log/squid/access.log combined<br>
><br>
> And klist output:<br>
><br>
> klist -k /etc/squid/HTTP.keytab<br>
><br>
> Keytab name: <a class="moz-txt-link-freetext" href="FILE:/etc/squid/HTTP.keytab">FILE:/etc/squid/HTTP.keytab</a><br>
> KVNO Principal<br>
> ----
--------------------------------------------------------------------------<br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.local@EXAMPLE.LOCAL">host/proxy.example.local@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.local@EXAMPLE.LOCAL">host/proxy.example.local@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.local@EXAMPLE.LOCAL">host/proxy.example.local@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.local@EXAMPLE.LOCAL">host/proxy.example.local@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.local@EXAMPLE.LOCAL">host/proxy.example.local@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy@EXAMPLE.LOCAL">host/proxy@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy@EXAMPLE.LOCAL">host/proxy@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy@EXAMPLE.LOCAL">host/proxy@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy@EXAMPLE.LOCAL">host/proxy@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy@EXAMPLE.LOCAL">host/proxy@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:KANBAN$@EXAMPLE.LOCAL">KANBAN$@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:KANBAN$@EXAMPLE.LOCAL">KANBAN$@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:KANBAN$@EXAMPLE.LOCAL">KANBAN$@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:KANBAN$@EXAMPLE.LOCAL">KANBAN$@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:KANBAN$@EXAMPLE.LOCAL">KANBAN$@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy.example.local@EXAMPLE.LOCAL">HTTP/proxy.example.local@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy.example.local@EXAMPLE.LOCAL">HTTP/proxy.example.local@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy.example.local@EXAMPLE.LOCAL">HTTP/proxy.example.local@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy.example.local@EXAMPLE.LOCAL">HTTP/proxy.example.local@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy.example.local@EXAMPLE.LOCAL">HTTP/proxy.example.local@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy@EXAMPLE.LOCAL">HTTP/proxy@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy@EXAMPLE.LOCAL">HTTP/proxy@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy@EXAMPLE.LOCAL">HTTP/proxy@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy@EXAMPLE.LOCAL">HTTP/proxy@EXAMPLE.LOCAL</a><br>
> 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy@EXAMPLE.LOCAL">HTTP/proxy@EXAMPLE.LOCAL</a><br>
><br>
> End of output,<br>
><br>
> Please could you help me? Am I doing something wrong?<br>
><br>
> Thanks in advance!<br>
><br>
> -- <br>
> --<br>
> Sergio Belkin<br>
> LPIC-2 Certified - <a class="moz-txt-link-freetext" href="http://www.lpi.org">http://www.lpi.org</a><br>
</span><br>
<br>
<br>
</body>
</html>