<div dir="ltr"><div><div><div>Hi,<br><br></div>Using squid squid-3.5.19-1.el7.centos.x86_64,<br><br></div>I obtain a Kerberos ticket but I get the following when trying to use the proxy:<br><br>2016/07/14 12:57:03.711 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.<br>2016/07/14 12:57:03.712 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL<br>2016/07/14 12:57:03.712 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'<br>2016/07/14 12:57:04.159 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.<br>2016/07/14 12:57:04.159 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL<br>2016/07/14 12:57:04.159 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'<br><br></div>My squid.conf is as follows:<br><div><br><div><div><div><br>acl localnet src 10.0.0.0/8<br>acl localnet src 172.16.0.0/12<br>acl localnet src 192.168.0.0/16<br>acl localnet src fc00::/7       <br>acl localnet src fe80::/10      <br>acl SSL_ports port 443<br>acl Safe_ports port 80<br>acl Safe_ports port 21<br>acl Safe_ports port 443<br>acl Safe_ports port 70<br>acl Safe_ports port 210<br>acl Safe_ports port 1025-65535<br>acl Safe_ports port 280<br>acl Safe_ports port 488<br>acl Safe_ports port 591<br>acl Safe_ports port 777<br>acl CONNECT method CONNECT<br>acl step1 at_step SslBump1<br>acl step2 at_step SslBump2<br>acl step3 at_step SslBump3<br>acl nobumpSites ssl::server_name "/etc/squid/acls/nobumpSites.txt"<br>http_access deny !Safe_ports<br>http_access deny CONNECT !SSL_ports<br>http_access allow localhost manager<br>http_access deny manager<br>acl social_ips src "/etc/squid/acls/social_ips"<br>acl social_dom dstdomain "/etc/squid/acls/social_dom"<br>auth_param 
negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -s HTTP/proxy.example.local@EXAMPLE.LOCAL<br>auth_param negotiate children 10<br>auth_param negotiate keep_alive on<br>acl kerb_auth proxy_auth REQUIRED<br>ssl_bump peek step1 all         <br>ssl_bump splice  nobumpSites   <br>ssl_bump bump                  <br>http_access allow kerb_auth<br>http_access deny social_ips<br>http_access deny social_dom<br>acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+<br>acl connect method CONNECT<br>http_access deny connect numeric_IPs all<br>http_access allow localnet<br>http_access allow localhost<br>http_access deny all<br>always_direct allow all<br>sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB <br>visible_hostname proxy.example.local<br>http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=6MB cert=/etc/squid/ssl_cert/myCA.pem<br>coredump_dir /var/spool/squid<br>refresh_pattern ^ftp:           1440    20%     10080<br>refresh_pattern ^gopher:        1440    0%      1440<br>refresh_pattern -i (/cgi-bin/|\?) 0     0%      0<br>refresh_pattern .               
0       20%     4320<br>url_rewrite_program /usr/sbin/ufdbgclient -l /var/ufdbguard/logs<br>url_rewrite_children 64<br>access_log daemon:/var/log/squid/access.log combined<br><br></div><div>And klist output:<br></div><div><br>klist -k /etc/squid/HTTP.keytab <br><br>Keytab name: FILE:/etc/squid/HTTP.keytab<br>KVNO Principal<br>---- --------------------------------------------------------------------------<br>   2 host/proxy.example.local@EXAMPLE.LOCAL<br>   2 host/proxy.example.local@EXAMPLE.LOCAL<br>   2 host/proxy.example.local@EXAMPLE.LOCAL<br>   2 host/proxy.example.local@EXAMPLE.LOCAL<br>   2 host/proxy.example.local@EXAMPLE.LOCAL<br>   2 host/proxy@EXAMPLE.LOCAL<br>   2 host/proxy@EXAMPLE.LOCAL<br>   2 host/proxy@EXAMPLE.LOCAL<br>   2 host/proxy@EXAMPLE.LOCAL<br>   2 host/proxy@EXAMPLE.LOCAL<br>   2 KANBAN$@EXAMPLE.LOCAL<br>   2 KANBAN$@EXAMPLE.LOCAL<br>   2 KANBAN$@EXAMPLE.LOCAL<br>   2 KANBAN$@EXAMPLE.LOCAL<br>   2 KANBAN$@EXAMPLE.LOCAL<br>   2 HTTP/proxy.example.local@EXAMPLE.LOCAL<br>   2 HTTP/proxy.example.local@EXAMPLE.LOCAL<br>   2 HTTP/proxy.example.local@EXAMPLE.LOCAL<br>   2 HTTP/proxy.example.local@EXAMPLE.LOCAL<br>   2 HTTP/proxy.example.local@EXAMPLE.LOCAL<br>   2 HTTP/proxy@EXAMPLE.LOCAL<br>   2 HTTP/proxy@EXAMPLE.LOCAL<br>   2 HTTP/proxy@EXAMPLE.LOCAL<br>   2 HTTP/proxy@EXAMPLE.LOCAL<br>   2 HTTP/proxy@EXAMPLE.LOCAL<br><br></div><div>End of output,<br><br></div><div>Please could you help me? Am I doing something wrong?<br><br></div><div>Thanks in advance!<br></div><div><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr">--<br>Sergio Belkin<br>LPIC-2 Certified - <a href="http://www.lpi.org" target="_blank">http://www.lpi.org</a></div></div></div></div>
</div></div></div></div></div>