<HTML><HEAD></HEAD>
<BODY dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial'; COLOR: #000000">
<DIV> </DIV>
<DIV>HI Marcio,</DIV>
<DIV> </DIV>
<DIV> The helper need a Kerberos token as input. Please have a look
at test_negotiate_auth.sh which is in src/auth/negotiate/kerberos of the
trunk version. The squid hostname must match the entry in your keytab and you
must have done kinit to authenticate against a Kerberos server (e.g. AD) as user
first.</DIV>
<DIV> </DIV>
<DIV>Regards</DIV>
<DIV>Markus </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV>"Marcio Demetrio Bacci" <marciobacci@gmail.com> wrote in message
news:CA+0TdyqEAt4L5KO4zrJNJ1aUe64mY2Re7z95KFdqW7Y8SV_qbg@mail.gmail.com...</DIV></DIV></DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV dir=ltr>
<DIV>
<DIV>I have trouble to authenticate Squid3 with kerberos in Samba4 domain. I'm
using CentOS 7 and Squid 3.3.8 (yum install squid)<BR><BR></DIV>
<DIV>When I type the bellow command in terminal:
<BR>/usr/lib64/squid/negotiate_kerberos_auth -d -i -s
HTTP/<A>proxy.cms.ensino.br@CMS.ENSINO.BR</A><BR>john xyz@12345<BR><BR>I have
the following error:<BR>negotiate_kerberos_auth.cc(315): pid=6364 :2016/08/27
10:44:33| negotiate_kerberos_auth: DEBUG: Got 'john xyz@12345' from squid
(length: 14).<BR>negotiate_kerberos_auth.cc(362): pid=6364 :2016/08/27 10:44:33|
negotiate_kerberos_auth: ERROR: Invalid request [john xyz@12345]<BR>BH invalid
request <BR><BR><BR>Here are my files
configuration:<BR><BR>/etc/krb5.conf<BR>[libdefaults]<BR>
default_realm = <A
href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A><BR>[realms]<BR>
<A href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A> = {<BR> kdc =
<A
href="http://dc1.cms.ensino.br:88">dc1.cms.ensino.br:88</A><BR>
admin_server = <A
href="http://dc1.cms.ensino.br">dc1.cms.ensino.br</A><BR>
default_domain = <A href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A>
<BR> }<BR>[domain_realm]<BR> .<A
href="http://cms.ensino.br">cms.ensino.br</A> = <A
href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A><BR> <A
href="http://cms.ensino.br">cms.ensino.br</A> = <A
href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A><BR><BR><BR><BR>Keytab name:
FILE:/etc/krb5.keytab<BR>KVNO Principal<BR>----
--------------------------------------------------------------------------<BR>
1 proxy-k$@<A href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A><BR> 1
proxy-k$@<A href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A><BR> 1
proxy-k$@<A href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A><BR> 1
HTTP/<A>proxy.cms.ensino.br@CMS.ENSINO.BR</A><BR> 1
HTTP/<A>proxy.cms.ensino.br@CMS.ENSINO.BR</A><BR> 1
HTTP/<A>proxy.cms.ensino.br@CMS.ENSINO.BR</A><BR> 1
host/<A>proxy.cms.ensino.br@CMS.ENSINO.BR</A><BR> 1
host/<A>proxy.cms.ensino.br@CMS.ENSINO.BR</A><BR> 1
host/<A>proxy.cms.ensino.br@CMS.ENSINO.BR</A><BR> 1
host/<A>proxy.cms.ensino.br@CMS.ENSINO.BR</A><BR> 1
host/<A>proxy.cms.ensino.br@CMS.ENSINO.BR</A><BR> 1
host/<A>PROXY@CMS.ENSINO.BR</A><BR> 1
host/<A>PROXY@CMS.ENSINO.BR</A><BR> 1
host/<A>PROXY@CMS.ENSINO.BR</A><BR> 1
host/<A>PROXY@CMS.ENSINO.BR</A><BR> 1
host/<A>PROXY@CMS.ENSINO.BR</A><BR> 1 PROXY$@<A
href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A><BR> 1 PROXY$@<A
href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A><BR> 1 PROXY$@<A
href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A><BR> 1 PROXY$@<A
href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A><BR> 1 PROXY$@<A
href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A><BR> 1 proxy-k$@<A
href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A><BR> 1 proxy-k$@<A
href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A><BR> 1
HTTP/<A>proxy.cms.ensino.br@CMS.ENSINO.BR</A><BR> 1
HTTP/<A>proxy.cms.ensino.br@CMS.ENSINO.BR</A><BR> 1
HTTP/<A>PROXY@CMS.ENSINO.BR</A><BR> 1
HTTP/<A>PROXY@CMS.ENSINO.BR</A><BR> 1
HTTP/<A>PROXY@CMS.ENSINO.BR</A><BR> 1
HTTP/<A>PROXY@CMS.ENSINO.BR</A><BR> 1
HTTP/<A>PROXY@CMS.ENSINO.BR</A><BR><BR><BR>Keytab name:
FILE:/etc/squid/PROXY.keytab<BR>KVNO Principal<BR>----
--------------------------------------------------------------------------<BR>
1 proxy-k$@<A href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A><BR> 1
proxy-k$@<A href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A><BR> 1
proxy-k$@<A href="http://CMS.ENSINO.BR">CMS.ENSINO.BR</A><BR> 1
HTTP/<A>proxy.cms.ensino.br@CMS.ENSINO.BR</A><BR> 1
HTTP/<A>proxy.cms.ensino.br@CMS.ENSINO.BR</A><BR> 1
HTTP/<A>proxy.cms.ensino.br@CMS.ENSINO.BR</A><BR> 1
host/<A>proxy.cms.ensino.br@CMS.ENSINO.BR</A><BR> 1
host/<A>proxy.cms.ensino.br@CMS.ENSINO.BR</A><BR> 1
host/<A>proxy.cms.ensino.br@CMS.ENSINO.BR</A><BR><BR><BR>/etc/sysconfig/squid<BR>#
default squid options<BR>SQUID_OPTS=""<BR># Time to wait for Squid to shut down
when asked. Should not be necessary<BR># most of the
time.<BR>SQUID_SHUTDOWN_TIMEOUT=100<BR># default squid conf
file<BR>SQUID_CONF="/etc/squid/squid.conf"<BR><BR>KRB5_KTNAME=/etc/squid/PROXY.keytab<BR>export
KRB5_KTNAME<BR><BR><BR></DIV>
<DIV>kinit and klist commands are OK.<BR></DIV>
<DIV> </DIV>Best Regards,<BR><BR></DIV>Márcio<BR>
<DIV>
<DIV>
<DIV> </DIV></DIV></DIV></DIV>
<P>
<HR>
_______________________________________________<BR>squid-users mailing
list<BR>squid-users@lists.squid-cache.org<BR>http://lists.squid-cache.org/listinfo/squid-users<BR></DIV></DIV></DIV></DIV></BODY></HTML>