[squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

Pedro Lobo palobo at gmail.com
Fri Oct 24 22:26:48 UTC 2014


Hi Squid Gurus,

I'm at my wit's end and in dire need of some squid expertise.

We've got a production environment with a couple of squid 2.7 servers 
using NTLM and basic authentication. Recently though, we decided to 
upgrade and I'm now setting up squid 3.3 with Kerberos and NTLM 
Fallback. I've followed just about every guide I could find and in my 
testing environment, things were working great. Now that I've hooked it 
up to the main domain, things are awry.


If I use a machine that's not part of the domain, NTLM kicks in and I 
can surf the web fine. If I use a Windows XP or Windows Server 2003 machine, 
Kerberos works just fine; however, if I use a Windows 7, 8 or 
2008 server machine, I keep getting a popup asking me to authenticate and even 
then, it's an endless loop until it fails. My cache.log is littered 
with:

    negotiate_kerberos_auth.cc(200): pid=1607 :2014/10/24 23:03:01| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information.
    2014/10/24 23:03:01| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. '

The odd thing is that this has worked before. Help me Obi Wan... You're 
my only hope! :)


**Current Setup**
Squid 3.3 running on Ubuntu 14.04 server. It's connected to a 2003 
server with functional level 2000 (I know, we're trying to phase out the 
older servers).

**krb5.conf**

    [libdefaults]
        default_realm = FAKE.NET
        dns_lookup_kdc = yes
        dns_lookup_realm = yes
        ticket_lifetime = 24h
        default_keytab_name = /etc/squid3/PROXY.keytab

        ; for Windows 2003
        default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

    [realms]
        FAKE.NET = {
            kdc = srv01.fake.net
            kdc = srv02.fake.net
            kdc = srv03.fake.net
            admin_server = srv01.fake.net
            default_domain = fake.net
        }

    [domain_realm]
        .fake.net = FAKE.NET
        fake.net = FAKE.NET

    [logging]
        kdc = FILE:/var/log/kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log


**squid.conf**

    auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/proxy01tst.fake.net
    auth_param negotiate children 20 startup=0 idle=1
    auth_param negotiate keep_alive off

    auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=FAKE.NET
    auth_param ntlm children 10
    auth_param ntlm keep_alive off


Cheers,
Pedro

Regards,
Pedro Lobo
Solutions Architect | System Engineer

pedro.lobo at pt.clara.net
Mobile: +351 939 528 827 | Tel.: +351 214 127 314

Claranet Portugal
Ed. Parque Expo
Av. D. João II, 1.07-2.1, 4º Piso
1998-014 Lisboa
www.claranet.pt
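One thing worth checking against the configuration above: gss_accept_sec_context() fails when the service ticket a client presents is encrypted with a key the helper cannot use, and the krb5.conf posted here restricts permitted_enctypes to RC4 and DES, while Windows 7 and Server 2008 R2 clients disable DES by default and prefer AES. The following script is an added diagnostic, not code from the post or from Squid: it compares permitted_enctypes with the keys in the keytab (parsed from `klist -kte` output, which is constructed sample text here) and confirms the keytab holds the principal given to negotiate_kerberos_auth with -s.

```python
"""Added diagnostic: compare krb5.conf permitted_enctypes with the keys present in
the Squid keytab and check that the -s service principal is in it.
The krb5.conf lines come from the post; the klist -kte output is a constructed sample."""
import re

# krb5.conf fragment from the post (only the lines this check needs)
KRB5_CONF = """[libdefaults]
    default_realm = FAKE.NET
    default_keytab_name = /etc/squid3/PROXY.keytab
    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
"""

# Constructed sample of `klist -kte /etc/squid3/PROXY.keytab` output (MIT layout)
KLIST_KTE = """Keytab name: FILE:/etc/squid3/PROXY.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 10/20/14 10:00:00 HTTP/proxy01tst.fake.net@FAKE.NET (arcfour-hmac)
   3 10/20/14 10:00:00 HTTP/proxy01tst.fake.net@FAKE.NET (des-cbc-md5)
   3 10/20/14 10:00:00 HTTP/proxy01tst.fake.net@FAKE.NET (aes256-cts-hmac-sha1-96)
"""

# klist and krb5.conf spell the same enctype differently; normalise the common aliases
ALIASES = {"arcfour-hmac": "rc4-hmac", "arcfour-hmac-md5": "rc4-hmac",
           "rc4-hmac-md5": "rc4-hmac", "aes256-cts": "aes256-cts-hmac-sha1-96",
           "aes128-cts": "aes128-cts-hmac-sha1-96"}

def norm(enctype):
    return ALIASES.get(enctype.lower(), enctype.lower())

def permitted_enctypes(conf):
    """Normalised set from permitted_enctypes; empty set means the key is unset (all allowed)."""
    m = re.search(r"^\s*permitted_enctypes\s*=\s*(.+)$", conf, re.M)
    return {norm(e) for e in m.group(1).split()} if m else set()

def keytab_entries(klist_out):
    """Parse `klist -kte` rows into (principal, enctype) pairs, skipping the header."""
    pat = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")
    return [(m.group(1), norm(m.group(2))) for m in map(pat.match, klist_out.splitlines()) if m]

def check(conf, klist_out, service_principal):
    """Report keytab keys the helper can never use and whether the -s principal is present."""
    allowed = permitted_enctypes(conf)
    entries = keytab_entries(klist_out)
    unusable = sorted({e for _, e in entries if allowed and e not in allowed})
    principals = {p.split("@")[0] for p, _ in entries}
    return {"principal_found": service_principal in principals,
            "unusable_enctypes": unusable,
            "usable_enctypes": sorted({e for _, e in entries} - set(unusable))}

if __name__ == "__main__":
    print(check(KRB5_CONF, KLIST_KTE, "HTTP/proxy01tst.fake.net"))
```

With the sample above the AES key is reported as unusable because permitted_enctypes excludes it; a client whose ticket is AES-encrypted would then trip exactly this helper error.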