[squid-users] Kerberos authentication problem - squid 3.4.11

Ludovit Koren ludovit.koren at gmail.com
Mon Feb 9 14:19:42 UTC 2015



Hi,

I have setup kerberos according to:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

# klist 
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: HTTP/squid1.mdpt.local at MDPT.LOCAL

  Issued                Expires               Principal
Feb  9 14:55:18 2015  Feb 10 00:55:18 2015  krbtgt/MDPT.LOCAL at MDPT.LOCAL
Feb  9 14:55:20 2015  Feb 10 00:55:18 2015  HTTP/squid1.mdpt.local at MDPT.LOCAL

# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: HTTP/squid1.mdpt.local at MDPT.LOCAL
    Cache version: 4

Server: krbtgt/MDPT.LOCAL at MDPT.LOCAL
Client: HTTP/squid1.mdpt.local at MDPT.LOCAL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 3
Session key: aes128-cts-hmac-sha1-96
Ticket length: 1081
Auth time:  Feb  9 14:55:18 2015
End time:   Feb 10 00:55:18 2015
Ticket flags: enc-pa-rep, pre-authent, initial, forwardable
Addresses: addressless

Server: HTTP/squid1.mdpt.local at MDPT.LOCAL
Client: HTTP/squid1.mdpt.local at MDPT.LOCAL
Ticket etype: arcfour-hmac-md5, kvno 8
Ticket length: 1090
Auth time:  Feb  9 14:55:18 2015
Start time: Feb  9 14:55:20 2015
End time:   Feb 10 00:55:18 2015
Ticket flags: enc-pa-rep, pre-authent
Addresses: addressless



# ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno  Type                     Principal                          Aliases
  8  aes128-cts-hmac-sha1-96  HTTP/squid1.mdpt.local at MDPT.LOCAL  


When I try to test it with the following command I get the error:

# /usr/local/libexec/squid/negotiate_kerberos_auth_test squid1.mdpt.local | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/local/libexec/squid/negotiate_kerberos_auth -r -s HTTP/squid1.mdpt.local
BH gss_accept_sec_context() failed:  Miscellaneous failure (see text). unknown mech-code 2529639093 for mech unknown
BH quit command


I cannot find anything suitable for the error code. Could you, please,
point me in the right direction? Any hint appreciated.

regards,

lk


More information about the squid-users mailing list