[squid-users] Kerberos authentication problem - squid 3.4.11

Markus Moeller huaraz at moeller.plus.com
Tue Feb 10 20:46:06 UTC 2015


Hi Ludovit,

  Which Kerberos library version do you use ?    Is it possible that the 
encryption types don't match ?  I saw in your first email the following:

Your klist shows a HTTP ticket for arcfour

Server: HTTP/squid1.mdpt.local at MDPT.LOCAL
Client: HTTP/squid1.mdpt.local at MDPT.LOCAL
Ticket etype: arcfour-hmac-md5, kvno 8
Ticket length: 1090
Auth time:  Feb  9 14:55:18 2015
Start time: Feb  9 14:55:20 2015
End time:   Feb 10 00:55:18 2015
Ticket flags: enc-pa-rep, pre-authent
Addresses: addressless

but the keytab has aes128.

# ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno  Type                     Principal                          Aliases
  8  aes128-cts-hmac-sha1-96  HTTP/squid1.mdpt.local at MDPT.LOCAL

Markus

"Ludovit Koren"  wrote in message news:86d25i9plr.fsf at gmail.com...

>>>>> Markus Moeller <huaraz at moeller.plus.com> writes:

    > Hi Ludovit,
    >  I haven't seen that error before either, but when you test you sould
    > have your own user credentials in the cache.  You should use kinit
    > <user>@MDPT.LOCAL and then try again the test. is the hostname
    > correctly set to squid1.mdpt.local ? If not try

    >   /usr/local/libexec/squid/negotiate_kerberos_auth_test
    > squid1.mdpt.local | awk '{sub(/Token:/,"YR"); print $0}END{print
    > "QQ"}' | /usr/local/libexec/squid/negotiate_kerberos_auth -r -s
    > GSS_C_NO_NAME


Hello,

still no progress...


# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: xkoren at MDPT.LOCAL

  Issued                Expires               Principal
Feb 10 08:41:06 2015  Feb 10 18:41:06 2015  krbtgt/MDPT.LOCAL at MDPT.LOCAL
Feb 10 08:42:17 2015  Feb 10 18:41:06 2015 
HTTP/squid1.mdpt.local at MDPT.LOCAL

# hostname
squid1.mdpt.local

# /usr/local/libexec/squid/negotiate_kerberos_auth_test squid1.mdpt.local | 
awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | 
/usr/local/libexec/squid/otiate_kerberos_auth -r -s HTTP/squid1.mdpt.local
BH gss_accept_sec_context() failed:  Miscellaneous failure (see text). 
unknown mech-code 2529639093 for mech unknown
BH quit command

# /usr/local/libexec/squid/negotiate_kerberos_auth_test squid1.mdpt.local | 
awk '{sub(/Token:/,"YR"); print $0}END{print "}' | 
/usr/local/libexec/squid/negotiate_kerberos_auth -r -s GSS_C_NO_NAME
BH gss_accept_sec_context() failed:  Miscellaneous failure (see text). 
unknown mech-code 2529639094 for mech unknown
BH quit command

regards,

lk
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users 




More information about the squid-users mailing list