Re: [squid-users] Re: squid with kerberos authentication

2011-07-20 Thread Markus Moeller
ver Proxy -> proxyservername Port 8080

On KerbTray List there is the following Ticket:

HTTP:/proxyservername
Client name : usern...@xx.yy.zz.net
Servicename : HTTP:/proxyservern...@xx.yy.zz.net
Target name : HTTP:/proxyservern...@xx.yy.zz.net
Checked Flags are: Forwardable, Renewable, Preauthenticated




-Original message-
From: Markus Moeller [mailto:hua...@moeller.plus.com]
Sent: Tuesday, 19 July 2011 23:15
To: squid-users@squid-cache.org
Subject: [squid-users] Re: squid with kerberos authentication

What does the cache.log file say if you add -d to

auth_param negotiate program /usr/lib/squid/squid_kerb_auth

i.e.
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d

How did you configure IE ?

Can you see a ticket for HTTP/ in kerbtray
(http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23018)?

Regards
Markus


"Franco, Battista"  wrote in message
news:0b0bf3f65f960a4b8be340e64290f4cd0696d...@a00exgec23.za.if.atcsg.net...
Hello

On CentOS 6 I want to use Squid (version 3.1.4) with Kerberos
authentication so that only AD Windows 2003 authenticated users can surf.
Well, I performed the steps (explained at the link
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos)

but when users tried to surf, IE required a user and password and
didn't surf.
Why?
Can you help me?

 MORE INFO 

I did the following steps:

Install  and configure samba
modify krb5.conf
net ads join -U DOMAIN\administrator
kinit administrator@DOMAIN
export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
net ads keytab CREATE -U DOMAIN\administrator
net ads keytab ADD HTTP -U DOMAIN\administrator
unset KRB5_KTNAME
chgrp squid /etc/squid/HTTP.keytab
chmod g+r /etc/squid/HTTP.keytab
modify squid startup file with :
   KRB5_KTNAME=/etc/squid/HTTP.keytab
   export KRB5_KTNAME



below squid.conf file:


auth_param negotiate program /usr/lib/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
...
http_access deny !auth
http_access allow auth
http_access deny all



With command :
/usr/lib/squid/squid_kerb_auth_test proxyserver
The token was displayed.








[squid-users] R: [squid-users] Re: squid with kerberos authentication

2011-07-20 Thread Franco, Battista
Hello

The cache.log file is below:

2011/07/20 09:49:08| Starting Squid Cache version 3.1.4 for i686-pc-linux-gnu...
2011/07/20 09:49:08| Process ID 6027
2011/07/20 09:49:08| With 1024 file descriptors available
2011/07/20 09:49:08| Initializing IP Cache...
2011/07/20 09:49:08| DNS Socket created at [::], FD 7
2011/07/20 09:49:08| Adding domain xx.yy.zz.net from /etc/resolv.conf
2011/07/20 09:49:08| Adding nameserver 10.239.56.3 from /etc/resolv.conf
2011/07/20 09:49:08| helperOpenServers: Starting 10/10 'squid_kerb_auth' processes
2011/07/20 09:49:08| squid_kerb_auth: INFO: Starting version 1.0.5
2011/07/20 09:49:08| squid_kerb_auth: INFO: Starting version 1.0.5
2011/07/20 09:49:08| squid_kerb_auth: INFO: Starting version 1.0.5
2011/07/20 09:49:08| squid_kerb_auth: INFO: Starting version 1.0.5
2011/07/20 09:49:09| User-Agent logging is disabled.
2011/07/20 09:49:09| Referer logging is disabled.
2011/07/20 09:49:09| squid_kerb_auth: INFO: Starting version 1.0.5
2011/07/20 09:49:09| squid_kerb_auth: INFO: Starting version 1.0.5
2011/07/20 09:49:09| squid_kerb_auth: INFO: Starting version 1.0.5
2011/07/20 09:49:09| squid_kerb_auth: INFO: Starting version 1.0.5
2011/07/20 09:49:09| squid_kerb_auth: INFO: Starting version 1.0.5
2011/07/20 09:49:09| squid_kerb_auth: INFO: Starting version 1.0.5
2011/07/20 09:49:09| Unlinkd pipe opened on FD 32
2011/07/20 09:49:09| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2011/07/20 09:49:09| Store logging disabled
2011/07/20 09:49:09| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2011/07/20 09:49:09| Target number of buckets: 1008
2011/07/20 09:49:09| Using 8192 Store buckets
2011/07/20 09:49:09| Max Mem  size: 262144 KB
2011/07/20 09:49:09| Max Swap size: 0 KB
2011/07/20 09:49:09| Using Least Load store dir selection
2011/07/20 09:49:09| Set Current Directory to /var/spool/squid
2011/07/20 09:49:09| Loaded Icons.
2011/07/20 09:49:09| Accepting  HTTP connections at [::]:8080, FD 33.
2011/07/20 09:49:09| Accepting  HTTP connections at [::]:8084, FD 34.
2011/07/20 09:49:09| HTCP Disabled.
2011/07/20 09:49:09| Squid modules loaded: 0
2011/07/20 09:49:09| Adaptation support is off.
2011/07/20 09:49:09| Ready to serve requests.
2011/07/20 09:49:09| Configuring Parent parent.xx.yy.zz.net/8084/0
2011/07/20 09:49:09| Configuring Parent parent1.xx.yy.zz.net/8080/0
2011/07/20 09:49:10| storeLateRelease: released 0 objects
2011/07/20 09:50:33| squid_kerb_auth: DEBUG: Got 'YR YIII4QYGKwYBBQUCoIII1TCCCNGgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCCKcEggijYIIInwYJKoZIhvcSAQIC
2011/07/20 09:50:33| squid_kerb_auth: DEBUG: Decode 'YIII4QYGKwYBBQUCoIII1TCCCNGgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCCKcEggijYIIInwYJKoZIhvcSAQI
2011/07/20 09:50:35| squid_kerb_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. Key table entry not found
2011/07/20 09:50:35| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. Key table entry not found'


IE 8 was configured with:
"Enable Integrated Windows Authentication" checked
Connection | Lan Setting | Server Proxy -> proxyservername Port 8080

On KerbTray List there is the following Ticket:

HTTP:/proxyservername
Client name : usern...@xx.yy.zz.net
Servicename : HTTP:/proxyservern...@xx.yy.zz.net
Target name : HTTP:/proxyservern...@xx.yy.zz.net
Checked Flags are: Forwardable, Renewable, Preauthenticated




-Original message-
From: Markus Moeller [mailto:hua...@moeller.plus.com]
Sent: Tuesday, 19 July 2011 23:15
To: squid-users@squid-cache.org
Subject: [squid-users] Re: squid with kerberos authentication

What does the cache.log file say if you add -d to

auth_param negotiate program /usr/lib/squid/squid_kerb_auth

i.e.
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d

How did you configure IE ?

Can you see a ticket for HTTP/ in kerbtray 
(http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23018)?

Regards
Markus


"Franco, Battista"  wrote in message 
news:0b0bf3f65f960a4b8be340e64290f4cd0696d...@a00exgec23.za.if.atcsg.net...
Hello

On CentOS 6 I want to use Squid (version 3.1.4) with Kerberos
authentication so that only AD Windows 2003 authenticated users can surf.
Well, I performed the steps (explained at the link
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos)

but when users tried to surf, IE required a user and password and
didn't surf.
Why?
Can you help me?

 MORE INFO 

I did the following steps:

Install  and configure samba
modify krb5.conf
net ads join -U DOMAIN\administrator
kinit administrator@DOMAIN
export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
net ads keytab CREATE -U DOMAIN\administrator
net ads keytab ADD HTTP -U DOMAIN\administrator
unset
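
The "Key table entry not found" error in the cache.log above means the helper found no keytab entry for the service name it tried to acquire. As an added example (not part of the thread, and not Squid or Samba code), this Python sketch parses the MIT keytab file format (version 0x0502), lists the principals it holds without exposing key bytes, and checks for a wanted HTTP/ name. The host name, realm and key bytes in the sample are constructed, and `build_entry`, `list_principals` and `check_spn` are names chosen for this example.

```python
import struct

def _counted(b):
    return struct.pack(">H", len(b)) + b
def build_entry(realm, comps, kvno, enctype, key):
    """Serialize one keytab entry (only used to make the constructed sample)."""
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno)      # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + _counted(key)
    return struct.pack(">i", len(body)) + body

def list_principals(data):
    """Return [(principal, kvno, enctype)] from keytab bytes; keys are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                            # hole left by a deleted entry
            pos += -size
            continue
        end, p, fields = pos + size, pos + 2, []
        (ncomp,) = struct.unpack_from(">H", data, pos)
        for _ in range(ncomp + 1):               # realm first, then name components
            (n,) = struct.unpack_from(">H", data, p)
            fields.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        kvno, enctype, keylen = struct.unpack_from(">BHH", data, p + 8)
        p += 8 + 5 + keylen                      # name type, timestamp, kvno, key
        if end - p >= 4:                         # optional 32-bit kvno wins if non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append(("/".join(fields[1:]) + "@" + fields[0], kvno, enctype))
        pos = end
    return out

def check_spn(data, wanted):
    """Is `wanted` in the keytab? Also list entries for the same service."""
    names = [name for name, _, _ in list_principals(data)]
    service = wanted.split("/", 1)[0]
    same = sorted({n for n in names if n.split("/", 1)[0] == service})
    return {"found": wanted in names, "same_service": same}
# Constructed sample: host name, realm and key bytes are made up.
SAMPLE = b"\x05\x02" + build_entry("EXAMPLE.TEST", ["host", "proxy.example.test"], 3, 23, bytes(16)) \
    + build_entry("EXAMPLE.TEST", ["HTTP", "proxy.example.test"], 3, 23, bytes(16))

print(check_spn(SAMPLE, "HTTP/proxy@EXAMPLE.TEST"))
```

To use it on the proxy, pass the bytes of /etc/squid/HTTP.keytab read as the squid user, which also confirms that the chgrp/chmod steps made the file readable to the helper.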

[squid-users] Re: squid with kerberos authentication

2011-07-19 Thread Markus Moeller

What does the cache.log file say if you add -d to

auth_param negotiate program /usr/lib/squid/squid_kerb_auth

i.e.
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d

How did you configure IE ?

Can you see a ticket for HTTP/ in kerbtray 
(http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23018)?


Regards
Markus


"Franco, Battista"  wrote in message 
news:0b0bf3f65f960a4b8be340e64290f4cd0696d...@a00exgec23.za.if.atcsg.net...

Hello

On CentOS 6 I want to use Squid (version 3.1.4) with Kerberos
authentication so that only AD Windows 2003 authenticated users can surf.
Well, I performed the steps (explained at the link
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos)

but when users tried to surf, IE required a user and password and
didn't surf.
Why?
Can you help me?

 MORE INFO 

I did the following steps:

Install  and configure samba
modify krb5.conf
net ads join -U DOMAIN\administrator
kinit administrator@DOMAIN
export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
net ads keytab CREATE -U DOMAIN\administrator
net ads keytab ADD HTTP -U DOMAIN\administrator
unset KRB5_KTNAME
chgrp squid /etc/squid/HTTP.keytab
chmod g+r /etc/squid/HTTP.keytab
modify squid startup file with :
   KRB5_KTNAME=/etc/squid/HTTP.keytab
   export KRB5_KTNAME



below squid.conf file:


auth_param negotiate program /usr/lib/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
...
http_access deny !auth
http_access allow auth
http_access deny all



With command :
/usr/lib/squid/squid_kerb_auth_test proxyserver
The token was displayed.