A new problem popped up in the last couple of days in an otherwise working 
environment.

Active Directory running on 2008r2
Windows 10 client
Squid 3.5.12

# squid -v
Squid Cache: Version 3.5.12
Service Name: squid
Ubuntu linux
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' 
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man' 
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' 
'--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' 
'--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 
-fPIE -fstack-protector-strong -Wformat -Werror=format-security 
-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' 
'--disable-arch-native' '--enable-async-io=8' 
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' 
'--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' 
'--enable-follow-x-forwarded-for' 
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' 
'--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' 
'--enable-auth-ntlm=fake,smb_lm' 
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
 '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' 
'--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' 
'--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' 
'--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' 
'--with-large-files' '--with-default-user=proxy' '--enable-build-info=Ubuntu 
linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 
-fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 
'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE 
-fstack-protector-strong -Wformat -Werror=format-security'

I have a working krb5.conf and keytab file and running wbinfo (for example to 
test) works fine.

A given workstation, using IE, Firefox, Chrome (really anything) is not able to 
use Kerberos for authentication.  I believe a sample error reported in 
cache.log:

negotiate_kerberos_auth.cc(610): pid=3033 :2018/02/22 13:23:46| 
negotiate_kerberos_auth: DEBUG: Got 'YR  removed' from squid (length: 219).
negotiate_kerberos_auth.cc(663): pid=3033 :2018/02/22 13:23:46| 
negotiate_kerberos_auth: DEBUG: Decode 'removed' (decoded length: 161).
negotiate_kerberos_auth.cc(180): pid=3033 :2018/02/22 13:23:46| 
negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: An unsupported 
mechanism was requested. Unknown error

It would be helpful if the error included the client IP, so I'm going on best 
guess.  I'm not sure what additional information to provide.  Anyone with some 
thoughts on what's not working?

Joey
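
The helper's DEBUG lines above show the token Squid handed over after 'YR', and the error says the requested mechanism was unsupported. As an added example (not part of the original post and not Squid code), this Python sketch decodes such a token and reports which GSS-API mechanism OIDs it advertises, plus the decoded length to compare with the helper's "decoded length" line. The sample tokens are constructed, and the OID search over the first 128 bytes is a heuristic, not a full DER parse.

```python
import base64

# DER-encoded mechanism OIDs: tag 0x06, length, value.
SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
NTLM = bytes.fromhex("060a2b06010401823702020a")      # 1.3.6.1.4.1.311.2.2.10
MECHS = {SPNEGO: "SPNEGO", KRB5: "Kerberos 5",
         MS_KRB5: "Kerberos 5 (legacy Microsoft OID)", NTLM: "NTLMSSP"}

def classify(helper_line):
    """Return (framing, mechanisms, decoded_length) for a 'YR <base64>' line."""
    _, _, b64 = helper_line.strip().partition(" ")
    token = base64.b64decode(b64.strip(), validate=True)
    if token.startswith(b"NTLMSSP\x00"):
        # Bare NTLM message sent under the Negotiate scheme, no GSS-API framing.
        return ("raw NTLMSSP", [], len(token))
    if not token or token[0] != 0x60:
        return ("unknown", [], len(token))
    # 0x60 opens a GSS-API InitialContextToken; list known OIDs in order of
    # appearance near the start, where SPNEGO carries its mechTypes list.
    head = token[:128]
    found = sorted((head.find(oid), name) for oid, name in MECHS.items() if oid in head)
    return ("GSS-API", [name for _, name in found], len(token))

def tlv(tag, body):
    """Short-form DER TLV, used only to build the constructed samples below."""
    return bytes([tag, len(body)]) + body

def yr(token):
    return "YR " + base64.b64encode(token).decode()

# Constructed sample tokens (not captured traffic).
_ntlm1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(24)
SAMPLE_RAW_NTLM = yr(_ntlm1)
SAMPLE_NTLM_IN_SPNEGO = yr(tlv(0x60, SPNEGO + tlv(0xA0, tlv(0x30,
    tlv(0xA0, tlv(0x30, NTLM)) + tlv(0xA2, tlv(0x04, _ntlm1))))))
SAMPLE_KRB_IN_SPNEGO = yr(tlv(0x60, SPNEGO + tlv(0xA0, tlv(0x30,
    tlv(0xA0, tlv(0x30, MS_KRB5 + KRB5 + NTLM)) + tlv(0xA2, tlv(0x04, bytes(40)))))))

if __name__ == "__main__":
    for name in ("SAMPLE_RAW_NTLM", "SAMPLE_NTLM_IN_SPNEGO", "SAMPLE_KRB_IN_SPNEGO"):
        print(name, classify(globals()[name]))
```

To use it on a real entry, pass the full 'YR ...' string from the cache.log DEBUG line to classify().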
