Thanks Paul, I'll surely look into that too, but given that authentication seems to work for a day or so and then stop (was working Saturday, no longer today) I highly doubt it's related. Still worth checking I'm sure.
Pedro Lobo

> On 27 Oct 2014, at 21:12, Paul Freeman <paul.free...@emlchem.com.au> wrote:
>
> Pedro,
> This sounds similar to a problem I had a couple of years ago when using
> Kerberos authentication with Squid (3.1.x) on Ubuntu (10.04 at that stage).
> (see RE: [squid-users] Re: Authentication using squid_kerb_auth with Internet
> Explorer 8 on Windows Server 2008 R2, squid-users group Nov 3 2010)
>
> What I discovered after debugging the Kerberos authentication process with
> gdb was the MIT Kerberos version distributed with that version of Ubuntu did
> not support one of the encryption types requested by the newer versions of
> Windows (7, 2008). This was a reported issue with the version of Kerberos
> used in Ubuntu. I ended up patching the Ubuntu MIT Kerberos source (a
> trivial patch) and compiling the packages manually. This corrected the
> problem.
>
> I am unsure whether this is the root cause of your issue though but thought
> it might be worth mentioning. I have not kept up with the MIT Kerberos
> packages included with Ubuntu 12.04 and 14.04 to know whether the patch is
> included in the later versions.
>
> Regards
>
> Paul
>
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Pedro Lobo
> Sent: Tuesday, 28 October 2014 7:26 AM
> To: Markus Moeller
> Cc: squid-us...@squid-cache.org
> Subject: Re: [squid-users] Kerberos Authentication Failing for Windows 7+
> with BH gss_accept_sec_context() failed
>
> Hi Markus,
>
> Yeah, I'm currently using that option and permissions are correct too.
>
> On 27 Oct 2014 19:47, Markus Moeller wrote:
>
> Hi Pedro,
>
> Did you try the -s GSS_C_NO_NAME option?
>
> Markus
>
> "Pedro Lobo" <pal...@gmail.com> wrote in message
> news:94f74226-f24b-4910-95b7-b86ace815...@gmail.com...
>
> Hey Everybody,
>
> Seems as though I celebrated too soon on Saturday. Today things are back to
> not working for Windows 7+ machines and XP/2003 machines are working just
> fine.
>
> I've also checked the permissions on the keytab file and they haven't changed
> since Saturday, so it's not that... ARGH!!!!
>
> Craving ideas and solutions right now... Pilot users are less than satisfied
> ;)
>
> Cheers,
> Pedro
>
> On 25 Oct 2014, at 14:13, Markus Moeller wrote:
>
> Hi Pedro,
>
> I wonder if the upper case in the name is a problem. Can you try
>
> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s GSS_C_NO_NAME
>
> instead of
>
> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/proxy01tst.fake.net
>
> Markus
>
> "Pedro Lobo" pal...@gmail.com wrote in message
> news:fd6832b9-3f1f-48c6-a76f-47a224f16...@gmail.com...
>
> Hi Markus,
>
> I used msktutil to create the keytab.
>
> msktutil -c -s HTTP/proxy01tst.fake.net -h proxy01tst.fake.net -k /etc/squid3/PROXY.keytab --computer-name proxy01-tst --upn HTTP/proxy01tst.fake.net --server srv01.fake.net --verbose
>
> Output of klist -ekt:
>
> 2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (arcfour-hmac)
> 2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes128-cts-hmac-sha1-96)
> 2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes256-cts-hmac-sha1-96)
> 2 10/24/2014 22:59:50 HTTP/proxy01tst.fake....@fake.net (arcfour-hmac)
> 2 10/24/2014 22:59:50 HTTP/proxy01tst.fake....@fake.net (aes128-cts-hmac-sha1-96)
> 2 10/24/2014 22:59:50 HTTP/proxy01tst.fake....@fake.net (aes256-cts-hmac-sha1-96)
> 2 10/24/2014 22:59:50 host/proxy01tst.fake....@fake.net (arcfour-hmac)
> 2 10/24/2014 22:59:50 host/proxy01tst.fake....@fake.net (aes128-cts-hmac-sha1-96)
> 2 10/24/2014 22:59:50 host/proxy01tst.fake....@fake.net (aes256-cts-hmac-sha1-96)
>
> Yep, using MIT Kerberos
>
> Thanks in advance for any help.
>
> Cheers,
> Pedro
>
> On 25 Oct 2014, at 1:26, Markus Moeller wrote:
>
> Hi Pedro,
>
> How did you create your keytab? What does klist -ekt <squid.keytab> show (I
> assume you use MIT Kerberos)?
>
> Markus
>
> "Pedro Lobo" pal...@gmail.com wrote in message
> news:40e1e0e7-50c6-4117-94aa-50b065734...@gmail.com...
>
> Hi Squid Gurus,
>
> I'm at my wit's end and in dire need of some squid expertise.
>
> We've got a production environment with a couple of squid 2.7 servers using
> NTLM and basic authentication. Recently though, we decided to upgrade and I'm
> now setting up squid 3.3 with Kerberos and NTLM Fallback. I've followed just
> about every guide I could find and in my testing environment, things were
> working great. Now that I've hooked it up to the main domain, things are awry.
>
> If I use a machine that's not part of the domain, NTLM kicks in and I can
> surf the web fine. If I use a Windows XP or Windows Server 2003 machine, Kerberos
> works just fine; however, if I use a Windows 7, 8 or 2008 Server machine, I
> keep getting a popup asking me to authenticate and even then, it's an
> endless loop until it fails. My cache.log is littered with:
>
> negotiate_kerberos_auth.cc(200): pid=1607 :2014/10/24 23:03:01| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
> 2014/10/24 23:03:01| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
>
> The odd thing is that this has worked before. Help me Obi Wan... You're my
> only hope! :)
>
> Current Setup
>
> Squid 3.3 running on Ubuntu 14.04 server. It's connected to a 2003 server
> with function level 2000 (I know, we're trying to phase out the older servers).
>
> krb5.conf
>
> [libdefaults]
> default_realm = FAKE.NET
> dns_lookup_kdc = yes
> dns_lookup_realm = yes
> ticket_lifetime = 24h
> default_keytab_name = /etc/squid3/PROXY.keytab
>
> ; for Windows 2003
> default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> [realms]
> FAKE.NET = {
> kdc = srv01.fake.net
> kdc = srv02.fake.net
> kdc = srv03.fake.net
> admin_server = srv01.fake.net
> default_domain = fake.net
> }
>
> [domain_realm]
> .fake.net = FAKE.NET
> fake.net = FAKE.NET
>
> [logging]
> kdc = FILE:/var/log/kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
> squid.conf
>
> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/proxy01tst.fake.net
> auth_param negotiate children 20 startup=0 idle=1
> auth_param negotiate keep_alive off
>
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=FAKE.NET
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
>
> Cheers,
> Pedro
>
> Regards
> Pedro Lobo
> Solutions Architect | System Engineer
>
> pedro.l...@pt.clara.net
> Tlm.: +351 939 528 827 | Tel.: +351 214 127 314
>
> Claranet Portugal
> Ed. Parque Expo
> Av. D. João II, 1.07-2.1, 4º Piso
> 1998-014 Lisboa
> www.claranet.pt
>
> Company certified to ISO 9001, ISO 20000 and ISO 27001
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
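One check that follows from the thread, as an added example (not code from the thread, from Squid or from MIT Kerberos): the quoted `klist -ekt` output shows AES keys in the keytab, while the quoted krb5.conf limits `permitted_enctypes` to rc4-hmac and DES. The script below parses both and lists keytab entries whose enctype the host's own krb5.conf will not permit; the sample inputs are constructed from the thread's SPN and config, and the alias table and the flat (section-less) parsing of krb5.conf are assumptions (family keywords such as `aes` are not expanded).

```python
import re

# MIT krb5 spells the same enctype several ways; fold the thread's variants
# to one canonical name so keytab and krb5.conf entries can be compared.
ALIASES = {"arcfour-hmac": "rc4-hmac", "arcfour-hmac-md5": "rc4-hmac",
           "aes128-cts": "aes128-cts-hmac-sha1-96",
           "aes256-cts": "aes256-cts-hmac-sha1-96"}

def canonical(name):
    n = name.strip().lower()
    return ALIASES.get(n, n)

def permitted_enctypes(conf_text):
    """permitted_enctypes from krb5.conf as canonical names, or None if unset."""
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()   # drop comments
        m = re.match(r"permitted_enctypes\s*=\s*(.+)$", line)
        if m:
            return [canonical(t) for t in m.group(1).split()]
    return None

# klist -ekt prints: KVNO  date  time  principal  (enctype)
KLIST_LINE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)")

def parse_klist(text):
    """Parse `klist -ekt` output into (principal, canonical enctype) pairs."""
    return [(m.group(1), canonical(m.group(2)))
            for m in map(KLIST_LINE.match, text.splitlines()) if m]

def unusable_keys(klist_text, conf_text):
    """Keytab entries whose enctype this host's permitted_enctypes excludes;
    a service ticket encrypted with such a key cannot be accepted locally."""
    allowed = permitted_enctypes(conf_text)
    if allowed is None:                      # no restriction configured
        return []
    return [(p, e) for p, e in parse_klist(klist_text) if e not in allowed]

# Constructed sample mirroring the thread: the SPN from the msktutil command
# and the [libdefaults] enctype restriction quoted from krb5.conf.
SAMPLE_KLIST = """\
2 10/24/2014 22:59:50 HTTP/proxy01tst.fake.net@FAKE.NET (arcfour-hmac)
2 10/24/2014 22:59:50 HTTP/proxy01tst.fake.net@FAKE.NET (aes128-cts-hmac-sha1-96)
2 10/24/2014 22:59:50 HTTP/proxy01tst.fake.net@FAKE.NET (aes256-cts-hmac-sha1-96)
"""
SAMPLE_CONF = """\
[libdefaults]
default_realm = FAKE.NET
; for Windows 2003
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
"""

if __name__ == "__main__":
    for principal, enctype in unusable_keys(SAMPLE_KLIST, SAMPLE_CONF):
        print(f"{principal}: key type {enctype} is in the keytab but not permitted")
```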