BTW In the squid config just use -d and not -d 9. I have implemented only
a -i for informational messages and -d for debug messages.
Markus
"Brian Kirk" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
I have done the following:
1. created a key on the KDC with the following command:
ktpass -princ HTTP/[EMAIL PROTECTED] -pass password
-mapuser squidtest -out c:\temp\squidtest.HTTP.keytab
2. Setup the /etc/krb5.conf for our domain and realm.
3. I then copied the key to the linux box, set the permissions so it
is read only by squid, and ran the kutil command:
ktutil: rkt /opt/squid/etc/squidtest.HTTP.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: q
4. I ran the kinit command and it seemed not to error:
kinit -k -t /opt/squid/etc/squidtest.HTTP.keytab
HTTP/squidtest.hdq.xyz.com
5. Output from the klist is as follows:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/[EMAIL PROTECTED]
Valid starting Expires Service principal
07/11/08 19:08:55 07/12/08 05:08:55 krbtgt/[EMAIL PROTECTED]
renew until 07/12/08 05:08:55
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
6. I created a token with the squid_kerb_auth_test.c program and
authenticated with it:
[EMAIL PROTECTED] tmp]# /opt/squid/libexec/squid_kerb_auth -d -i -s
HTTP/squidtest.hdq.xyz.com </tmp/kir1864.token
2008/07/11 19:13:31| squid_kerb_auth: Got 'YR
YIIP1QYJKoZIhvcSAQICAQBugg/EMIIPwKADAgEFoQMCAQ6iBwMFAAAAAACjgg74YYI.............................................................................................................................................pfdL/itMByBZYZshBJQgRViHFQgCsPdrJGRE4ePTRwS25ejLg=='
from squid (length: 5415).
AF AA== [EMAIL PROTECTED]
2008/07/11 19:13:31| squid_kerb_auth: AF AA== [EMAIL PROTECTED]
2008/07/11 19:13:31| squid_kerb_auth: User [EMAIL PROTECTED]
authenticated
7. I recompiled squid_kerb_auth with the -DHAVE_SPNEGO:
gcc -o squid_kerb_auth -DHAVE_SPNEGO -D__LITTLE_ENDIAN__ -Ispnegohelp
squid_kerb_auth.c base64.c spnegohelp/derparse.c spnegohelp/spnego.c
spnegohelp/spnegohelp.c spnegohelp/spnegoparse.c -lgssapi_krb5 -lkrb5
-lcom_err
8. Added this to my squid startup script and restarted squid, note I
have the auth_param in my squid.conf also below:
/etc/init.d/squid:export
KRB5_KTNAME=FILE:/opt/squid/etc/squidtest.HTTP.keytab
/etc/squid.conf:auth_param negotiate program
/opt/squid/libexec/squid_kerb_auth -d 9
/etc/squid.conf:auth_param negotiate children 1
/etc/squid.conf:auth_param negotiate keep_alive on
9. When I authenticate with IE 6, it goes to the basic authentication,
even with the "Enable Integrated Windows Authentication" checked, I
think I found that there is no way to do proxy kerberos authentication
with IE 6, if someone know differently let me know how. With IE 7 I
do get the following in the cache.log:
2008/07/11 17:55:12| squid_kerb_auth: Got 'YR
YIIQHwYGKwYBBQUCoIIQEzCCEA+gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKK..............................................................................................................................................bfhfphT7/Qu6CVQNdsKIK5Neq/ULSjfWmDdhxag4ZFDH6/V9/EJnNoNS/BQPwIqEgyzK5+nkg'
from squid (length: 5511).
2008/07/11 17:55:12| squid_kerb_auth: gss_accept_sec_context() failed:
A token was invalid. Mechanism is incorrect
Can anyone help with this problem?
Thank you,
Brian Kirk