Hi,

we want to use squid with Kerberos authentication and LDAP authorization in the 
future. We have used NTLM with winbind for a few years and it worked great, but now 
it's time for Kerberos.

We have squid-3.0.STABLE9-1.el5 running CentOS 5.4. The rpm is from this 
website: http://www.osnets.de/wordpress/squid/squid-proxy-authentifizierung/

We created a keytab using ktpass on the DC with the following command:

ktpass -princ 
http/[email protected] -mapuser 
DNT1\proxy-kerberos_kerb -crypto All -pass PASSWORD -ptype KRB5_NT_SRV_HST -out 
c:\http.keytab

The keytab file is generated without any errors and we copied it to the CentOS 
machine running squid.

The krb5.conf file looks like the one described in many postings I've read:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 # realm used when a principal name carries none
 default_realm = HEIDELBERG.BW-ONLINE.DE
 dns_lookup_realm = true
 # boolean: locate KDCs via DNS SRV records
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 HEIDELBERG.BW-ONLINE.DE = {
  kdc = dc3.heidelberg.bw-online.de:88
  admin_server = dc3.heidelberg.bw-online.de:749
  default_domain = heidelberg.bw-online.de
 }

[domain_realm]
 .heidelberg.bw-online.de = HEIDELBERG.BW-ONLINE.DE
 heidelberg.bw-online.de = HEIDELBERG.BW-ONLINE.DE


I can kinit USER, it asks for the password and I get a ticket.

I can also do a kinit -V -k -t /etc/http.keytab 
HTTP/proxy-kerberos.heidelberg.bw-online.de and I get the message 
"Authenticated to Kerberos v5".

The problem is that sometimes I get authenticated in the proxy, the client 
(WinXP, IE 7) doesn't ask for credentials, but when I then reboot the machine 
with squid, the client asks for credentials and will not get authenticated. I 
can then see the following entry in /var/log/squid/cache.log:

squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor code 
may provide more information. No such file or directory


I also get the following message in cache.log, even when the auth works, so I 
think this is not the big problem:

squid_kerb_auth: parseNegTokenInit failed with rc=102


After an undefined time, the authentication works again. I thought it worked again 
when I deleted the client from the AD and joined it again, but it was not 
reproducible.

Does anyone have an idea?


Best regards

Ralf Lutz
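The check a practitioner would want before handing a ktpass-generated keytab to squid_kerb_auth is to see exactly what the file contains on the squid host: the principal as stored (case included, since the MIT library matches keytab entries case-sensitively), the kvno, the name type and the encryption types. The following parser for the MIT keytab format (version 0x0502) is an added example written for this page, not code from the original post or from the squid project; the hostnames, realm, timestamp and key bytes in the sample keytab are constructed, and the check_keytab findings are this example's own heuristics.

```python
"""Parse an MIT-format keytab (version 0x0502) and sanity-check its entries.

Added example, not from the mailing-list post. All sample values below
(hostnames, realm, timestamp, key bytes) are constructed for the demonstration.
"""
import io
import struct
import sys

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 3: "KRB5_NT_SRV_HST"}


def _counted(buf):
    """Read a 16-bit big-endian length-prefixed octet string."""
    (n,) = struct.unpack(">H", buf.read(2))
    return buf.read(n)


def _pack(s):
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def parse_keytab(data):
    """Return one dict per live entry, in file order."""
    f = io.BytesIO(data)
    if f.read(2) != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries = []
    while True:
        hdr = f.read(4)
        if len(hdr) < 4:
            break
        (size,) = struct.unpack(">i", hdr)
        if size < 0:                       # negative size marks a deleted slot
            f.seek(-size, io.SEEK_CUR)
            continue
        if size == 0:
            break
        body = io.BytesIO(f.read(size))
        (ncomp,) = struct.unpack(">H", body.read(2))
        realm = _counted(body).decode()
        comps = [_counted(body).decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = struct.unpack(">IIB", body.read(9))
        enctype, keylen = struct.unpack(">HH", body.read(4))
        key = body.read(keylen)
        vno = vno8
        tail = body.read(4)                # optional 32-bit kvno, wins when nonzero
        if len(tail) == 4 and struct.unpack(">I", tail)[0]:
            vno = struct.unpack(">I", tail)[0]
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": vno, "enctype": enctype, "key": key})
    return entries


def build_keytab(specs, now):
    """Construct a 0x0502 keytab from (principal, kvno, enctype, key) tuples.

    Entries are written with name type KRB5_NT_SRV_HST (3), as ktpass -ptype does.
    """
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in specs:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _pack(realm)
        for c in comps:
            body += _pack(c)
        body += struct.pack(">IIB", 3, now, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def describe(entries):
    """Human-readable line per entry, like klist -kt but with the name type."""
    return [f"{e['principal']} kvno={e['kvno']} "
            f"{ENCTYPES.get(e['enctype'], e['enctype'])} "
            f"({NAME_TYPES.get(e['name_type'], e['name_type'])})" for e in entries]


def check_keytab(entries, wanted):
    """Findings (this example's heuristics) for the principal the service will look up."""
    findings = []
    if not entries:
        return ["keytab contains no entries"]
    if not any(e["principal"] == wanted for e in entries):
        folded = [e["principal"] for e in entries
                  if e["principal"].lower() == wanted.lower()]
        if folded:
            findings.append(f"no exact entry for {wanted}; keytab has {folded[0]} "
                            "(case differs; keytab lookup is case-sensitive)")
        else:
            findings.append(f"no entry for {wanted}")
    for e in entries:
        if e["enctype"] not in ENCTYPES:
            findings.append(f"{e['principal']}: unknown enctype {e['enctype']}")
        elif e["enctype"] in (1, 3):
            findings.append(f"{e['principal']}: weak single-DES enctype "
                            f"{ENCTYPES[e['enctype']]}")
    return findings


# Constructed sample: two keys for one service principal (key bytes are dummies).
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/proxy.example.com@EXAMPLE.COM", 3, 23, b"\x11" * 16),
    ("HTTP/proxy.example.com@EXAMPLE.COM", 3, 18, b"\x22" * 32),
], now=1260000000)

if __name__ == "__main__":
    # usage: python keytab_check.py [/path/to/keytab] [service principal]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    wanted = sys.argv[2] if len(sys.argv) > 2 else "HTTP/proxy.example.com@EXAMPLE.COM"
    parsed = parse_keytab(data)
    print("\n".join(describe(parsed)))
    print("\n".join(check_keytab(parsed, wanted)) or "no findings")
```

Run it against the exact file the helper will open (the path in KRB5_KTNAME, or the library default /etc/krb5.keytab when that variable is unset), as the user squid runs as, so that a missing or unreadable file shows up as an open error here rather than inside gss_acquire_cred().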
