Hi Tom,

I've read about the importance of synchronous times, but we're using ntp and all machines have the same time.
Kind Regards,
Ralf

-----Original Message-----
From: Tom Tux [mailto:[email protected]]
Sent: Wednesday, 3 February 2010 13:34
To: Lutz, Ralf
Subject: Re: [squid-users] Problem with kerberos against AD

Hi

Is it possible that you had a time difference between your centos-box and the domain-controller? I know that a domain-joined client doesn't feel happy (and could not be authenticated on the domain) if the time drift between the kerberos client and the domain controller is bigger than 5 minutes.

Regards,
Tom

2010/2/3 <[email protected]>:
> Hi,
>
> we want to use squid with kerberos authentication and ldap authorization in
> the future. We have used ntlm with winbind for a few years and it worked great,
> but now it's time for kerberos.
>
> We have squid-3.0.STABLE9-1.el5 running on CentOS 5.4. The rpm is from this
> website: http://www.osnets.de/wordpress/squid/squid-proxy-authentifizierung/
>
> We created a keytab using ktpass on the DC with the following command:
>
> ktpass -princ http/[email protected] -mapuser DNT1\proxy-kerberos_kerb -crypto All -pass PASSWORD -ptype KRB5_NT_SRV_HST -out c:\http.keytab
>
> The keytab file is generated without any errors and we copied it to the
> centos box running squid.
>
> The krb5.conf file looks like described in many postings I've read:
>
> [logging]
> Default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> deafult_realm = HEIDELBERG.BW-ONLINE.DE
> dns_lookup_realm = true
> dns_lookup_kdc = 24h
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> HEIDELBERG.BW-ONLINE.DE = {
> kdc = dc3.heidelberg.bw-online.de:88
> admin_server = dc3.heidelberg.bw-online.de:749
> default_domain = heidelberg.bw-online.de
> }
>
> [domain_realm]
> .heidelberg.bw-online.de = HEIDELBERG.BW-ONLINE.DE
> heidelberg.bw-online.de = HEIDELBERG.BW-ONLINE.DE
>
> I can kinit USER, it asks for the password and I get a ticket.
>
> I can also do a kinit -V -k -t /etc/http.keytab HTTP/proxy-kerberos.heidelberg.bw-online.de
> and I get the message "Authenticated to Kerberos v5".
>
> The problem is that sometimes I get authenticated in the proxy, the client
> (WinXP, IE 7) doesn't ask for credentials, but when I then reboot the machine
> with squid, the client asks for credentials and will not get authenticated. I
> can then see the following entry in /var/log/squid/cache.log:
>
> squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor
> code may provide more information. No such file or directory
>
> I also get the following message in cache.log, even when the auth works, so
> I think this is not the big problem:
>
> squid_kerb_auth: parseNegTokenInit failed with rc=102
>
> After an undefined time, the authentication works again. I thought it works
> again when I delete the client from the AD and join it again, but it was not
> reproducible.
>
> Has anyone an idea?
>
> Best regards
>
> Ralf Lutz
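Three things in this thread can be checked offline before touching the domain controller: Tom's 5-minute clock-skew point, the krb5.conf as posted (which contains a misspelled `default_realm` key and a non-boolean `dns_lookup_kdc` value), and the keytab that `squid_kerb_auth` actually opens (the minor status "No such file or directory" from `gss_acquire_cred()` commonly means the keytab named by `KRB5_KTNAME`, or `/etc/krb5.keytab` by default, is missing or not readable by the helper's user, which differs from the root shell where `kinit -k -t /etc/http.keytab` succeeded). The script below is an added example and not code from the thread, Squid or MIT Kerberos; it embeds a constructed copy of the posted krb5.conf, and the keytab path, uid handling and timestamps are assumptions made for the example.

```python
# Added example (not code from the squid-users thread, Squid or MIT Kerberos):
# an offline sanity check for the krb5.conf contents, the keytab the helper can
# open, and clock skew between proxy and domain controller.
import os
import re
import stat
from datetime import datetime

# Constructed copy of the krb5.conf exactly as posted in the thread.
SAMPLE_KRB5_CONF = """
[logging]
Default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
deafult_realm = HEIDELBERG.BW-ONLINE.DE
dns_lookup_realm = true
dns_lookup_kdc = 24h
ticket_lifetime = 24h
forwardable = yes

[realms]
HEIDELBERG.BW-ONLINE.DE = {
kdc = dc3.heidelberg.bw-online.de:88
admin_server = dc3.heidelberg.bw-online.de:749
default_domain = heidelberg.bw-online.de
}

[domain_realm]
.heidelberg.bw-online.de = HEIDELBERG.BW-ONLINE.DE
heidelberg.bw-online.de = HEIDELBERG.BW-ONLINE.DE
"""

# Subset of the [libdefaults] keys MIT Kerberos documents (assumption: extend as needed).
KNOWN_LIBDEFAULTS = {
    "default_realm", "dns_lookup_realm", "dns_lookup_kdc", "ticket_lifetime",
    "renew_lifetime", "forwardable", "default_keytab_name", "clockskew", "rdns",
}
BOOLEAN_KEYS = {"dns_lookup_realm", "dns_lookup_kdc", "forwardable", "rdns"}
BOOLEAN_VALUES = {"true", "false", "yes", "no", "on", "off", "1", "0"}
MAX_SKEW_SECONDS = 300  # the 5-minute tolerance Kerberos (and AD) apply by default


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into {section: {key: value}}.
    Nested 'NAME = { ... }' blocks are flattened to 'NAME/key'."""
    sections, section, prefix = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1)
            sections.setdefault(section, {})
            prefix = []
            continue
        if line == "}":
            prefix.pop()
            continue
        kv = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not kv or section is None:
            continue
        key, value = kv.group(1), kv.group(2).strip()
        if value == "{":
            prefix.append(key)
            continue
        sections[section]["/".join(prefix + [key])] = value
    return sections


def lint_krb5_conf(text):
    """Return a list of human-readable findings for the given config text."""
    conf = parse_krb5_conf(text)
    findings = []
    libdefaults = conf.get("libdefaults", {})
    for key, value in libdefaults.items():
        if key not in KNOWN_LIBDEFAULTS:
            findings.append(f"[libdefaults] unknown key '{key}' (misspelling?)")
        elif key in BOOLEAN_KEYS and value.lower() not in BOOLEAN_VALUES:
            findings.append(f"[libdefaults] {key} = '{value}' is not a boolean")
    if "default_realm" not in libdefaults:
        findings.append("[libdefaults] default_realm is not set")
    # Every realm block must name at least one kdc.
    realms = conf.get("realms", {})
    for realm in {k.split("/", 1)[0] for k in realms}:
        if f"{realm}/kdc" not in realms:
            findings.append(f"[realms] {realm} has no kdc entry")
    return findings


def check_keytab(path, uid=None):
    """Explain why gss_acquire_cred() could report 'No such file or directory':
    the keytab the helper opens must exist and be readable by the helper's uid.
    Returns None when it looks fine, otherwise a short description."""
    uid = os.getuid() if uid is None else uid
    if not os.path.exists(path):
        return f"keytab {path} does not exist"
    st = os.stat(path)
    readable_by_owner = st.st_uid == uid and st.st_mode & stat.S_IRUSR
    # Simplification: group membership is not resolved, only the 'other' read bit.
    if not (readable_by_owner or st.st_mode & stat.S_IROTH):
        return f"keytab {path} is not readable by uid {uid}"
    return None


def clock_skew_ok(client_iso, kdc_iso, max_skew=MAX_SKEW_SECONDS):
    """True when two ISO-8601 timestamps differ by at most max_skew seconds."""
    delta = datetime.fromisoformat(client_iso) - datetime.fromisoformat(kdc_iso)
    return abs(delta.total_seconds()) <= max_skew


if __name__ == "__main__":
    for finding in lint_krb5_conf(SAMPLE_KRB5_CONF):
        print("krb5.conf:", finding)
    print("keytab:", check_keytab("/etc/http.keytab") or "ok")  # path from the post
    print("skew ok:", clock_skew_ok("2010-02-03T13:34:00", "2010-02-03T13:40:30"))
```

Run against the posted config the linter reports the misspelled `deafult_realm`, the `dns_lookup_kdc = 24h` value and the resulting absence of `default_realm`; `check_keytab` should be run as the user Squid starts the helper with (the `cache_effective_user`), since a keytab that root can read but that user cannot produces exactly the symptom in the post; and the two timestamps in the `__main__` block sit 6.5 minutes apart, so the skew check reports them as outside the 5-minute window.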
