Hi Paul,

  Does the user running squid have read access to the keytab?  Did you use
export KRB5_KTNAME to point to the keytab in the startup script?  What is
the hostname of your squid host?  Did you get a minor code message?

Check also my page for some further hints http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Markus


"Paul Carew" <beavatro...@gmail.com> wrote in message news:CAPHJSn3cN0uj3fsM1mD0iKkS4CTavBHQMu7ya=w8ojsp_tw...@mail.gmail.com...
Hi!

I'm following the guide here
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
...to get Negotiate authentication working with Squid 3.2.1. NTLM
works fine, but when using Negotiate I am getting this in my
cache.log...

2012/08/17 17:31:01 kid1| ERROR: Negotiate Authentication validating
user. Error returned 'BH gss_accept_sec_context() failed: Unspecified
GSS failure.  Minor code may provide more information. '

"kinit -V -kt /etc/squid/HTTP.keytab HTTP/proxy01.domain.local" produces...

Using default cache: /tmp/krb5cc_0
Using principal: HTTP/proxy01.domain.local@DOMAIN.LOCAL
Using keytab: /etc/squid/HTTP.keytab
kinit: Preauthentication failed while getting initial credentials

"klist -ekt /etc/squid/HTTP.keytab" produces...

Keytab name: WRFILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/17/12 17:18:03 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
   2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 08/17/12 17:18:04 host/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)

auth_params are...

auth_param negotiate program /usr/lib/squid/negotiate_kerb_auth
auth_param negotiate children 30 startup=10 idle=5
auth_param negotiate keep_alive on

Can anyone help? I'm guessing I've not done something rather important?

Thank you.

Paul
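
The checks Markus asks about (keytab readable by the squid user, KRB5_KTNAME exported, the HTTP principal present in the keytab) can be scripted. The following is an added example, not part of the original thread or of Squid; the function names `keytab_entries` and `check_keytab_file` are hypothetical, and the sample `klist -ekt` listing is constructed from the one above.

```shell
#!/bin/sh
# Added example: pre-flight checks for the keytab used by Squid's Negotiate helper.
# Run it as the account squid runs under, with the same environment as the
# startup script, so that the checks see what the helper sees.

# Constructed sample of `klist -ekt` output, modelled on the listing in the thread.
SAMPLE_KLIST='Keytab name: WRFILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   2 08/17/12 17:18:03 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)'

# keytab_entries PRINCIPAL
# Reads `klist -ekt` output on stdin and prints "kvno enctype" for every entry
# of PRINCIPAL. Returns non-zero when the keytab holds no entry for it.
keytab_entries() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $4 == p { gsub(/[()]/, "", $5); print $1, $5; n++ }
        END { exit (n ? 0 : 1) }'
}

# check_keytab_file
# KRB5_KTNAME must be exported and name a file the current user can read
# (an optional FILE: prefix is accepted). Returns 1 if unset, 2 if unreadable.
check_keytab_file() {
    [ -n "${KRB5_KTNAME:-}" ] || { echo "KRB5_KTNAME is not set" >&2; return 1; }
    kt=${KRB5_KTNAME#FILE:}
    [ -r "$kt" ] || { echo "cannot read $kt as $(id -un)" >&2; return 2; }
}

# Demo on the constructed sample. Against a real keytab, use:
#   klist -ekt /etc/squid/HTTP.keytab | keytab_entries 'HTTP/proxy01.domain.local@DOMAIN.LOCAL'
printf '%s\n' "$SAMPLE_KLIST" |
    keytab_entries 'HTTP/proxy01.domain.local@DOMAIN.LOCAL'
```

Entries for the same principal with different KVNOs, as the machine account shows here, mean the keytab was written more than once; only keys matching the current version in the directory will validate tickets.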


