Hi Mohamed,
Is /etc/squid/HTTP.keytab readable by the squid process owner ?
Did you include exprot KRB5_KTNAME=/etc/squid/HTTP.keytab to the startup
script ?
What is the content of /etc/squid/HTTP.keytab ? You can check with
kinit -ekt /etc/squid/HTTP.keytab (if you use MIT Kerberos)
Markus
"Mohamed Navas" <vmnavas_at_gmail.com> wrote in message
news:CAJa81O4wH1==vKn3iSnV2Z=6w6OH9Zs+BDNPaPGeGL2gSuSHHA_at_mail.gmail.com...
> Following is my krb5.conf details,
> I tried both msktutil and ktpass in the active directory domain
> server. The thing is working well with NTLM.
>
> krb5.conf
> =======
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = ACCT.SYSNET.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> #default_keytab_name = /etc/squid/HTTP.keytab
> #allow_weak_crypto = yes
>
>
> ; for Windows 2003
> default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> [realms]
> ACCT.SYSNET.LOCAL = {
> kdc = ad01.acct.sysnet.local
> admin_server = ad01.acct.sysnet.local
> kdc = 192.168.8.122
> }
>
> [domain_realm]
> .acct.sysnet.local = DXBPET.SYSNET.LOCAL
> acct.sysnet.local = DXBPET.SYSNET.LOCAL
>
>
> from squid.conf
> ===========
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> #auth_param negotiate program /usr/sbin/squid_kerb_auth -d
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d
> --ntlm /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=ACCT.SYSNET.LOCAL
> --kerberos /usr/sbin/squid_kerb_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
>
> ### pure ntlm authentication
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=ACCT.SYSNET.LOCAL
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
> acl auth proxy_auth REQUIRED
>
>
> On Tue, Jul 3, 2012 at 1:39 AM, Markus Moeller <huaraz_at_moeller.plus.com>
> wrote:
>> How does your configuration look like ? How did you create the keytab
>> file ?
>>
>> Markus
>>
>>
>> "Mohamed Navas" <vmnavas_at_gmail.com> wrote in message
>> news:CAJa81O71_pG63hu7XGW2om6EOBGTS8y-=xDbSRAyaZgCANaJgw_at_mail.gmail.com...
>>
>>> Hi,
>>>
>>> I have setup the squid authentication with windows 2003 Domain
>>> controller. But it's working well with NTLM, but failed with kerberso
>>> ..getting following error:-
>>>
>>> =====================================================================
>>> 2012/07/02 15:07:17| squid_kerb_auth: ERROR: gss_accept_sec_context()
>>> failed: Unspecified GSS failure. Minor code may provide more
>>> information.
>>> 2012/07/02 15:07:17| negotiate_wrapper: Return 'BH
>>> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
>>> may provide more information.
>>> '
>>> 2012/07/02 15:07:17| authenticateNegotiateHandleReply: Error
>>> validating user via Negotiate. Error returned 'BH
>>> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
>>> may provide more information
>>>
>>> =======================================================================
>>>
>>>
>>
>
Received on Tue Jul 03 2012 - 20:33:30 MDT
This archive was generated by hypermail 2.2.0 : Wed Jul 04 2012 - 12:00:02 MDT