Hi,
we want to use squid with kerberos authentication and ldap authorization in the future. We have used ntlm with winbind for a few years and it worked great, but now it's time for kerberos.
We have squid-3.0.STABLE9-1.el5 running on CentOS 5.4. The rpm is from this website: http://www.osnets.de/wordpress/squid/squid-proxy-authentifizierung/
We created a keytab using ktpass on the DC with the following command:
ktpass -princ http/proxy-kerberos.heidelberg.bw-online.de@HEIDELBERG.BW-ONLINE.DE -mapuser DNT1\proxy-kerberos_kerb -crypto All -pass PASSWORD -ptype KRB5_NT_SRV_HST -out c:\http.keytab
The keytab file is generated without any errors and we copied it to the CentOS machine running squid.
The krb5.conf file looks like the one described in many postings I've read:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HEIDELBERG.BW-ONLINE.DE
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 HEIDELBERG.BW-ONLINE.DE = {
  kdc = dc3.heidelberg.bw-online.de:88
  admin_server = dc3.heidelberg.bw-online.de:749
  default_domain = heidelberg.bw-online.de
 }

[domain_realm]
 .heidelberg.bw-online.de = HEIDELBERG.BW-ONLINE.DE
 heidelberg.bw-online.de = HEIDELBERG.BW-ONLINE.DE
I can kinit USER, it asks for the password and I get a ticket.
I can also do a kinit -V -k -t /etc/http.keytab HTTP/proxy-kerberos.heidelberg.bw-online.de and I get the message "Authenticated to Kerberos v5".
The problem is that sometimes I get authenticated at the proxy, the client (WinXP, IE 7) doesn't ask for credentials, but when I then reboot the machine running squid, the client asks for credentials and does not get authenticated. I can then see the following entry in /var/log/squid/cache.log:
squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No such file or directory
I also get the following message in cache.log, even when the auth works, so I think this is not the big problem:
squid_kerb_auth: parseNegTokenInit failed with rc=102
After an undefined time, the authentication works again. I thought it works again when I delete the client from the AD and join it again, but it was not reproducible.
Does anyone have an idea?
Best regards
Ralf Lutz
Received on Wed Feb 03 2010 - 10:46:28 MST