Further upon this i have updated to 3.1.19 and i get the same errors. I
have fresh installed the machine back to how it was when the first email
when out.
On Mon, 2012-04-16 at 08:25 +1000, Simon Dwyer wrote:
> Hi All,
>
> Have been banging my head against this for a few weeks now.
>
> I have a fresh install of centos 6.2 and have installed squid 3.1.10.
>
> I have copied the kerberos keytab file from our ad server. It was
> created with the command:
>
> ktpass -princ HTTP/proxy-dev-k.domain.example_at_DOMAIN.EXAMPLE -mapuser
> proxy-dev-k$@DOMAIN.EXAMPLE /rndpass -ptype KRB5_NT_PRINCIPAL -out c:
> \krb5.keytab
>
> When thats on my server i can run
>
> [root_at_proxy-dev ~]# klist -ke
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 7 HTTP/proxy-dev-k.domain.example_at_DOMAIN.EXAMPLE (arcfour-hmac)
>
> I can run kinit -k HTTP/proxy-dev-k.domain.example_at_DOMAIN.EXAMPLE
>
> and that comes up in klist correctly.
>
>
> My squid config is been cut down to be simple:
>
> visible_hostname proxy-dev.domain.example
>
> auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -i -d -s
> HTTP/proxy-dev-k.domain.example_at_DOMAIN.EXAMPLE
> auth_param negotiate children 10
> auth_param negotiate keep_alive off
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl AUTHENTICATED proxy_auth REQUIRED
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> http_access deny !AUTHENTICATED
> http_access allow AUTHENTICATED
> http_access deny all
>
> http_port 8080
>
>
> When i have a user try and connect with kerberos i get this error
> message in cache.log
>
> 2012/04/16 08:12:12| squid_kerb_auth: ERROR: gss_accept_sec_context()
> failed: Unspecified GSS failure. Minor code may provide more
> information.
> 2012/04/16 08:12:12| authenticateNegotiateHandleReply: Error validating
> user via Negotiate. Error returned 'BH gss_accept_sec_context() failed:
> Unspecified GSS failure. Minor code may provide more information. '
> 2012/04/16 08:12:12| squid_kerb_auth: INFO: User not authenticated
>
> Any help would be awesome,
>
> Cheers,
>
> Simon Dwyer
>
>
Received on Sun Apr 15 2012 - 23:41:29 MDT
This archive was generated by hypermail 2.2.0 : Mon Apr 16 2012 - 12:00:05 MDT