Hiya,
I'm trying to get my Squid to authenticate users for web access through
Kerberos but it ain't working.
I keep getting the 407 message.
This is the command I used to create the keytab file:
REM Run on a domain controller; the mail client wrapped the single command over four lines,
REM and the archive rendered "@" as "_at_" (the real principal is host/proxy.example.nl@<REALM>).
REM NOTE(review): the realm part reads example.LOCAL while krb5.conf's default_realm is
REM   EXAMPLE.LOCAL; realm names are case-sensitive, so confirm the keytab really carries the
REM   upper-case realm (this may only be an anonymisation artefact of the post).
REM NOTE(review): a browser doing Negotiate against a proxy asks the KDC for the
REM   HTTP/<proxy fqdn> service principal (RFC 4559); a keytab that holds only host/... may not
REM   match what the client presents -- check which SPN the client actually requests (e.g. klist
REM   on the client) before digging further.
REM /crypto all writes a key for every enctype ktpass knows, including the deprecated DES types;
REM   restricting to AES256-SHA1 (adding RC4-HMAC-NT only if legacy clients need it) is the usual
REM   hardening.
REM The output file contains the service's long-term keys: transfer it to the proxy over a
REM   protected channel and make it readable only by the account squid runs as.
ktpass /out proxy.squid.example.keytab /princ
host/proxy.example.nl_at_example.LOCAL /mapuser svc-squid-da /pass xxxxxx
/crypto all /ptype KRB5_NT_PRINCIPAL /mapop add /target
example.example.local
Here is the squid.conf:
# squid.conf as posted (Negotiate/Kerberos proxy authentication). Several directives below were
# wrapped onto two lines by the mail client; in the real file each must be one line (marked
# "wrapped" where it occurs).
http_port 3128
ftp_passive off
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# Earlier basic-auth setup, left commented out. The realm directive is wrapped: the text on the
# line after it is not commented and would be parsed as a directive if the file really looks
# like this.
#auth_param basic realm proxy.snt.nl: Log in met uw EIGEN windows
gebruikersnaam en wachtwoord
#auth_param basic program /usr/sbin/squid_kerb_auth
#auth_param basic program /usr/sbin/msnt_auth
#auth_param basic children 1
#auth_param basic credentialsttl 2 hours
#acl password proxy_auth REQUIRED
# Negotiate helper (wrapped). "-d" turns on the helper's debug output; "-s" names the service
# principal the helper accepts (the archive rendered "@" as "_at_").
# NOTE(review): the realm part reads example.LOCAL while krb5.conf says EXAMPLE.LOCAL; realm
# names are case-sensitive, so confirm the real value (possibly an anonymisation artefact).
# NOTE(review): browsers doing Negotiate against a proxy request the HTTP/<proxy fqdn>
# principal (RFC 4559); if the client asks for HTTP/proxy.example.nl this host/ name will not
# match and the client keeps getting 407.
# The keytab is not named anywhere in this file: the helper reads the default keytab unless
# KRB5_KTNAME in squid's environment points at the file ktpass produced -- confirm it is set
# and that the file is readable by the squid user.
auth_param negotiate program /usr/sbin/squid_kerb_auth -d -s
host/proxy.example.nl_at_example.LOCAL
# A single helper child handles every authentication exchange in turn.
auth_param negotiate children 1
auth_param negotiate keep_alive on
# Matches only requests carrying valid credentials for the helper above.
acl password proxy_auth REQUIRED
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# Content blocks: MSN messenger and assorted media/updater user agents.
acl mymime req_mime_type application/x-msn-messenger
acl video req_header User-Agent NSPlayer
acl video req_header User-Agent NextWare
acl video req_header User-Agent Windows-Media-Player
acl video req_header User-Agent Mozilla.*Google.Desktop
acl video req_header User-Agent kh_lt/LT
acl video req_header User-Agent uvnx
acl video req_header User-Agent contype
acl video req_header User-Agent BW-C-2.0
acl video req_header User-Agent AutoUpdateAgent
acl video req_header User-Agent Tioga
# URL substrings that are blocked (anonymiser / game sites).
acl proxy urlpath_regex anoniem
acl proxy urlpath_regex mozilla.exe
acl proxy urlpath_regex vancouver
acl proxy urlpath_regex winterspel
acl proxy urlpath_regex wintergame
acl proxy urlpath_regex winter-spel
acl proxy urlpath_regex winter-game
acl manager proto cache_object
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/8
# Ports CONNECT may tunnel to.
acl SSL_ports port 21
acl SSL_ports port 443
acl SSL_ports port 1935 # rtmp for studiemeter
acl SSL_ports port 6667
acl SSL_ports port 11438 # xxxxxxxxxx
# Ports plain requests may target.
acl Safe_ports port 80 # http
acl Safe_ports port 82 # 83.163.161.48 (webeasy climate control)
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1935 # rtmp for studiemeter
acl Safe_ports port 2222 # Marcel Wobbes server
acl Safe_ports port 6667 # Martin Ayttm
acl Safe_ports port 6969 # Martin Ayttm
acl Safe_ports port 11438 # Remote-support-Centric
acl Safe_ports port 8888 # kpn: CRM-SDF
acl CONNECT method CONNECT
# Client subnets; the /24 entries overlap the /16 entries of the same site.
acl net0 src 10.0.200.0/24
acl net30 src 10.30.0.0/16
acl net301 src 10.30.1.0/24
acl net40 src 10.40.0.0/16
acl net401 src 10.40.1.0/24
acl net80 src 10.80.0.0/16
acl net801 src 10.80.1.0/24
acl net110 src 10.110.1.0/24
acl net137 src 10.137.80.0/20
acl net1371 src 10.137.80.0/24
acl net128 src 128.1.0.0/16
acl net1281 src 128.1.1.0/24
acl net140 src 140.140.0.0/16
acl net1401 src 140.140.2.0/24
acl net1409 src 140.140.9.0/24
acl net192 src 192.168.0.0/16
# Wrapped: one acl line covering all sites.
acl our_networks src 140.140.0.0/16 10.0.200.0/24 10.30.0.0/16 10.40.0.0/16
10.80.0.0/16 10.110.0.0/16 10.137.80.0/20 192.168.0.0/16
# NOTE(review): http_access is evaluated top-down and stops at the first match. The per-subnet
# allows below come BEFORE the content blocks (deny proxy/mymime/video), BEFORE the port
# restrictions (deny !Safe_ports, deny CONNECT !SSL_ports) and BEFORE "allow password", so a
# client in any of these subnets is never challenged for Kerberos and is also exempt from the
# port and content rules. Such a client will never see a 407; only clients outside these
# subnets are challenged. Moving these allows below the deny lines restores the restrictions
# for everyone, and below "allow password" if authentication is meant to apply to all users.
http_access allow net0
http_access allow net301
http_access allow net401
http_access allow net801
http_access allow net110
http_access allow net1281
http_access allow net1371
http_access allow net1401
http_access allow net1409
http_access deny proxy
http_access deny mymime
http_access deny video
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
# Any client that authenticates is allowed from here on, whatever its source network. A request
# without credentials is answered at this line with the 407 challenge rather than falling
# through; that first 407 is the normal start of the Negotiate exchange, and a browser that
# never follows it with a Negotiate token usually could not obtain a ticket for the proxy's SPN.
http_access allow password
# Reached only after the proxy_auth check above has been evaluated (e.g. rejected credentials).
http_access allow our_networks
http_access allow localhost
http_reply_access allow all
# ICP queries accepted from any source; no cache_peer is configured here, but restricting this
# to known peers is the safer default.
icp_access allow all
reply_body_max_size 400 MB
cache_mgr dcc_at_nl.example.com
# Wrapped: domains that bypass the cache and any parent.
acl alw_direct dstdomain .teezir.com .custhelp.com .rightnowtech.com
.rightnow.com .dhl.com .arflexit.nl .helptu.nl .ottobv.nl .twitter.com
no_cache deny alw_direct
always_direct allow alw_direct
# SNMP agent disabled.
snmp_port 0
# One class-3 delay pool per subnet: aggregate / per-network / per-host rate and burst,
# in bytes and bytes per second (-1 = unlimited).
delay_pools 11
delay_class 1 3
delay_class 2 3
delay_class 3 3
delay_class 4 3
delay_class 5 3
delay_class 6 3
delay_class 7 3
delay_class 8 3
delay_class 9 3
delay_class 10 3
delay_class 11 3
delay_parameters 1 -1/-1 1250000/1250000 500000/500000
delay_parameters 2 -1/-1 1250000/1250000 500000/500000
delay_parameters 3 -1/-1 1250000/1250000 250000/250000
delay_parameters 4 -1/-1 1250000/1250000 500000/500000
delay_parameters 5 -1/-1 1250000/1250000 125000/125000
delay_parameters 6 -1/-1 1250000/1250000 375000/375000
delay_parameters 7 -1/-1 1250000/1250000 125000/125000
delay_parameters 8 -1/-1 1250000/1250000 750000/750000
delay_parameters 9 -1/-1 1250000/1250000 125000/125000
delay_parameters 10 -1/-1 1250000/1250000 125000/125000
delay_parameters 11 -1/-1 1250000/1250000 125000/125000
delay_access 1 allow net1401
delay_access 2 allow net1409
delay_access 3 allow net140
delay_access 4 allow net0
delay_access 5 allow net30
delay_access 6 allow net40
delay_access 7 allow net80
delay_access 8 allow net110
delay_access 9 allow net128
delay_access 10 allow net192
delay_access 11 allow net137
delay_access 1 deny all
delay_access 2 deny all
delay_access 3 deny all
delay_access 4 deny all
delay_access 5 deny all
delay_access 6 deny all
delay_access 7 deny all
delay_access 8 deny all
delay_access 9 deny all
delay_access 10 deny all
delay_access 11 deny all
# These per-subnet allows sit after "allow password" and "allow our_networks", so they appear
# to be reached only by requests the earlier lines did not already decide.
http_access allow net1401
http_access allow net1409
http_access allow net140
http_access allow net0
http_access allow net30
http_access allow net40
http_access allow net80
http_access allow net110
http_access allow net128
http_access allow net192
http_access allow net137
http_access deny all
And here is the krb5.conf:
# krb5.conf as posted. Only [libdefaults] and [realms] matter to squid_kerb_auth; the [logging]
# kdc/kadmind entries apply to KDC daemons and the [appdefaults] pam block to PAM, not to the
# proxy helper.
# NOTE(review): no keytab path is set here (default_keytab_name) and none in squid.conf, so the
# helper falls back to the system default keytab unless KRB5_KTNAME in squid's environment
# points at the file produced by ktpass -- confirm which file is actually being read.
[libdefaults]
# Matches the realm used in the ktpass /target domain; the squid.conf -s principal shows it in
# lower case, which would not match if that is what the file really contains.
default_realm = EXAMPLE.LOCAL
# DNS SRV lookup of realm and KDC in addition to the static [realms] entry below.
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
[realms]
EXAMPLE.LOCAL = {
# Both point at the domain controller given as ktpass /target.
kdc = example.example.local
admin_server = example.example.local
default_domain = EXAMPLE.LOCAL
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Any input would be gratefully received...
Thnx Vaelenor