Hi Markus,
I built a new CentOS server at version 6.5 and redid all the configuration on
the new server in the same way.
Magic happened: everything is working now.
Thank you very much for your help and guidance.
Hi Flypast,
Are you using the RPM or from source?
(My RPM is not designed to compile external_acl and other helpers)
Thanks,
Eliezer
On 30/12/13 02:30, flypast wrote:
Hi Markus,
I built a new CentOS server at version 6.5 and redid all the configuration on
the new server in the same way.
I assume the *s are not in the real file. Can you run an strace against the
auth helper to verify the right keytab is used?
Markus
flypast wrote in message news:1387953737367-4664034.p...@n4.nabble.com...
Hi Markus,
Please see my current /etc/init.d/squid file. I had added your suggested
How do you start the service? Do you use systemctl? If so you may need
to add KRB5_KTNAME=/etc/squid/squid.keytab to
/etc/sysconfig/squid
Markus
flypast wrote in message news:1387845981524-4664010.p...@n4.nabble.com...
Hi Markus,
Please see the below. I just temporarily changed access
Hi Markus,
Please see my current /etc/init.d/squid file. I had added your suggested
content.
[root@proxy01 ~]# cd /etc/init.d/
[root@proxy01 init.d]# more squid
#!/bin/bash
# chkconfig: - 90 25
# pidfile: /var/run/squid.pid
# config: /etc/squid/squid.conf
#
### BEGIN INIT INFO
# Provides: squid
Hi ,
Are you sure your squid user has read access to the keytab? If the KVNO
and HTTP/... name in the ticket match what is in the keytab it should
work.
If your AD entry has also the userprincipalname set to HTTP/proxy
you can test with kinit -kt keytab HTTP/proxy02... It
Hi Markus,
Please see the below. I just temporarily changed access control of keytab
file. Still no luck
[root@proxy01 squid]# ls -al
total 76
drwxr-xr-x. 2 root root 4096 Dec 23 14:24 .
drwxr-xr-x. 105 root root 12288 Dec 24 11:18 ..
-rw-r--r--. 1 root squid 419 Oct 1 23:40
Hi
Can you try
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -i -s GSS_C_NO_NAME
instead of
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -i -s HTTP/proxy02.deeplayer@deeplayer.com
I wonder if the kerberos library gets confused having hostname proxy01
Hi Markus,
Firstly, thank you very much and Merry Christmas!!!
Tried as you suggested.
But still no luck.
The logs as below:
2013/12/23 14:27:47| squid_kerb_auth: DEBUG: Got 'YR
What is the KVNO and encryption type you see in the capture? You may need
to clear the cache on the XP machine by either locking/unlocking the PC or
logging off/on or using kerbtray. It could be that XP had an old key cached.
Markus
flypast wrote in message
Hi Markus,
Thank you very much!
Sorry that I read the capture wrongly.
Looks like the KVNO version and encryption type match between the client XP
PC and squid proxy.
http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4663966/03.png
[root@proxy01 squid]# klist -ekt squid.keytab
Keytab
Hi,
BTW, below is the latest alert log
== /var/log/squid/cache.log ==
2013/12/22 08:39:39| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABt4II4gAFASgKDw==' from squid (length: 59).
2013/12/22 08:39:39| squid_kerb_auth: DEBUG: Decode
Hi,
If you get an NTLM token from the client it usually means that the client
cannot get the service principal for HTTP/proxy where proxy is the
string (yes string, if it is an IP it is used as a string) of the configured
Browser proxy. If you take a wireshark capture on the client you
Hi Markus,
As suggested, I performed a packet capture with wireshark on the proxy client.
I can get the TGS-REP packet with no error. The ticket KVNO (version 15) and
encryption type (RC4-hmac) match the proxy end.
Please see the below:
latest log:
2013/12/22 12:26:24| squid_kerb_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information.
2013/12/22 12:26:24| squid_kerb_auth: INFO: User not authenticated
2013/12/22 12:26:24| authenticateNegotiateHandleReply: Error validating user
Hi Markus.
my proxy hostname is
[root@proxy01 squid]# hostname -f
proxy01.deeplayer.com
I use the CLI below to create the keytab.
msktutil -c -b CN=COMPUTERS -s HTTP/proxy02.deeplayer.com -k
/etc/squid/squid.keytab --computer-name proxy02 --upn
HTTP/proxy02.deeplayer.com --server
On 22/12/2013 3:22 p.m., flypast wrote:
Hi Markus.
my proxy hostname is
[root@proxy01 squid]# hostname -f
proxy01.deeplayer.com
I use the CLI below to create the keytab.
msktutil -c -b CN=COMPUTERS -s HTTP/proxy02.deeplayer.com -k
/etc/squid/squid.keytab --computer-name proxy02
Thx for your confirmation (I did the right thing). Let us go back to my
issue. Could you please help?
--
View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-proxy-kerberos-authentication-failure-Help-tp4663964p4663976.html
Sent from the Squid - Users mailing