Hi Marcio,
That looks OK. TT means the helper requires additional data from the client
which I did not prepare a test for. In my case I get the AF response.
# /opt/squid-trunk/sbin/negotiate_kerberos_auth_test opensuse42.suse.home |
  awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' |
  /opt/squid-trunk/sbin/negotiate_kerberos_auth -r -k squid.keytab -s HTTP/opensuse42.suse.home
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus group=
BH quit command
Anyway the basic check looks good. You now just need to run the helper with
squid. I will see if I can create a test which deals with the TT response too.
Regards
Markus
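
The AF and TT replies in this thread each carry a base64 SPNEGO NegTokenResp (RFC 4178), and decoding it shows the negotiation state behind the status code: accept-incomplete means another token is expected from the client. The following is an added example, not part of the original message or of Squid's code; the function names are hypothetical and AF_LINE is the reply quoted above.

```python
import base64

# negState values of an SPNEGO NegTokenResp (RFC 4178), indexed by value
NEG_STATES = ("accept-completed", "accept-incomplete", "reject", "request-mic")
AF_LINE = "AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus group="  # reply quoted above

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn DER OID content bytes into dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # last byte of this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_helper_reply(line):
    """Split a helper reply and decode the NegTokenResp carried by AF/TT."""
    code, _, rest = line.strip().partition(" ")
    if code not in ("AF", "TT"):
        return {"code": code, "message": rest}     # e.g. BH plus its reason
    info = {"code": code}
    token = base64.b64decode(rest.split()[0], validate=True)
    tag, body, _ = read_tlv(token, 0)
    if tag != 0xA1:                                # [1] = negTokenResp
        raise ValueError("token is not a NegTokenResp")
    _, seq, _ = read_tlv(body, 0)                  # inner SEQUENCE
    pos = 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        _, inner, _ = read_tlv(field, 0)           # unwrap the explicit tag
        if tag == 0xA0:
            info["negState"] = NEG_STATES[inner[0]] if inner[0] < 4 else "unknown"
        elif tag == 0xA1:
            info["supportedMech"] = decode_oid(inner)
    return info

print(parse_helper_reply(AF_LINE))
```

To inspect a TT reply, pass the status code and its token joined on one line, as the helper prints them.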
"Marcio Demetrio Bacci" <[email protected]> wrote in message
news:CA+0Tdyr+2jEL7p09yrtJQ516M-2uE-q=Zayd3F5J0A=25zc...@mail.gmail.com...
Hi Markus, thank you for helping me.
When I type the klist command, the result is:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
28-08-2016 22:40:53 29-08-2016 08:40:53 krbtgt/[email protected]
renew until 29-08-2016 22:40:41
But I get the following result from the command below:
/usr/lib64/squid/negotiate_kerberos_auth_test proxy.cms.ensino.br |
  awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' |
  /usr/lib64/squid/negotiate_kerberos_auth -r -s HTTP/proxy.cms.ensino.br
Result:
TT
oYGbMIGYoAMKAQGhCAYGKwYBBQIFooGGBIGDBQEwFKESBBBDTUIuRU5TSU5PLkVCLkJSfmkwZ6ADAgEFoQMCAR6iERgPMjAxNjA4MjkwMTM2MDVaowUCAwK7P6QRGA8yMDE2MDgyOTAxMzYwNVqlBQIDBhpppgMCAQepFRsTPHVuc3BlY2lmaWVkIHJlYWxtPqoLMAmgAwIBAKECMAA=
BH quit command
The HTTP/proxy.cms.ensino.br is in the keytab files.
I don't have the "test_negotiate_auth.sh" file in src/auth/negotiate/kerberos,
but I have /usr/lib64/squid/negotiate_kerberos_auth_test, thus I'm using it.
My Linux distribution is CentOS 7
Regards,
Márcio
2016-08-28 15:24 GMT-03:00 Markus Moeller <[email protected]>:
Hi Marcio,
The helper needs a Kerberos token as input. Please have a look at
test_negotiate_auth.sh which is in src/auth/negotiate/kerberos of the trunk
version. The squid hostname must match the entry in your keytab and you must
have done kinit to authenticate against a Kerberos server (e.g. AD) as user
first.
Regards
Markus
"Marcio Demetrio Bacci" <[email protected]> wrote in message
news:ca+0tdyqeat4l5ko4zrjnj1aue64my2re7z95kfdqw7y8sv_...@mail.gmail.com...
I am having trouble authenticating Squid3 with Kerberos in a Samba4 domain. I'm
using CentOS 7 and Squid 3.3.8 (yum install squid).
When I type the command below in a terminal:
/usr/lib64/squid/negotiate_kerberos_auth -d -i -s HTTP/[email protected]
john xyz@12345
I have the following error:
negotiate_kerberos_auth.cc(315): pid=6364 :2016/08/27 10:44:33| negotiate_kerberos_auth: DEBUG: Got 'john xyz@12345' from squid (length: 14).
negotiate_kerberos_auth.cc(362): pid=6364 :2016/08/27 10:44:33| negotiate_kerberos_auth: ERROR: Invalid request [john xyz@12345]
BH invalid request
Here are my configuration files:
/etc/krb5.conf
[libdefaults]
default_realm = CMS.ENSINO.BR
[realms]
CMS.ENSINO.BR = {
kdc = dc1.cms.ensino.br:88
admin_server = dc1.cms.ensino.br
default_domain = CMS.ENSINO.BR
}
[domain_realm]
.cms.ensino.br = CMS.ENSINO.BR
cms.ensino.br = CMS.ENSINO.BR
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
1 [email protected]
1 [email protected]
1 [email protected]
1 HTTP/[email protected]
1 HTTP/[email protected]
1 HTTP/[email protected]
1 host/[email protected]
1 host/[email protected]
1 host/[email protected]
1 host/[email protected]
1 host/[email protected]
1 host/[email protected]
1 host/[email protected]
1 host/[email protected]
1 host/[email protected]
1 host/[email protected]
1 [email protected]
1 [email protected]
1 [email protected]
1 [email protected]
1 [email protected]
1 [email protected]
1 [email protected]
1 HTTP/[email protected]
1 HTTP/[email protected]
1 HTTP/[email protected]
1 HTTP/[email protected]
1 HTTP/[email protected]
1 HTTP/[email protected]
1 HTTP/[email protected]
Keytab name: FILE:/etc/squid/PROXY.keytab
KVNO Principal
----
--------------------------------------------------------------------------
1 [email protected]
1 [email protected]
1 [email protected]
1 HTTP/[email protected]
1 HTTP/[email protected]
1 HTTP/[email protected]
1 host/[email protected]
1 host/[email protected]
1 host/[email protected]
/etc/sysconfig/squid
# default squid options
SQUID_OPTS=""
# Time to wait for Squid to shut down when asked. Should not be necessary
# most of the time.
SQUID_SHUTDOWN_TIMEOUT=100
# default squid conf file
SQUID_CONF="/etc/squid/squid.conf"
KRB5_KTNAME=/etc/squid/PROXY.keytab
export KRB5_KTNAME
kinit and klist commands are OK.
Best Regards,
Márcio
------------------------------------------------------------------------------
_______________________________________________
squid-users mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-users