[squid-users] Squid 3.2 kerberos authentication

[Ludovit Koren]

Hi,

I am using FreeBSD 8.1, samba 3.6.9 and squid 3.2.6.

The /etc/krb5.conf file:

[logging]
default = FILE:/var/log/krb.log
kdc = FILE:/var/log/krb.log
admin_server = FILE:/var/log/krb.log
default_keytab_name = /usr/local/etc/squid/HTTP.keytab

[libdefaults]
default_realm = MDPT.LOCAL
dns_lookup_realm = no
dns_lookup_kdc = no
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 EXAMPLE.LOCAL = {
  kdc = ads01.example.local:88
  admin_server = ads01.example.local:464
  default_domain = EXAMPLE.LOCAL
 }

[domain_realm]
.domain.local = EXAMPLE.LOCAL
domain.local = EXAMPLE.LOCAL

[appdefaults]
pam = {
 ticket_lifetime = 1d
 renew_lifetime = 1d
 forwardable = true
 proxiable = false
 retain_after_close = false
 minimum_uid = 1
}



# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: xkoren@EXAMPLE.LOCAL

  Issued           Expires          Principal
Jan 29 13:26:54  Jan 29 23:26:54  HTTP/squid2@EXAMPLE.LOCAL


and I get the following error:

2013/01/29 13:36:30 kid1| Starting new negotiateauthenticator helpers...
2013/01/29 13:36:30 kid1| helperOpenServers: Starting 1/32 
'negotiate_wrapper_auth' processes
2013/01/29 13:36:30 kid1| WARNING: no_suid: setuid(0): (1) Operation not 
permitted
2013/01/29 13:36:30| negotiate_wrapper: Starting version 1.0.1
2013/01/29 13:36:30| negotiate_wrapper: NTLM command: /usr/local/bin/ntlm_auth 
--diagnostics --helper-protocol=squid-2.5-ntlmssp 
2013/01/29 13:36:30| negotiate_wrapper: Kerberos command: 
/usr/local/libexec/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME 
2013/01/29 13:36:30| negotiate_wrapper: Got 'YR 
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 
59).
2013/01/29 13:36:30| negotiate_wrapper: Decode 
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
2013/01/29 13:36:30| negotiate_wrapper: received type 1 NTLM token
negotiate_kerberos_auth.cc(271): pid=93059 :2013/01/29 13:36:30| 
negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
2013/01/29 13:36:30| negotiate_wrapper: Return 'TT 
TlRMTVNTUAACAAAACAAIADgAAAAVgoniY4vxELxfaaEAAAAAAAAAAG4AbgBAAAAABgEAAAAAAA9NAEQAUABUAAIACABNAEQAUABUAAEADABTAFEAVQBJAEQAMgAEABwAdABlAGwAZQBjAG8AbQAuAGcAbwB2AC4AcwBrAAMAKgBzAHEAdQBpAGQAMgAuAHQAZQBsAGUAYwBvAG0ALgBnAG8AdgAuAHMAawAAAAAA
'
2013/01/29 13:36:30| negotiate_wrapper: Got 'KK 
TlRMTVNTUAADAAAAGAAYAHwAAAAGAQYBlAAAAAgACABYAAAAEAAQAGAAAAAMAAwAcAAAABAAEACaAQAAFYKI4gYBsR0AAAAPgUvYFXzvBnilZfvLSfLzUE0ARABQAFQAdQB6AGkAdgBhAHQAZQBsAE8AUABJAFMATgBCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOVyvgVb93T48t/OT6r29XQBAQAAAAAAAF/s0kMd/s0BRgY0Vi13cR0AAAAAAgAIAE0ARABQAFQAAQAMAFMAUQBVAEkARAAyAAQAHAB0AGUAbABlAGMAbwBtAC4AZwBvAHYALgBzAGsAAwAqAHMAcQB1AGkAZAAyAC4AdABlAGwAZQBjAG8AbQAuAGcAbwB2AC4AcwBrAAgAMAAwAAAAAAAAAAEAAAAAEAAAlgAoFHA9U+vb8UFwVQMvpx50bpEtKKqtZSzHIFFAsDkKABAAAAAAAAAAAAAAAAAAAAAAAAkAHABIAFQAVABQAC8AMQAwAC4AMQAuADgALgAzADEAAAAAAAAAAAD9G0LzjgxFX4gXbxAPqzuD'
 from squid (length: 571).
2013/01/29 13:36:30| negotiate_wrapper: Decode 
'TlRMTVNTUAADAAAAGAAYAHwAAAAGAQYBlAAAAAgACABYAAAAEAAQAGAAAAAMAAwAcAAAABAAEACaAQAAFYKI4gYBsR0AAAAPgUvYFXzvBnilZfvLSfLzUE0ARABQAFQAdQB6AGkAdgBhAHQAZQBsAE8AUABJAFMATgBCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOVyvgVb93T48t/OT6r29XQBAQAAAAAAAF/s0kMd/s0BRgY0Vi13cR0AAAAAAgAIAE0ARABQAFQAAQAMAFMAUQBVAEkARAAyAAQAHAB0AGUAbABlAGMAbwBtAC4AZwBvAHYALgBzAGsAAwAqAHMAcQB1AGkAZAAyAC4AdABlAGwAZQBjAG8AbQAuAGcAbwB2AC4AcwBrAAgAMAAwAAAAAAAAAAEAAAAAEAAAlgAoFHA9U+vb8UFwVQMvpx50bpEtKKqtZSzHIFFAsDkKABAAAAAAAAAAAAAAAAAAAAAAAAkAHABIAFQAVABQAC8AMQAwAC4AMQAuADgALgAzADEAAAAAAAAAAAD9G0LzjgxFX4gXbxAPqzuD'
 (decoded length: 426).
2013/01/29 13:36:30| negotiate_wrapper: received type 3 NTLM token
2013/01/29 13:36:30| negotiate_wrapper: Return 'NA = NT_STATUS_UNSUCCESSFUL

I tried google, but I cannot resolve the problem. Please could you be
so kind as far as to point me in the right direction?

Thank you very much in advance.

regards,

lk