Hi Markus, Thanks for your input. I ended up completely removing everything and recreating my key tab and it works great now.
One more question for you or the list: Is it possible to do machine based AD auth to squid? We have a use case here where we would want to allow a machine access to a resource but not necessarily specifically allow the users who are logged in to it. Thanks again, -Scott Scott Finlon, CISSP GCIA GCIH ----------------------------------- Information Security Engineer The University of Scranton email : scott.fin...@scranton.edu phone : 570-941-6168 ----------------------------------- On 8/21/14, 3:20 PM, "Markus Moeller" <hua...@moeller.plus.com> wrote: >Hi Scott, > > So from what see in your first log you have a user MYSUER with a >domain/realm MYDOMAIN, but squid belongs to SUBDOMAIN.DOMAIN.COM. >squid_kerb_ldap tries to authenticate to the domain MYDOMAIN using the >keytab but does not find any entry for MYDOMAIN in the keytab. Then >squid_kerb_ldap tries to find an entry in the keytab of a domain which >trusts MYDOMAIN and fails. It seems there is no Kerberos trust between >MYDOMAIN and SUBDOMAIN.DOMAIN.COM. > > The second log looks better, but the password stored in the keytab for >SQUIDPROXY-K$ is incorrect (Preauthentication failed). > > >Markus > >"Scott Finlon" wrote in message >news:d01b8481.36d86%scott.fin...@scranton.edu... > >Hi All, > > >I have squid_kerb_auth working and authenticating via my key tab file. >However, when trying to lock it down to users that are in a group in AD, >I¹m seeing a weird issue. >I put my sanitized output here: http://pastebin.com/wGc3RC0h >But basically if I use this "./squid_kerb_ldap -d -g proxy_allow -D >MYDOMAIN² it is able to auth to AD and eventually attempts to use a bind >path of dc=MYDOMAIN instead of dc=MYDOMAIN,dc=DOMAIN,dc=COM, and then it >gives a referral error. > >So seeing that, I tried to use my full domain as the default domain, like >this "./squid_kerb_ldap -d -g proxy_allow -D MYDOMAIN.MYDOMAIN.COM² it >gives a Preauthentication failed error and doesn¹t even make it in to AD, >full output here: http://pastebin.com/Gk1ci0nt > >That makes me think it¹s an issue with the key tab file, but it works >appropriately with kerb auth just not kerb ldap. Any ideas? >I am going to try and make a key tab file with ktpass instead of msktutil >and see if that has any affect. >Thanks, >-Scott > > > > >
