Hi Markus,
Thanks for your input. I ended up completely removing everything and
recreating my keytab and it works great now.

One more question for you or the list: Is it possible to do machine-based
AD auth to squid?
We have a use case here where we would want to allow a machine access to a
resource but not necessarily specifically allow the users who are logged
in to it.
Thanks again,

Information Security Engineer
The University of Scranton
email : scott.fin...@scranton.edu
phone : 570-941-6168

On 8/21/14, 3:20 PM, "Markus Moeller" <hua...@moeller.plus.com> wrote:

>Hi Scott,
>So from what I see in your first log you have a user MYSUER with a
>domain/realm MYDOMAIN, but squid belongs to SUBDOMAIN.DOMAIN.COM.
>squid_kerb_ldap tries to authenticate to the domain MYDOMAIN using the
>keytab but does not find any entry for MYDOMAIN in the keytab. Then
>squid_kerb_ldap tries to find an entry in the keytab of a domain which
>trusts MYDOMAIN and fails. It seems there is no Kerberos trust between
>The second log looks better, but the password stored in the keytab for
>SQUIDPROXY-K$ is incorrect (Preauthentication failed).
>"Scott Finlon" wrote in message
>Hi All,
>I have squid_kerb_auth working and authenticating via my keytab file.
>However, when trying to lock it down to users that are in a group in AD,
>I'm seeing a weird issue.
>I put my sanitized output here: http://pastebin.com/wGc3RC0h
>But basically if I use this "./squid_kerb_ldap -d -g proxy_allow -D
>MYDOMAIN" it is able to auth to AD and eventually attempts to use a bind
>path of dc=MYDOMAIN instead of dc=MYDOMAIN,dc=DOMAIN,dc=COM, and then it
>gives a referral error.
>So seeing that, I tried to use my full domain as the default domain, like
>this "./squid_kerb_ldap -d -g proxy_allow -D MYDOMAIN.MYDOMAIN.COM" it
>gives a Preauthentication failed error and doesn't even make it in to AD,
>full output here: http://pastebin.com/Gk1ci0nt
>That makes me think it's an issue with the keytab file, but it works
>appropriately with kerb auth just not kerb ldap. Any ideas?
>I am going to try and make a keytab file with ktpass instead of msktutil
>and see if that has any effect.
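The two diagnoses in Markus's reply (no keytab entry for the user's realm, and a keytab key that no longer matches the account password) are the checks a practitioner wants to script before poking at squid_kerb_ldap again. The following is an added example, not code from the thread or from the squid project: POSIX sh functions that read `klist -kt` output, report which realms the keytab actually covers, and derive the LDAP base DN squid_kerb_ldap should end up with for a given domain. The keytab listing, principal names and timestamp are constructed for the example; the host and realm names are taken from the thread and are assumed, not real.

```shell
#!/bin/sh
# Added example (not from the thread or from squid): check a keytab listing
# for the realm a user comes from, and show the LDAP base DN for a domain.

# Constructed sample of `klist -kt /etc/squid/squid.keytab` output. The
# principals, KVNO and timestamp are made up; the realm is the one Markus
# says squid belongs to.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/21/2014 10:00:00 HTTP/squidproxy.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM
   3 08/21/2014 10:00:00 SQUIDPROXY-K$@SUBDOMAIN.DOMAIN.COM'

# keytab_realms LISTING -> unique realms present in the keytab, one per line.
# Skips the three header lines and strips everything up to the '@' of each
# principal (the principal is the last whitespace-separated field).
keytab_realms() {
    printf '%s\n' "$1" |
        awk 'NR > 3 && NF >= 4 { sub(/^[^@]*@/, "", $NF); print $NF }' |
        sort -u
}

# keytab_has_realm LISTING REALM -> exit 0 if the keytab has a key in REALM.
# This is the lookup that failed in Scott's first log: a MYDOMAIN user, but
# no MYDOMAIN entry in the keytab.
keytab_has_realm() {
    keytab_realms "$1" | grep -qxF "$2"
}

# domain_to_basedn DNS-DOMAIN -> LDAP base DN
# e.g. SUBDOMAIN.DOMAIN.COM -> dc=SUBDOMAIN,dc=DOMAIN,dc=COM
# Passing a bare NetBIOS-style name (MYDOMAIN) yields dc=MYDOMAIN, which is
# the truncated base DN Scott saw and which AD answers with a referral.
domain_to_basedn() {
    printf '%s\n' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i; printf "\n" }'
}

# check_realm LISTING REALM -> prints a one-line diagnosis, exit 0 if usable.
check_realm() {
    if keytab_has_realm "$1" "$2"; then
        echo "ok: keytab has an entry in realm $2; LDAP base DN would be $(domain_to_basedn "$2")"
        return 0
    fi
    echo "missing: no keytab entry in realm $2; squid_kerb_ldap would have to fall back to a trusted realm"
    return 1
}

# Demo on the constructed listing: the realm squid belongs to is present,
# the user's realm is not.
for realm in SUBDOMAIN.DOMAIN.COM MYDOMAIN; do
    check_realm "$SAMPLE_KLIST" "$realm" || :
done
```

Against a live proxy, feed the real listing in with `check_realm "$(klist -kt /etc/squid/squid.keytab)" MYDOMAIN.DOMAIN.COM`. A realm being present only proves the keytab has a key for it; to catch the second problem (a stale key after the account password was reset, which shows up as "Preauthentication failed"), obtain a ticket with that key directly, e.g. `kinit -kt /etc/squid/squid.keytab 'SQUIDPROXY-K$@SUBDOMAIN.DOMAIN.COM'`, before involving squid at all.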
