Windows 7 inside the domain? Anyway, you should configure a basic auth scheme as a second fallback.
On Fri, Oct 24, 2014 at 9:26 PM, Markus Moeller <hua...@moeller.plus.com> wrote:
> Hi Pedro,
>
> How did you create your keytab? What does klist -ekt <squid.keytab> show
> (I assume you use MIT Kerberos)?
>
> Markus
>
> "Pedro Lobo" <pal...@gmail.com> wrote in message
> news:40e1e0e7-50c6-4117-94aa-50b065734...@gmail.com...
>
> Hi Squid Gurus,
>
> I'm at my wit's end and in dire need of some squid expertise.
>
> We've got a production environment with a couple of squid 2.7 servers
> using NTLM and basic authentication. Recently though, we decided to upgrade
> and I'm now setting up squid 3.3 with Kerberos and NTLM Fallback. I've
> followed just about every guide I could find and in my testing environment,
> things were working great. Now that I've hooked it up to the main domain,
> things are awry.
>
> If I use a machine that's not part of the domain, NTLM kicks in and I can
> surf the web fine. If I use a Windows XP or Windows Server 2003, kerberos
> works just fine, however, if I use a machine with Windows 7, 8 or 2008 server, I
> keep getting a popup asking me to authenticate and even then, it's an
> endless loop until it fails. My cache.log is littered with:
>
> negotiate_kerberos_auth.cc(200): pid=1607 :2014/10/24 23:03:01| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
> 2014/10/24 23:03:01| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
>
> The odd thing, is that this has worked before. Help me Obi Wan... You're
> my only hope! :)
>
> *Current Setup*
> Squid 3.3 running on Ubuntu 14.04 server. It's connected to a 2003 server
> with function level 2000 (I know, we're trying to phase out the older
> servers).
>
> *krb5.conf*
>
> [libdefaults]
> default_realm = FAKE.NET
> dns_lookup_kdc = yes
> dns_lookup_realm = yes
> ticket_lifetime = 24h
> default_keytab_name = /etc/squid3/PROXY.keytab
>
> ; for Windows 2003
> default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> [realms]
> FAKE.NET = {
>     kdc = srv01.fake.net
>     kdc = srv02.fake.net
>     kdc = srv03.fake.net
>     admin_server = srv01.fake.net
>     default_domain = fake.net
> }
>
> [domain_realm]
> .fake.net = FAKE.NET
> fake.net = FAKE.NET
>
> [logging]
> kdc = FILE:/var/log/kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
> *squid.conf*
>
> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/proxy01tst.fake.net
> auth_param negotiate children 20 startup=0 idle=1
> auth_param negotiate keep_alive off
>
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=FAKE.NET
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
>
> Cheers,
> Pedro
>
> Regards
> Pedro Lobo
> *Solutions Architect | System Engineer*
>
> pedro.l...@pt.clara.net
> Tlm.: +351 939 528 827 | Tel.: +351 214 127 314
>
> Claranet Portugal
> Ed. Parque Expo
> Av. D. João II, 1.07-2.1, 4º Piso
> 1998-014 Lisboa
> www.claranet.pt
>
> Company certified to ISO 9001, ISO 20000 and ISO 27001
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
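Added example, not part of the thread: one way to act on the `klist -ekt` question is to compare the keytab's entries for the principal passed to `negotiate_kerberos_auth -s` against `permitted_enctypes` in krb5.conf. The `klist` output below is constructed (MIT format assumed), the function names are hypothetical, and the thread does not establish that this is the cause of the error.

```python
import re

# MIT Kerberos enctype aliases, mapped to one canonical name for comparison.
ALIASES = {"rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac",
           "aes256-cts": "aes256-cts-hmac-sha1-96",
           "aes128-cts": "aes128-cts-hmac-sha1-96"}

# permitted_enctypes line copied from the krb5.conf quoted in the thread.
KRB5_CONF = "[libdefaults]\npermitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5\n"

# Constructed `klist -ekt /etc/squid3/PROXY.keytab` output; not from the thread.
KLIST = """\
Keytab name: FILE:/etc/squid3/PROXY.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------
   3 10/24/2014 22:10:05 HTTP/proxy01tst.fake.net@FAKE.NET (arcfour-hmac)
   3 10/24/2014 22:10:05 HTTP/proxy01tst.fake.net@FAKE.NET (aes256-cts-hmac-sha1-96)
"""

def canon(enctype):
    """Lower-case an enctype name and resolve known aliases."""
    e = enctype.strip().lower()
    return ALIASES.get(e, e)

def permitted_enctypes(krb5_conf):
    """Return the canonical permitted_enctypes set, or None if the key is unset."""
    m = re.search(r"^\s*permitted_enctypes\s*=\s*(.+)$", krb5_conf, re.M)
    return {canon(e) for e in re.split(r"[\s,]+", m.group(1).strip())} if m else None

def keytab_entries(klist_output):
    """Parse data rows of `klist -ekt`: KVNO, date, time, principal, (enctype)."""
    row = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")
    return [(int(m.group(1)), m.group(2), canon(m.group(3)))
            for m in map(row.match, klist_output.splitlines()) if m]

def check(krb5_conf, klist_output, service, realm):
    """List mismatches between the helper's -s principal, the keytab and krb5.conf."""
    allowed = permitted_enctypes(krb5_conf)
    principal = f"{service}@{realm}"
    # Exact match on purpose: MIT Kerberos principal names are case-sensitive.
    mine = [e for e in keytab_entries(klist_output) if e[1] == principal]
    if not mine:
        return [f"no keytab entry for {principal}"]
    return [f"kvno {kvno}: {etype} key not in permitted_enctypes"
            for kvno, _, etype in mine if allowed is not None and etype not in allowed]

if __name__ == "__main__":
    for finding in check(KRB5_CONF, KLIST, "HTTP/proxy01tst.fake.net", "FAKE.NET"):
        print(finding)
```
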