Hi Pedro, Did you try the –s GSS_C_NO_NAME option ?
Markus "Pedro Lobo" <pal...@gmail.com> wrote in message news:94f74226-f24b-4910-95b7-b86ace815...@gmail.com... Hey Everybody, Seems as though I celebrated too soon on Saturday. Today things are back to not working for Windows 7+ machines and XP/2003 machines are working just fine. I've also checked the permissions on the keytab file and they haven't changed since Saturday, so it's not that... ARGH!!!! Craving ideas and solutions right now... Pilot users are less than satisfied ;) Cheers, Pedro On 25 Oct 2014, at 14:13, Markus Moeller wrote: Hi Pedro, I wonder if he upper case in the name is a problem. Can you try auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s GSS_C_NO_NAME instead of auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/proxy01tst.fake.net Markus "Pedro Lobo" pal...@gmail.com wrote in message news:fd6832b9-3f1f-48c6-a76f-47a224f16...@gmail.com... Hi Markus, I used msktutil to create the keytab. msktutil -c -s HTTP/proxy01tst.fake.net -h proxy01tst.fake.net -k /etc/squid3/PROXY.keytab --computer-name proxy01-tst --upn HTTP/proxy01tst.fake.net --server srv01.fake.net --verbose Output of klist -ekt: 2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (arcfour-hmac) 2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes128-cts-hmac-sha1-96) 2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes256-cts-hmac-sha1-96) 2 10/24/2014 22:59:50 HTTP/proxy01tst.fake....@fake.net (arcfour-hmac) 2 10/24/2014 22:59:50 HTTP/proxy01tst.fake....@fake.net (aes128-cts-hmac-sha1-96) 2 10/24/2014 22:59:50 HTTP/proxy01tst.fake....@fake.net (aes256-cts-hmac-sha1-96) 2 10/24/2014 22:59:50 host/proxy01tst.fake....@fake.net (arcfour-hmac) 2 10/24/2014 22:59:50 host/proxy01tst.fake....@fake.net (aes128-cts-hmac-sha1-96) 2 10/24/2014 22:59:50 host/proxy01tst.fake....@fake.net (aes256-cts-hmac-sha1-96) Yep, using MIT Kerberos Thanks in advance for any help. Cheers, Pedro On 25 Oct 2014, at 1:26, Markus Moeller wrote: Hi Pedro, How did you create your keytab ? What does klist –ekt <squid.keytab> show ( I assume you use MIT Kerberos) ? Markus "Pedro Lobo" pal...@gmail.com wrote in message news:40e1e0e7-50c6-4117-94aa-50b065734...@gmail.com... Hi Squid Gurus, I'm at my wit's end and in dire need of some squid expertise. We've got a production environment with a couple of squid 2.7 servers using NTLM and basic authentication. Recently though, we decided to upgrade and I'm now setting up squid 3.3 with Kerberos and NTLM Fallback. I've followed just about every guide I could find and in my testing environment, things were working great. Now that I've hooked it up to the main domain, things are awry. If I use a machine that's not part of the domain, NTLM kicks in and I can surf the web fine. If I use a Windows XP or Windows Server 2003, kerberos works just fine, however, if I use a machine Windows 7, 8 or 2008 server, I keep getting a popup asking me to authenticate and even then, it's and endless loop until it fails. My cache.log is littered with: negotiate_kerberos_auth.cc(200): pid=1607 :2014/10/24 23:03:01| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. 2014/10/24 23:03:01| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. ' The odd thing, is that this has worked before. Help me Obi Wan... You're my only hope! :) Current Setup Squid 3.3 running on Ubuntu 14.04 server. It's connected to a 2003 server with function level 2000 (I know, we're trying to fase out the older servers). krb5.conf [libdefaults] default_realm = FAKE.NET dns_lookup_kdc = yes dns_lookup_realm = yes ticket_lifetime = 24h default_keytab_name = /etc/squid3/PROXY.keytab ; for Windows 2003 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 [realms] FAKE.NET = { kdc = srv01.fake.net kdc = srv02.fake.net kdc = srv03.fake.net admin_server = srv01.fake.net default_domain = fake.net } [domain_realm] .fake.net = FAKE.NET fake.net = FAKE.NET [logging] kdc = FILE:/var/log/kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log squid.conf auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/proxy01tst.fake.net auth_param negotiate children 20 startup=0 idle=1 auth_param negotiate keep_alive off auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=FAKE.NET auth_param ntlm children 10 auth_param ntlm keep_alive off Cheers, Pedro Cumprimentos Pedro Lobo Solutions Architect | System Engineer pedro.l...@pt.clara.net Tlm.: +351 939 528 827 | Tel.: +351 214 127 314 Claranet Portugal Ed. Parque Expo Av. D. João II, 1.07-2.1, 4º Piso 1998-014 Lisboa www.claranet.pt Empresa certificada ISO 9001, ISO 20000 e ISO 27001 ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ------------------------------------------------------------------------------ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users Cumprimentos Pedro Lobo Solutions Architect | System Engineer pedro.l...@pt.clara.net Tlm.: +351 939 528 827 | Tel.: +351 214 127 314 Claranet Portugal Ed. Parque Expo Av. D. João II, 1.07-2.1, 4º Piso 1998-014 Lisboa www.claranet.pt Empresa certificada ISO 9001, ISO 20000 e ISO 27001 ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ------------------------------------------------------------------------------ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users -------------------------------------------------------------------------------- _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
