Hi Joao,

OK, now you use the authentication rule.

How did you create the keytab? Does the hostname match the keytab entry? Can you run the helper with -d to get more debug?

Markus

From: Joao Paulo Monticelli Gaspar
Sent: Thursday, March 19, 2015 12:41 AM
To: Markus Moeller
Subject: Re: [squid-users] Squid + AD + Kerb auth question

Getting access denied now. Watch the logs:

==> /var/log/squid/squid.out <==

==> /var/log/squid/access.log <==
1426725527.219      1 192.168.1.251 TCP_DENIED/407 4509 GET http://www.eset.com.br/download/business - NONE/- text/html

==> /var/log/squid/cache.log <==
2015/03/18 21:38:47| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. '

Guess my SSO isn't working right?

2015-03-18 20:46 GMT-03:00 Markus Moeller <hua...@moeller.plus.com>:

Hi Joao,

Then you hit http_access allow localnet and not http_access allow ad_auth. Comment out the following line in squid.conf:

http_access allow localnet

and try again.

Markus

From: Joao Paulo Monticelli Gaspar
Sent: Wednesday, March 18, 2015 11:38 PM
To: Markus Moeller
Subject: Re: [squid-users] Squid + AD + Kerb auth question

Yes, I'm using localnet; this is a virtual test lab environment. Here are some log entries:

1426694349.225  59653 192.168.1.251 TCP_MISS/200 4775 CONNECT p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i2-v6exp3-ds.metric.gstatic.com:443 - DIRECT/216.58.222.35 -
1426694352.258  62686 192.168.1.251 TCP_MISS/200 4774 CONNECT p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i1-v6exp3-v4.metric.gstatic.com:443 - DIRECT/216.58.222.46 -
1426694613.543  58996 192.168.1.251 TCP_MISS/200 1112 CONNECT safebrowsing.google.com:443 - DIRECT/173.194.42.133 -

When I looked at the access.log manual pages I saw that if Squid can't get the user info, it uses the - sign in the access log, and we can see it there, but why can't it get the user info?

2015-03-18 20:20 GMT-03:00 Markus Moeller <hua...@moeller.plus.com>:

Hi,

From which network do you surf? From localnet? Can you send sample log entries?

Markus

From: Joao Paulo Monticelli Gaspar
Sent: Wednesday, March 18, 2015 9:18 PM
To: Markus Moeller
Subject: Re: [squid-users] Squid + AD + Kerb auth question

squid.conf

visible_hostname proxy.joznet.local

# Negotiate (Kerberos) authentication helper
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours

acl ad_auth proxy_auth REQUIRED

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.1.0/24   # RFC1918 possible internal network
acl localnet src fc00::/7         # RFC 4193 local private network range
acl localnet src fe80::/10        # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80            # http
acl Safe_ports port 21            # ftp
acl Safe_ports port 443           # https
acl Safe_ports port 70            # gopher
acl Safe_ports port 210           # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280           # http-mgmt
acl Safe_ports port 488           # gss-http
acl Safe_ports port 591           # filemaker
acl Safe_ports port 777           # multiling http
acl CONNECT method CONNECT

# http_access lines are evaluated in order; the first matching line decides
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow ad_auth
http_access deny all

http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

****************************************************************************************

krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = JOZNET.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; for MIT/Heimdal kdc no need to restrict encryption type

[realms]
 JOZNET.LOCAL = {
  kdc = srvjoznt.joznet.local:88
  admin_server = srvjoznt.joznet.local:749
  default_domain = joznet.local
 }

[domain_realm]
 .joznet.local = JOZNET.LOCAL
 joznet.local = JOZNET.LOCAL

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false

2015-03-18 17:54 GMT-03:00 Markus Moeller <hua...@moeller.plus.com>:

What does the config file look like?

Markus

"Joao Paulo Monticelli Gaspar" <jaumsh...@gmail.com> wrote in message news:CAFjXhx=idbdxeqxbzy56tr5m3fztasu2tqgwlclydi_s-s3...@mail.gmail.com...

Hey people,

I have a doubt and couldn't find the answer anywhere yet. I'm using Squid integrated with a W2K8 AD server with Kerberos auth, and everything works fine. The main reason for choosing this setup is the single sign-on capability of the configuration, but in my access.log I can't see the users that are visiting the sites... Is it possible to show that info with this setup, or with any other setup that maintains the SSO?

Thx in advance.
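The whole thread turns on one Squid behaviour: http_access lines are evaluated first-match, so with the posted ordering a request from localnet is allowed before the proxy_auth ACL is ever consulted, no Negotiate challenge is sent, and access.log shows "-" in the user field. Commenting out the localnet line, as Markus suggests, makes the auth line reachable and the 407 appears. The script below is an added example written for this page, not Squid's own code and not something posted in the thread: a simplified re-implementation of first-match http_access semantics for the ACL types the posted rules use (src, port, method, proxy_auth), run against the posted rule order and the corrected one, plus a small check over access.log lines that flags requests served without a user name. The config lines and log lines are copied from the thread; the client address 192.168.1.251 is taken from the log, and the principal joao@JOZNET.LOCAL is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# squid.conf lines from the thread that drive the decision, in the posted order
# (cache-manager lines left out, Safe_ports collapsed onto one line).
POSTED_CONF = """
acl ad_auth proxy_auth REQUIRED
acl localhost src 127.0.0.1/32 ::1
acl localnet src 192.168.1.0/24
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow ad_auth
http_access deny all
"""
# The same config after Markus's suggestion: the localnet allow commented out.
FIXED_CONF = POSTED_CONF.replace("http_access allow localnet", "# http_access allow localnet")

# access.log lines copied from the thread (native format: time elapsed client
# result/status bytes method URL user hierarchy/peer type).
SAMPLE_LOG = """\
1426694613.543 58996 192.168.1.251 TCP_MISS/200 1112 CONNECT safebrowsing.google.com:443 - DIRECT/173.194.42.133 -
1426725527.219 1 192.168.1.251 TCP_DENIED/407 4509 GET http://www.eset.com.br/download/business - NONE/- text/html
"""


@dataclass
class Request:
    src: str                    # client address as Squid sees it
    port: int                   # port of the URL or of the CONNECT target
    method: str
    user: Optional[str] = None  # None: no Proxy-Authorization header was sent


class NeedAuth(Exception):
    """A proxy_auth ACL was reached but the client sent no credentials."""


def parse_config(text: str):
    acls = {"all": ("src", ["0.0.0.0/0", "::/0"])}  # 'all' is built in on Squid 3.x
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] == "acl":  # repeated acl lines with one name OR together
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(kind: str, args: List[str], req: Request) -> bool:
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "port":
        return any(int(lo) <= req.port <= int(hi or lo)
                   for lo, _, hi in (a.partition("-") for a in args))
    if kind == "method":
        return req.method in args
    if kind == "proxy_auth":
        if req.user is None:
            raise NeedAuth()  # Squid answers 407 here rather than deciding
        return True           # REQUIRED: any authenticated user matches
    raise ValueError("acl type not modelled: " + kind)


def evaluate(acls, rules, req: Request) -> str:
    """First-match walk of http_access, as Squid does it. Returns 'allow',
    'deny' or 'challenge' (the 407 with Proxy-Authenticate: Negotiate)."""
    for action, terms in rules:
        try:
            if all(acl_matches(*acls[t.lstrip("!")], req) != t.startswith("!")
                   for t in terms):
                return action
        except NeedAuth:
            return "challenge"
    return "deny" if rules[-1][0] == "allow" else "allow"  # default: opposite of last line


def served_without_user(log: str) -> List[Tuple[str, str, str]]:
    """(client, status, url) of requests served (2xx/3xx) with '-' as user:
    on an SSO proxy each was allowed by a rule that sits ahead of the auth ACL."""
    hits = []
    for f in (line.split() for line in log.splitlines()):
        status = f[3].split("/")[1] if len(f) >= 8 else ""
        if status[:1] in ("2", "3") and f[7] == "-":
            hits.append((f[2], status, f[6]))
    return hits


if __name__ == "__main__":
    lan = Request("192.168.1.251", 80, "GET")                            # no ticket presented
    lan_auth = Request("192.168.1.251", 80, "GET", "joao@JOZNET.LOCAL")  # assumed principal
    print("posted, no credentials:", evaluate(*parse_config(POSTED_CONF), lan))        # allow
    print("fixed, no credentials:", evaluate(*parse_config(FIXED_CONF), lan))          # challenge
    print("fixed, with credentials:", evaluate(*parse_config(FIXED_CONF), lan_auth))   # allow
    print("served without user:", served_without_user(SAMPLE_LOG))
```

The "challenge" result is the TCP_DENIED/407 line in Joao's later log: once the localnet allow is gone the browser is asked for a Negotiate token and the user name will be logged when a token is accepted. The BH gss_acquire_cred() error in cache.log is a separate problem in the helper itself (it cannot load a credential from the keytab), which this model does not cover; the keytab and hostname checks and the -d run from Markus's last message are the next step for that.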
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users