
#1 2013-02-04 12:05:50

boak
Member
Registered: 2013-01-17
Posts: 13

Can't get Kerberos authentication working in Squid

I'm putting together a squid proxy within a test environment. When sending a request to the proxy (from a vanilla Windows 7 PC running IE8) authentication fails and the following lines appear in /var/log/squid/cache.log:

negotiate_kerberos_auth.cc(199): pid=508 :2013/02/04 19:19:28| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information.
2013/02/04 19:19:28 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. '

To install squid, I added the following lines to the squid PKGBUILD ./configure line:

--enable-basic-auth-helpers="LDAP"
--enable-negotiate-auth-helpers="squid_kerb_auth"
--enable-external-acl-helpers="LDAP_group"

Squid compiled, installed and starts fine. Below are my configuration files:

- /etc/krb5.conf
- /etc/squid/squid.conf

I have added the KRB5_KTNAME environment variable to the squid.service unit and made sure it is pointing to /etc/squid/squid.keytab. I've confirmed that the environment variable is set by looking at /proc/<PID>/environ:

$ systemctl status squid
squid.service - Web Proxy Cache Server
          Loaded: loaded (/etc/systemd/system/squid.service; disabled)
          Active: active (running) since Mon 2013-02-04 16:25:03 WST; 3h 6min ago
         Process: 495 ExecStop=/usr/sbin/squid -k shutdown (code=exited, status=0/SUCCESS)
         Process: 498 ExecStart=/usr/sbin/squid -sYC (code=exited, status=0/SUCCESS)
        Main PID: 501 (squid)
          CGroup: name=systemd:/system/squid.service
                  ├─499 /usr/sbin/squid -sYC
                  ├─501 (squid-1) -sYC
                  ├─502 (ext_ldap_group_acl) -R -K -b dc=test,dc=local -D squid@test.local -W /etc/squid/ldappass.txt -f (&(objectclass=p...
                  ├─503 (ext_ldap_group_acl) -R -K -b dc=test,dc=local -D squid@test.local -W /etc/squid/ldappass.txt -f (&(objectclass=p...
                  ├─504 (ext_ldap_group_acl) -R -K -b dc=test,dc=local -D squid@test.local -W /etc/squid/ldappass.txt -f (&(objectclass=p...
                  ├─505 (ext_ldap_group_acl) -R -K -b dc=test,dc=local -D squid@test.local -W /etc/squid/ldappass.txt -f (&(objectclass=p...
                  ├─506 (ext_ldap_group_acl) -R -K -b dc=test,dc=local -D squid@test.local -W /etc/squid/ldappass.txt -f (&(objectclass=p...
                  ├─508 (negotiate_kerberos_auth) -d -i
                  └─649 (ntlm_auth) --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST

$ cat /proc/501/environ | grep -o --binary-files=text 'KRB5_KTNAME=[^A-Z]\+'
KRB5_KTNAME=/etc/squid/squid.keytab
$ cat /proc/508/environ | grep -o --binary-files=text 'KRB5_KTNAME=[^A-Z]\+'
KRB5_KTNAME=/etc/squid/squid.keytab

Permissions for the keytab file are as follows:

$ ll /etc/squid/squid.keytab
-rw-r----- 1 root proxy 1.3K Feb  4 14:50 /etc/squid/squid.keytab

From what I can tell the keytab file was created properly:

$ klist -kt /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/02/13 14:49:43 SQUID-K$@TEST.LOCAL
   2 04/02/13 14:49:43 SQUID-K$@TEST.LOCAL
   2 04/02/13 14:49:43 SQUID-K$@TEST.LOCAL
   2 04/02/13 14:49:43 HTTP/squid.test.local@TEST.LOCAL
   2 04/02/13 14:49:43 HTTP/squid.test.local@TEST.LOCAL
   2 04/02/13 14:49:43 HTTP/squid.test.local@TEST.LOCAL
   2 04/02/13 14:49:43 host/squid.test.local@TEST.LOCAL
   2 04/02/13 14:49:43 host/squid.test.local@TEST.LOCAL
   2 04/02/13 14:49:43 host/squid.test.local@TEST.LOCAL
   4 04/02/13 14:50:40 squid-k$@TEST.LOCAL
   4 04/02/13 14:50:40 squid-k$@TEST.LOCAL
   4 04/02/13 14:50:40 squid-k$@TEST.LOCAL
   4 04/02/13 14:50:40 host/squid.test.local@TEST.LOCAL
   4 04/02/13 14:50:40 host/squid.test.local@TEST.LOCAL
   4 04/02/13 14:50:40 host/squid.test.local@TEST.LOCAL
   4 04/02/13 14:50:40 HTTP/squid.test.local@TEST.LOCAL
   4 04/02/13 14:50:40 HTTP/squid.test.local@TEST.LOCAL
   4 04/02/13 14:50:40 HTTP/squid.test.local@TEST.LOCAL

$ kinit -kt /etc/squid/squid.keytab HTTP/squid.test.local
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/squid.test.local@TEST.LOCAL

Valid starting     Expires            Service principal
04/02/13 19:40:56  05/02/13 05:40:56  krbtgt/TEST.LOCAL@TEST.LOCAL
        renew until 05/02/13 19:40:59

The domain controller is running a vanilla Server 2008 install, winbind/samba appear to be working fine:

$ wbinfo -t
checking the trust secret for domain TEST via RPC calls succeeded
$ wbinfo -a TEST\\joe.bloggs
Enter TEST\joe.bloggs's password:
plaintext password authentication succeeded
Enter TEST\joe.bloggs's password:
challenge/response password authentication succeeded

All my googling for the error message seems to point to the keytab file being unreadable/inaccessible by the negotiate_kerberos_auth or squid_kerb_auth binaries; however, as above, I have confirmed that the proper KRB5_KTNAME environment variable is set and that it has correct permissions. The test binaries for negotiate_kerberos_auth or squid_kerb_auth give the following output:

$ /usr/bin/squid_kerb_auth_test -d -s GSS_C_NO_NAME squid.test.local
2013/02/04 19:58:46| squid_kerb_auth_test: gss_init_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. SPNEGO cannot find mechanisms to negotiate
Token: NULL
QQ
$ /usr/lib/squid/negotiate_kerberos_auth_test -d -s GSS_C_NO_NAME squid.text.local
2013/02/04 19:58:50| negotiate_kerberos_auth_test: gss_init_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. SPNEGO cannot find mechanisms to negotiate
Token: NULL

Google results for that error message aren't yielding any helpful clues.

I'm sure I'm missing something simple... is anyone able to assist?

Last edited by boak (2013-02-04 12:20:04)


#2 2013-02-04 14:06:04

boak
Member
Registered: 2013-01-17
Posts: 13

Re: Can't get Kerberos authentication working in Squid

I worked out what was wrong. The problem was with krb5.conf: I had specified enctypes twice instead of commenting out either the Windows 2003 or Windows 2008 section. Once I commented out the 2003 section (my domain is 2008), Kerberos authentication began working.

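The root cause reported in post #2 is a krb5.conf in which the enctype relations were set twice, once in a "Windows 2003" block and once in a "Windows 2008" block, and post #1 shows how much else (keytab, KRB5_KTNAME, permissions, kinit) was verified before that was noticed. The checker below is an added example, not code from this thread, from Squid, or from MIT Kerberos: it parses a krb5.conf body and reports any relation that is set more than once within a single section, which is exactly the mistake the thread describes. The sample config is constructed for the example (modelled on the two enctype blocks mentioned in the thread, not the poster's actual file), and the parser assumes plain krb5.conf syntax: `[section]` headers, `name = value` relations, `{ }` groups, and `#`/`;` comment lines. Treating `kdc` and `master_kdc` as the only relations that may legitimately repeat is also an assumption of this example.

```python
"""Flag krb5.conf relations that are defined more than once in one section.

Added example for the Squid/Kerberos thread; not code from Squid or MIT krb5.
Assumes plain krb5.conf syntax: [section] headers, "name = value" relations,
"name = {" ... "}" groups, and comment lines starting with '#' or ';'.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\[(\w+)\]$")
RELATION_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*=\s*(.*)$")

# Relations that may appear more than once on purpose (several KDCs per realm).
# Assumption of this example; extend if your site uses other repeatable keys.
REPEATABLE = {"kdc", "master_kdc"}

# Constructed sample: both the "Windows 2003" and the "Windows 2008" enctype
# blocks are active at once, the mistake described in the thread.
BROKEN_KRB5_CONF = """\
[libdefaults]
    default_realm = TEST.LOCAL
    dns_lookup_kdc = no
    dns_lookup_realm = no
    ; Windows 2003
    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    ; Windows 2008 with AES
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    TEST.LOCAL = {
        kdc = dc1.test.local
        kdc = dc2.test.local
        admin_server = dc1.test.local
    }

[domain_realm]
    .test.local = TEST.LOCAL
    test.local = TEST.LOCAL
"""


def parse_relations(text):
    """Return {section_path: {name: [value, ...]}} for a krb5.conf body.

    section_path is "section" or "section/group[/subgroup]" for relations
    inside "name = { ... }" blocks, e.g. "realms/TEST.LOCAL".
    """
    relations = defaultdict(lambda: defaultdict(list))
    section = None
    group_stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        m = SECTION_RE.match(line)
        if m:
            section, group_stack = m.group(1), []
            continue
        if line == "}":                   # end of a "{ ... }" group
            if group_stack:
                group_stack.pop()
            continue
        m = RELATION_RE.match(line)
        if not m or section is None:
            continue                      # unrecognised line or no section yet
        name, value = m.group(1), m.group(2).strip()
        if value == "{":                  # start of a nested group
            group_stack.append(name)
            continue
        relations["/".join([section] + group_stack)][name].append(value)
    return relations


def find_duplicates(text):
    """Return [(section_path, name, [values...])] for relations set more than once."""
    return [
        (path, name, values)
        for path, rels in parse_relations(text).items()
        for name, values in rels.items()
        if len(values) > 1 and name not in REPEATABLE
    ]


def comment_out(text, needle):
    """Prefix every uncommented line containing `needle` with ';' (the manual fix)."""
    out = []
    for line in text.splitlines():
        if needle in line and not line.lstrip().startswith((";", "#")):
            out.append("; " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# The fix from the thread: disable the Windows 2003 block on a 2008 domain.
FIXED_KRB5_CONF = comment_out(BROKEN_KRB5_CONF, "= rc4-hmac des-cbc-crc des-cbc-md5")

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        dups = find_duplicates(conf)
        print(f"{label}: {len(dups)} duplicated relation(s)")
        for path, name, values in dups:
            print(f"  [{path}] {name} set {len(values)} times: {values}")
```

To check a live file, pass `open("/etc/krb5.conf").read()` to `find_duplicates`. The checker only reports; which value libkrb5 ends up using for a duplicated relation is not something this thread establishes, so treat any hit as a configuration error to resolve by hand, as the poster did by commenting out the block that does not match the domain's functional level.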
