
squid_kerb_auth (parseNegTokenInit failed with rc=102)



Hi all,

I am unable to do Kerberos authentication in my live environment, as opposed to the test environment where it was successful. My environment is Active Directory, single forest, multidomain, with each domain having multiple domain controllers.

SPN was created through:

msktutil -c -b "OU=UNIXOU" -s HTTP/squidlhr1.v.local -h squidlhr1.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/squidlhr1.v.local --server ldc-ms-dc2.v.local --verbose

Through ADSIEDIT & setspn tools the SPN is confirmed in the Active Directory.

My krb5.conf settings:
[libdefaults]
default_realm = MAILSERVER.V.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
default_keytab_name = /etc/krb5.keytab
; for windows 2003 encryption type configuration.
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
V.LOCAL = {
kdc = ldc-v-dc2.v.local
admin_server = ldc-v-dc2.v.local
}
MAILSERVER.V.LOCAL = {
kdc = ldc-ms-dc2.mailserver.v.local
admin_server = ldc-ms-dc2.mailserver.v.local
}
# BT.V.LOCAL = {
# kdc = dc.bt.v.local
# admin_server = dc.bt.v.local
#}
[domain_realm]
.linux.home = MAILSERVER.V.LOCAL
.v.local = V.LOCAL
v.local = V.LOCAL
.mailserver.v.local = MAILSERVER.V.LOCAL
mailserver.v.local = MAILSERVER.V.LOCAL
#.bt.v.local= BT.V.LOCAL
#bt.v.local = BT.V.LOCAL
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/kdc.log

I have tried this on multiple client computers but it does not seem to be working...
Below are the files for your reference.

Dump through Wireshark:
-------------------------

Hypertext Transfer Protocol
GET  http://www.google.com/  HTTP/1.1\r\n
Accept: */*\r\n
Accept-Language: en-us\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; AskTB5.5)\r\n
Accept-Encoding: gzip, deflate\r\n
Proxy-Connection: Keep-Alive\r\n
[truncated] Cookie: PREF=ID=dfcab88fe782b2f3:U=8cc1a776c84c55e1:TM=1273578259:LM=1273579194:S=ec2wG6BXReYHZvWe; NID=36=iQ9ZARYGAQQvkpoAjK1OHFtg7BF7IE9hh-E__mxd9S8cV8EcNVq_M_9qMHZPatpJiifFPpdWYqJMmTtBxuCdoQMknggCTHJKkJkNigy5I6kewAQTepVnZ0Pb
[truncated] Proxy-Authorization: Negotiate YIIFTwYGKwYBBQUCoIIFQzCCBT+gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBRUEggURYIIFDQYJKoZIhvcSAQICAQBuggT8MIIE+KADAgEFoQMCAQ6iBwMFACAAAACjggQVYYIEETCCBA2gAwIBBaEXGxVNQUlMU0VSVkVSLk1DQi5D
GSS-API Generic Security Service Application Program Interface
OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
SPNEGO
negTokenInit
mechTypes: 3 items
MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
mechToken: 6082050D06092A864886F71201020201006E8204FC308204...
krb5_blob: 6082050D06092A864886F71201020201006E8204FC308204...
KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
krb5_tok_id: KRB5_AP_REQ (0x0001)
Kerberos AP-REQ
Pvno: 5
MSG Type: AP-REQ (14)
Padding: 0
APOptions: 20000000 (Mutual required)
.0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
..1. .... .... .... .... .... .... .... = Mutual required: MUTUAL authentication is REQUIRED
Ticket
Tkt-vno: 5
Realm: MAILSERVER.V.LOCAL
Server Name (Service and Instance): HTTP/squidlhr1.v.local
Name-type: Service and Instance (2)
Name: HTTP
Name: squidlhr1.v.local
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 2
enc-part: 60082AD63370B0B25657BB713A74B080C21E261079263809...
Authenticator rc4-hmac
Encryption type: rc4-hmac (23)
Authenticator data: A7B9567AB0F52FD022CD130905ACD67DA268C8222AC6ED97...
Host: www.google.com\r\n
\r\n

Hypertext Transfer Protocol
HTTP/1.0 407 Proxy Authentication Required\r\n
Server: squid\r\n
Content-Type: text/html\r\n
Content-Length: 1295\r\n
Content length: 1295
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
Proxy-Authenticate: Negotiate\r\n
Proxy-Authenticate: Negotiate gss_acquire_cred()\r\n
GSS-API Generic Security Service Application Program Interface
[Malformed Packet: GSS-API]
Expert Info (Error/Malformed): Malformed Packet (Exception occurred)
Message: Malformed Packet (Exception occurred)
Severity level: Error
Group: Malformed
X-Cache: MISS from squidlhr1\r\n
X-Cache-Lookup: NONE from squidlhr1:8080\r\n
Via: 1.0 squidlhr1main:8080 (squid)\r\n
Connection: close\r\n
\r\n

squid_kerb_auth -d output:
---------------------------

'...' from squid (length: 1819).
GSS failure. Minor code may provide more information. No principal in keytab matches desired name

Please, your help is required.

regards,

Bilal


GIGO . Mon, 28 Jun 2010 00:57:52 -0700

Hi,

I think you might be interested in this thread:

http://www.squid-cache.org/mail-archive/squid-users/201006/0[..]

On Mon, 28 Jun 2010 07:57:38 +0000,
"GIGO ." <gigoz*******> wrote:

--
Emmanuel Lesouef


Emmanuel Lesouef Mon, 28 Jun 2010 01:34:19 -0700

I have read the thread advised by you; however, I don't think that it is related to my environment (Active Directory with parent & child domains having full two-way trust between each, with a single Squid server and not a cluster).

So I think that registering the SPN on a single domain should work. And as I said previously, in my test environments I have tested it many times and it works.

If you could explain in detail then I may get a better idea about what you mean.


regards,

Bilal



GIGO . Mon, 28 Jun 2010 03:21:22 -0700

Make sure the reverse DNS lookup of the proxy matches the expected
service name. This is one of the more common sources of confusion.

Also make sure you specify the right keytab to squid_kerb_auth and that
it's readable by your cache_effective_user.

Regards
Henrik


Henrik Nordstrom Mon, 28 Jun 2010 12:33:29 -0700

Make sure the Squid server's hostname matches squidlhr1.v.local. If not, use -s
HTTP/squidlhr1.v.local as an option to squid_kerb_auth.

Regards
Markus



Markus Moeller Mon, 28 Jun 2010 15:59:25 -0700
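The second Proxy-Authenticate header in the 407 above names the helper's failure point, gss_acquire_cred(), which is where squid_kerb_auth loads its own keytab entry rather than where it validates the client's token: the name it asked for (the -s value, or HTTP/ plus the host's canonical name when -s is absent) was not in the keytab, which is exactly what "No principal in keytab matches desired name" reports. The other half of that comparison is the SPN the client's ticket was actually issued for. Wireshark reads it off the Proxy-Authorization header; when all you have is the base64 blob that squid_kerb_auth -d writes into cache.log, the following Python script does the same decode. It is an added example written for this page, not code from squid_kerb_auth or from anyone in the thread. It needs no key material because it never touches the encrypted parts, and it feeds itself a token it constructs (with zero-byte cipher fields) so it runs offline; pass `ticket_principal()` a real header value and it returns the same fields. Realm names are case-sensitive in Kerberos, so the returned name@realm must appear character for character in `klist -k` output for the keytab.

```python
"""
Read the service principal out of a 'Proxy-Authorization: Negotiate <b64>'
value: SPNEGO NegTokenInit -> mechToken -> KRB_AP_REQ -> Ticket -> realm,
sname, etype, kvno. Only DER framing is parsed and enc-parts are never
decrypted, so no keytab or KDC is needed. Stdlib only.
"""
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def der(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload
def der_int(v):
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def tlv(buf, pos):
    """One TLV at pos -> (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length

def children(buf, start, end):
    pos = start
    while pos < end:
        tag, vs, ve, pos = tlv(buf, pos)
        yield tag, vs, ve

def ctx_fields(buf, start, end):
    """{n: offset of the element inside [n] EXPLICIT} for one SEQUENCE body."""
    return {tag & 0x1F: vs for tag, vs, _ in children(buf, start, end)}

def int_at(buf, pos):
    _, a, b, _ = tlv(buf, pos)
    return int.from_bytes(buf[a:b], "big", signed=True)

def ticket_principal(negotiate_b64):
    """Return {'sname', 'realm', 'etype', 'kvno'} for the ticket in the token."""
    tok = base64.b64decode(negotiate_b64)
    tag, vs, ve, _ = tlv(tok, 0)                        # [APPLICATION 0] InitialContextToken
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    _, a, b, pos = tlv(tok, vs)                         # thisMech OID
    if tok[a:b] != SPNEGO_OID:
        raise ValueError("not SPNEGO (a raw krb5 token is not handled here)")
    _, vs, ve, _ = tlv(tok, pos)                        # [0] negTokenInit
    _, vs, ve, _ = tlv(tok, vs)                         # NegTokenInit ::= SEQUENCE
    f = ctx_fields(tok, vs, ve)
    if 2 not in f:
        raise ValueError("no mechToken: the client sent no ticket")
    _, a, b, _ = tlv(tok, f[2])                         # [2] mechToken OCTET STRING
    mt = tok[a:b]
    _, vs, ve, _ = tlv(mt, 0)                           # inner [APPLICATION 0]
    _, a, b, pos = tlv(mt, vs)                          # krb5 or MS-krb5 OID
    if mt[a:b] not in (KRB5_OID, MS_KRB5_OID):
        raise ValueError("mechToken is not Kerberos (NTLMSSP fallback?)")
    if mt[pos:pos + 2] != b"\x01\x00":                  # TOK_ID KRB_AP_REQ: raw bytes, not a TLV
        raise ValueError("inner token is not KRB_AP_REQ")
    _, vs, ve, _ = tlv(mt, pos + 2)                     # [APPLICATION 14] AP-REQ
    _, vs, ve, _ = tlv(mt, vs)                          # SEQUENCE
    _, vs, ve, _ = tlv(mt, ctx_fields(mt, vs, ve)[3])   # [3] ticket = [APPLICATION 1]
    _, vs, ve, _ = tlv(mt, vs)                          # Ticket ::= SEQUENCE
    t = ctx_fields(mt, vs, ve)
    _, a, b, _ = tlv(mt, t[1])                          # [1] realm GeneralString
    realm = mt[a:b].decode()
    _, vs, ve, _ = tlv(mt, t[2])                        # [2] sname PrincipalName
    _, a, b, _ = tlv(mt, ctx_fields(mt, vs, ve)[1])     # [1] name-string SEQUENCE OF
    sname = "/".join(mt[x:y].decode() for _, x, y in children(mt, a, b))
    _, vs, ve, _ = tlv(mt, t[3])                        # [3] enc-part EncryptedData
    e = ctx_fields(mt, vs, ve)
    return {"sname": sname, "realm": realm, "etype": int_at(mt, e[0]),
            "kvno": int_at(mt, e[1]) if 1 in e else None}

def build_sample_token(service, host, realm, etype=23, kvno=2):
    """CONSTRUCTED input with the framing a Windows client sends; cipher fields
    are zero bytes, so it exercises the parser and nothing else."""
    gs = lambda s: der(0x1B, s.encode())                # GeneralString
    ctx = lambda n, p: der(0xA0 | n, p)                 # [n] EXPLICIT
    enc = der(0x30, ctx(0, der_int(etype)) + ctx(1, der_int(kvno)) + ctx(2, der(0x04, bytes(32))))
    sname = der(0x30, ctx(0, der_int(2)) + ctx(1, der(0x30, gs(service) + gs(host))))
    ticket = der(0x61, der(0x30, ctx(0, der_int(5)) + ctx(1, gs(realm)) + ctx(2, sname) + ctx(3, enc)))
    ap_req = der(0x6E, der(0x30, ctx(0, der_int(5)) + ctx(1, der_int(14))
                           + ctx(2, der(0x03, b"\x00\x20\x00\x00\x00"))    # ap-options: mutual-required
                           + ctx(3, ticket) + ctx(4, enc)))
    inner = der(0x60, der(0x06, KRB5_OID) + b"\x01\x00" + ap_req)
    neg = der(0x30, ctx(0, der(0x30, der(0x06, MS_KRB5_OID) + der(0x06, KRB5_OID)))
                  + ctx(2, der(0x04, inner)))
    return base64.b64encode(der(0x60, der(0x06, SPNEGO_OID) + ctx(0, neg))).decode()

if __name__ == "__main__":
    # Same names as the thread's first capture; the token itself is constructed.
    t = ticket_principal(build_sample_token("HTTP", "squidlhr1.v.local", "MAILSERVER.V.LOCAL"))
    print(f"ticket is for {t['sname']}@{t['realm']} (etype {t['etype']}, kvno {t['kvno']})")
```

A kvno that differs from the keytab's KVNO column, or an etype the keytab has no key for, fails later in gss_accept_sec_context with a different minor status; this decoder shows both values so that check can be made from the same capture.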



GIGO . Tue, 29 Jun 2010 10:23:33 -0700

Can you add the options -d -i to squid_kerb_auth and squid_kerb_ldap to
create more debug output and send the cache.log extract?

Regards
Markus

news:SNT134-w34626D5C8EC65F9D8495B1B9CB0*******...

Hi Henrik/Markus/All

Every setting (keeping in view your recommendation) was correct; I confirmed that
many times. Even I tried re-creating the SPN, but in vain. However, I
just realized that most of the users were required to log off and log in to
get authenticated through squid. I wonder why a user even with a valid TGT
was required to do that, as he should be able to get the TGS for every new
kerberized service???

Anyway, of the few users I tried only one was able to access it without
re-login. Bottom line is that it's working.

Now the authorization portion does not seem to be behaving properly; can you
please check the syntax for correctness before I probe further. I have
appended at the bottom my squid.conf portion relevant to this.

e.g. After the authorization a few of the clients were showing this, whether in
the group or not:
--------------------------------------------------------------
           Internet explorer cannot display the webpage
           what you can try:
           Diagnose connection problems
           More Info
--------------------------------------------------------------

Further, I think IE7 (and later) and Firefox 3.6.x and above support
Kerberos. Am I right? Is there any special configuration required on the
client side (other than the proxy settings)?

#After allowing IP based clients and the access controls related to them.
http_access allow ipbc
# Part 2 Authentication/Authorization
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
# basic auth ACL controls to make use of it are (if and only if
# squid_kerb_ldap (authorization) is not used)
#acl auth proxy_auth REQUIR ED
#http_access deny !auth
#http_access allow auth
#Groups from Mailserver Domain:
external_acl_type squid_kerb_ldap_ms_group1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR1*******
external_acl_type squid_kerb_ldap_ms_group2 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR2*******
external_acl_type squid_kerb_ldap_ms_group3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR3*******
acl ms_group1 external squid_kerb_ldap_ms_group1
acl ms_group2 external squid_kerb_ldap_ms_group2
acl ms_group3 external squid_kerb_ldap_ms_group3
http_access deny  ms_group2 msnd
http_access deny  ms_group3 msnd
http_access deny  ms_group2 msn
http_access deny  ms_group3 msn
http_access deny  ms_group2 msn1
http_access deny  ms_group3 msn1
http_access deny  ms_group2 numeric_IPs
http_access deny  ms_group3 numeric_IPs
http_access deny  ms_group2 Skype_UA
http_access deny  ms_group3 Skype_UA
http_access deny  ms_group2 ym
http_access deny  ms_group3 ym
http_access deny  ms_group2 ymregex
http_access deny  ms_group3 ymregex
###----Most Restricted settings Exclusive for Normal users......###
http_access deny  ms_group3 Movies
http_access deny  ms_group3 MP3s
http_access deny  ms_group3 FTP
http_access deny  ms_group3 MP3url
http_reply_access deny ms_group3 deny_rep_mime_flashvideo
http_access deny  ms_group3 youtube_domains
http_access deny  ms_group3 facebook_sites
http_access deny  ms_group3 BIP
http_access deny  ms_group3 downloads
http_access deny  ms_group3 torrentSeeds
http_access deny  ms_group3 dlSites
##----- Time based ACLs--------------------
http_access deny  ms_group2 youtube_domains wh
http_access deny  ms_group2 BIP wh
http_access deny  ms_group2 facebook_sites wh
http_access allow ms_group1
http_access allow ms_group2
http_access allow ms_group3

http_access deny all

Squid version: squid 2.7 stable 9 on CENTOS 5.4 64 bit.



Markus Moeller Tue, 29 Jun 2010 15:39:19 -0700

The error message says it:

GSS failure. Minor code may provide more information. No such file or
directory

Which means you did not set the environment variable KRB5_KTNAME in the
startup script. See http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerb[..]

Regards
Markus

news:SNT134-w1253F4526C3CE839AEC160B9CC0*******...

Hi Markus/Henrik,

Below is the information for your reference. Now even the authentication
portion is not working at all for any single client. I have tried hard, recreating
the SPN using different accounts etc., but with no success. Please help.

1.-----------------------Output of cache.log----------------------------------
'squid_kerb_auth' processes
processes
processes
INETGRLHR1*******
MAILSERVER.v.local
INETGRLHR1*******
MAILSERVER.v.local
INETGRLHR1*******
MAILSERVER.v.local
INETGRLHR1*******
MAILSERVER.v.local
INETGRLHR1*******
MAILSERVER.v.local
INETGRLHR2*******
MAILSERVER.v.local
INETGRLHR2*******
MAILSERVER.v.local
processes
INETGRLHR2*******
MAILSERVER.v.local
INETGRLHR2*******
MAILSERVER.v.local
INETGRLHR3*******
MAILSERVER.v.local
INETGRLHR2*******
MAILSERVER.v.local
INETGRLHR3*******
MAILSERVER.v.local
INETGRLHR3*******
MAILSERVER.v.local
INETGRLHR3*******
MAILSERVER.v.local
INETGRLHR3*******
MAILSERVER.v.local
YIIFXwYGKwYBBQUCoIIFUzCCBU+gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBSUEggUhYIIFHQYJKoZIhvcSAQICAQBuggUMMIIFCKADAgEFoQMCAQ6iBwMFACAAAACjggQlYYIEITCCBB2gAwIBBaEXGxVNQUlMU0VSVkVSLk1DQi5DT00uUEuiMjAwoAMCAQKhKTAnGwRIVFRQGx9zcXVpZGxocjEubWFpbHNlcnZlci5tY2IuY29tLnBro4IDxzCCA8OgAwIBF6EDAgECooIDtQSCA7E6xFAU7tV+87z/uGC3I2o/u8IWx1hZr4ZoH/ePUXC6NcjhSFxnzR5f5shMtNH6rycrqToIYceyfJc9PqEt7o2mvi7Q6yEYEidruuEJBHEbOWpDtR928ej30EABy2p5bktDEY6/BvATUkCkXgzpytnCwkVPLwF8CYsyrjSTk8tAjqz7HZYQeV5M3l8MHxj6aJdEAAcSPjJKUQaipWt7/5HXAGyte6uQea18n+kmv6yEuXHc8uLQeX1Quh9QHQsfvueJrFccLkAsNK+GcpfYeTT71tJk4Jxrk0RPBDbEhCl35uU2G+f8tQkNxKieRfUIWGwrEktk8Wt6tDYk19bYR7oYR/e+A3qKtc4563iEnocJgFJnFkX2PTM9Q+357tFpUqp4SxcErpuxQXOjzmGMsUBFZaWCVG8IKitgN5QKYHFXqUwaUrXEKvnc4EDOvsqZ5H/hsKHJJGR6sY0isToBBHHPic1R/bnsf2DfTw2ptftMKaRX3gXKBahSVHKOx9eN2kgMYbRS2bHHXYPvXl/JVKF6NsnQRmC24StCY2NfdADc/1vhtGPpl2vaFM6HdMaaNwjiWubZ9//DXgYKJtjP+jKla+KB3w/Xuz3yZPvDzSmBFmlfSnO0bpc841oiz1hX17bwzq3Pvbjg6M8VzDfP7WFGhxtxUcNxh/Rzjxc1RjGVlDzX4M4EoQGycSw/OzowBOlrn4xUaNQzjPOgezEL04StbEMxcKltN1xHTSYs9mcpa8g3rXRds6Z02qASW5p24wDSnkJfa3TWzIZipYO3n5yoog+jhqy8iOsbnyD4G08FYXwwXZHmI3E/F8wqGThpqpxjSC8WTzAr8swup0NjgZSb8NY2XVxixbqxYDaP6NdvMEZfGL+NLyynlyjWy+ke5/tDxJvEVKjqqrsyl47TtLEgxH9MhMJKm2QRgRvWJaMkvxni37BA1ouKDwfSRQs+D9SRVjTPnq4TxmQl79hEUyhtT4EZgtSqTqnPYbQevrox3fEjHq/7QLwaP2EOepINWdmo8pSerSPhvij4L7wdqKe9e5VAMoOXrSdQI1wbUVLyp/w8eosRMvs5sgZMZ4fNX4k7sd4Txj95/s52eoMERzBGEApk0ZQd2Q8trcDHamjK7AFBkHeFgqXEciDRlqgFaWrhpINXXKMdSgSbgv1UKzqGYcAqCM5rgLDbWsXQHt2eXxCUq27dGHgSvJIVD3cEsGPoF70/EirvxzhR0AIRxaR9aJ/EKeYHS8OVPoUm86vxgKGkgckwgcagAwIBF6KBvgSBu9MVxum4R6bwUDB+yGLvvr3rqAWJ90mScdcAHPEoLHR/piuUGdmxDDV5UfBShsmKtEwEWcIWbfVhBuAIL27otPGGZI6cy3wT4aNgfwKRxvl5VySdfogDk2kjEkigmJQsSLkkYqAGVW40JNJWj/sd9EuIKrjTQetwBEHjpfHUrx8ccXKGslYR8WHcXYEbZNUMGObeATqls9aZKThYvnANhOaa0BRkKjJNx1C/NtZqazEFhY03ctEDKeIySXg='
from squid (length: 1843).
GSS failure. Minor code may provide more information. No such file or
directory
YIIFXwYGKwYBBQUCoIIFUzCCBU+gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBSUEggUhYIIFHQYJKoZIhvcSAQICAQBuggUMMIIFCKADAgEFoQMCAQ6iBwMFACAAAACjggQlYYIEITCCBB2gAwIBBaEXGxVNQUlMU0VSVkVSLk1DQi5DT00uUEuiMjAwoAMCAQKhKTAnGwRIVFRQGx9zcXVpZGxocjEubWFpbHNlcnZlci5tY2IuY29tLnBro4IDxzCCA8OgAwIBF6EDAgECooIDtQSCA7E6xFAU7tV+87z/uGC3I2o/u8IWx1hZr4ZoH/ePUXC6NcjhSFxnzR5f5shMtNH6rycrqToIYceyfJc9PqEt7o2mvi7Q6yEYEidruuEJBHEbOWpDtR928ej30EABy2p5bktDEY6/BvATUkCkXgzpytnCwkVPLwF8CYsyrjSTk8tAjqz7HZYQeV5M3l8MHxj6aJdEAAcSPjJKUQaipWt7/5HXAGyte6uQea18n+kmv6yEuXHc8uLQeX1Quh9QHQsfvueJrFccLkAsNK+GcpfYeTT71tJk4Jxrk0RPBDbEhCl35uU2G+f8tQkNxKieRfUIWGwrEktk8Wt6tDYk19bYR7oYR/e+A3qKtc4563iEnocJgFJnFkX2PTM9Q+357tFpUqp4SxcErpuxQXOjzmGMsUBFZaWCVG8IKitgN5QKYHFXqUwaUrXEKvnc4EDOvsqZ5H/hsKHJJGR6sY0isToBBHHPic1R/bnsf2DfTw2ptftMKaRX3gXKBahSVHKOx9eN2kgMYbRS2bHHXYPvXl/JVKF6NsnQRmC24StCY2NfdADc/1vhtGPpl2vaFM6HdMaaNwjiWubZ9//DXgYKJtjP+jKla+KB3w/Xuz3yZPvDzSmBFmlfSnO0bpc841oiz1hX17bwzq3Pvbjg6M8VzDfP7WFGhxtxUcNxh/Rzjxc1RjGVlDzX4M4EoQGycSw/OzowBOlrn4xUaNQzjPOgezEL04StbEMxcKltN1xHTSYs9mcpa8g3rXRds6Z02qASW5p24wDSnkJfa3TWzIZipYO3n5yoog+jhqy8iOsbnyD4G08FYXwwXZHmI3E/F8wqGThpqpxjSC8WTzAr8swup0NjgZSb8NY2XVxixbqxYDaP6NdvMEZfGL+NLyynlyjWy+ke5/tDxJvEVKjqqrsyl47TtLEgxH9MhMJKm2QRgRvWJaMkvxni37BA1ouKDwfSRQs+D9SRVjTPnq4TxmQl79hEUyhtT4EZgtSqTqnPYbQevrox3fEjHq/7QLwaP2EOepINWdmo8pSerSPhvij4L7wdqKe9e5VAMoOXrSdQI1wbUVLyp/w8eosRMvs5sgZMZ4fNX4k7sd4Txj95/s52eoMERzBGEApk0ZQd2Q8trcDHamjK7AFBkHeFgqXEciDRlqgFaWrhpINXXKMdSgSbgv1UKzqGYcAqCM5rgLDbWsXQHt2eXxCUq27dGHgSvJIVD3cEsGPoF70/EirvxzhR0AIRxaR9aJ/EKeYHS8OVPoUm86vxgKGkgckwgcagAwIBF6KBvgSBuzd/55NTV07Vjq7xFngCfgVnUjLrbR2KTIIBIL7XUrmtB0wFFrX3tRutT4CwZapATOjYoZj4lWgKH6vyDMzfikGoA3QIV6OZgixWyc7fGPsiXipU4Ad1xYcJHBwQl9QGwkMlg+dvX6BhM3ItFRaky/BEDKxS7s0W1Nznje9uPzx090aXoKWkOcbVEk2Sq6EeMQ0JMFtY77vV0tOc60o2LKhldvcbLEPakbmpko4auX/LNXidgofZ+MQbp0o='
from squid (length: 1843).
GSS failure. Minor code may provide more information. No such file or
directory

2.--------------------------hosts file-----------------------------------------------
[root@squidlhr1 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
#10.1.82.53 squidlhr1.mailserver.v.local squidlhr1

#Mailserver Domain:
10.1.82.201 ldc-ms-dc1.mailserver.v.local
10.1.82.202 ldc-ms-dc2.mailserver.v.local
10.25.88.163 kdc-ms-dc2.mailserver.v.local
10.25.88.162 kdc-ms-dc1.mailserver.v.local
10.32.11.11 isbitcdc03051.mailserver.v.local
10.32.11.10 isbitc-dc2.mailserver.v.local

::1 localhost6.localdomain6 localhost6

3.-------------------------host.conf-------------------------------------
[root*******
order bind,hosts

4.-------------------------network file-------------------------
[root@squidlhr1 ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=squidlhr1

5.------------------------nslookup-------------------------------
[root@squidlhr1 ~]# nslookup
Server: 10.1.82.204
Address: 10.1.82.204#53
Name: squidlhr1.mailserver.v.local
Address: 10.1.82.53
Server: 10.1.82.204
Address: 10.1.82.204#53
53.82.1.10.in-addr.arpa name = squidlhr1.mailserver.v.local.
Server: 10.1.82.204
Address: 10.1.82.204#53
Name: ldc-ms-dc2.mailserver.v.local
Address: 10.1.82.202

6--------------------------------------hostname----------------------------------------
[root@squidlhr1 ~]# hostname -s
squidlhr1
[root@squidlhr1 ~]# hostname -f
squidlhr1.mailserver.mcb.com.pk
[root@squidlhr1 ~]#

7-------------------------------------krb5.conf---------------------------------------
[libdefaults]
default_realm = MAILSERVER.v.local
dns_lookup_realm = true
dns_lookup_kdc = true
default_keytab_name = /etc/krb5.keytab
; for windows 2003 encryption type configuration.
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
v.local = {
kdc = ldc-mcb-dc2.v.local
admin_server = ldc-mcb-dc2.v.local
}
MAILSERVER.v.local = {
kdc = ldc-ms-dc2.mailserver.v.local
admin_server = ldc-ms-dc2.mailserver.v.local
}
# BT.v.local = {
# kdc = dc.bt.v.local
# admin_server = dc.bt.v.local
#}
[domain_realm]
.linux.home = MAILSERVER.v.local
.v.local = v.local
v.local = v.local
.mailserver.v.local = MAILSERVER.v.local
mailserver.v.local = MAILSERVER.v.local
#.bt.v.local = BT.v.local
#bt.v.local = BT.v.local
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/kdc.log

8.----------------------------------------squid.conf relevant portion--------------------------------
# Part 2 Authentication/Authorization
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth/squid_kerb_auth -d -i
auth_param negotiate children 10
auth_param negotiate keep_alive on
# basic auth ACL controls to make use of it are (if and only if
# squid_kerb_ldap (authorization) is not used)
#acl auth proxy_auth REQUIRED
#http_access deny !auth
#http_access allow auth
#Groups from Mailserver Domain:
external_acl_type squid_kerb_ldap_msgroup1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR1******* -i -d
external_acl_type squid_kerb_ldap_msgroup2 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR2******* -i -d
external_acl_type squid_kerb_ldap_msgroup3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR3******* -i -d
acl msgroup1 external squid_kerb_ldap_msgroup1
acl msgroup2 external squid_kerb_ldap_msgroup2
acl msgroup3 external squid_kerb_ldap_msgroup3

http_access deny msgroup2 msnd
http_access deny msgroup2 ym

###----Most Restricted settings Exclusive for Normal users......###
http_access deny msgroup3 Movies
http_access deny msgroup3 dlSites
http_access deny msgroup2 youtube_domains wh
http_access deny msgroup2 BIP wh

http_access allow msgroup1
http_access allow msgroup2
http_access allow msgroup3
http_access deny all

9---------------------klist---------------------------------------
[root@squidlhr1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: techadmin_ba*******
Valid starting     Expires            Service principal
06/30/10 15:25:06  07/01/10 01:24:49
krbtgt/MAILSERVER.v.local*******
        renew until 07/01/10 15:25:06
06/30/10 15:25:49  07/01/10 01:24:49  ldap/ldc-ms-dc2.mailserver.v.local@
        renew until 07/01/10 15:25:06
06/30/10 15:25:49  06/30/10 15:27:49  kadmin/changepw*******
        renew until 06/30/10 15:27:49

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/squidlhr1.mailserver.v.local*******(DES cbc mode with CRC-32)
   2 HTTP/squidlhr1.mailserver.v.local*******(DES cbc mode with RSA-MD5)
   2 HTTP/squidlhr1.mailserver.v.local*******(ArcFour with HMAC/md5)

10.-------------------------msktutil------------------------------------------------------
msktutil -c -b "OU=UNIXOU" -s HTTP/squidlhr1.mailserver.mcb.com.pk -h squidlhr1.v.local -k /etc/squid/HTTP.keytab --computer-name squidlhr-http --upn HTTP/squidlhr1.mailserver.v.local --server ldc-ms-dc2.v.local --verbose

Please help me out, as I have tried but not yet got a clue about it. Will be thankful.
regards,
Bilal



Markus Moeller Wed, 30 Jun 2010 12:49:33 -0700
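Markus's diagnosis above (the GSS minor status "No such file or directory" means the helper opened the wrong keytab because KRB5_KTNAME was not exported in the start-up script, so it fell back to the libdefaults default of /etc/krb5.keytab) and the earlier advice from Henrik and Markus (reverse DNS must agree with the expected name, the keytab must be readable by cache_effective_user, use -s when the hostname does not match) are the checks the following Python script runs offline. It is an added example written for this page, not part of Squid or any post in the thread. It works on values you collect by hand (the helper's KRB5_KTNAME environment, the keytab's mode and owner, `klist -k -e` output, `hostname -f`, the PTR record) so it is testable without a KDC or filesystem access; the sample inputs at the bottom are constructed to resemble the thread's, the squid uid/gid of 23 is made up, and the assumption that the helper asks for HTTP/<hostname -f> when -s is absent is stated in a comment. Each finding is reported next to the minor-status text it produces, and realm names are compared exactly because Kerberos realms are case-sensitive.

```python
"""
Offline pre-flight for the Squid side of Negotiate/Kerberos, covering the
checks raised in this thread: keytab path (KRB5_KTNAME), keytab readability
by cache_effective_user, forward/reverse DNS agreement, and whether the SPN
the helper will ask for is actually in the keytab. Inputs are plain values
collected by hand, so nothing here talks to DNS, a KDC or the filesystem.
"""
import re
import stat

# "   2 HTTP/host@REALM (ArcFour with HMAC/md5)" -> kvno, principal
KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+)")

def parse_klist_k(text):
    """{principal: kvno} from 'klist -k -e <keytab>' output. Wrapped enctype
    continuation lines (e.g. 'CRC-32)') do not start with a kvno and are skipped."""
    found = {}
    for line in text.splitlines():
        m = KLIST_ROW.match(line)
        if m and "@" in m.group(2):
            found[m.group(2)] = int(m.group(1))
    return found

def keytab_readable(mode, owner_uid, owner_gid, squid_uid, squid_gid):
    """Plain owner/group/other read check for the helper's uid/gid
    (supplementary groups and POSIX ACLs are ignored)."""
    if squid_uid == 0:
        return True
    if owner_uid == squid_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid == squid_gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def diagnose(env, keytab_files, klist_text, spn_override, fqdn, ptr_name, realm,
             squid_uid, squid_gid):
    """
    env          : helper environment, e.g. {"KRB5_KTNAME": "/etc/squid/HTTP.keytab"}
    keytab_files : {path: (mode, owner_uid, owner_gid)} for keytab files that exist
    klist_text   : 'klist -k -e' output of the keytab Squid is meant to use
    spn_override : the squid_kerb_auth -s value, or None
    fqdn/ptr_name: 'hostname -f' and the PTR record of the proxy's address
    Returns a list of findings, each naming the GSS minor-status text it causes.
    """
    findings = []
    path = env.get("KRB5_KTNAME", "/etc/krb5.keytab")   # libdefaults default_keytab_name
    if path not in keytab_files:
        findings.append(f"{path} does not exist: GSS minor 'No such file or directory' "
                        "(export KRB5_KTNAME in the Squid start-up script)")
    else:
        mode, uid, gid = keytab_files[path]
        if not keytab_readable(mode, uid, gid, squid_uid, squid_gid):
            findings.append(f"{path} is not readable by cache_effective_user "
                            f"(uid {squid_uid}, gid {squid_gid})")
    if ptr_name.rstrip(".").lower() != fqdn.lower():
        findings.append(f"reverse DNS says {ptr_name} but hostname -f says {fqdn}: "
                        "proxy and clients will disagree on the HTTP/ name")
    # Assumption: without -s the helper asks for HTTP/<hostname -f>. The realm
    # comparison is exact on purpose; Kerberos realm names are case-sensitive.
    wanted = f"{spn_override or 'HTTP/' + fqdn}@{realm}"
    have = parse_klist_k(klist_text)
    if wanted not in have:
        findings.append(f"{wanted} not in keytab {sorted(have)}: GSS minor "
                        "'No principal in keytab matches desired name'")
    return findings

if __name__ == "__main__":
    # Constructed inputs modelled on the thread (uid/gid 23 for the squid user is made up).
    KLIST = """Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/squidlhr1.mailserver.v.local@MAILSERVER.V.LOCAL (DES cbc mode with
CRC-32)
   2 HTTP/squidlhr1.mailserver.v.local@MAILSERVER.V.LOCAL (ArcFour with HMAC/md5)
"""
    files = {"/etc/squid/HTTP.keytab": (0o640, 0, 23)}   # root:squid, mode 0640
    host, ptr, realm = "squidlhr1.mailserver.v.local", "squidlhr1.mailserver.v.local.", "MAILSERVER.V.LOCAL"
    print("helper started without KRB5_KTNAME:")
    for f in diagnose({}, files, KLIST, None, host, ptr, realm, 23, 23):
        print("  -", f)
    print("with KRB5_KTNAME but -s HTTP/squidlhr1.v.local (the first capture's SPN):")
    for f in diagnose({"KRB5_KTNAME": "/etc/squid/HTTP.keytab"}, files, KLIST,
                      "HTTP/squidlhr1.v.local", host, ptr, realm, 23, 23):
        print("  -", f)
```

Run it against the real values from the host and fix findings top to bottom: the keytab path first, because until the helper can open the file nothing else is even attempted.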

Hi,

  From your log file I also see that squid_kerb_ldap is crashing. Can you
get the latest version, 1.2.1a? If you already have that version I would
need to debug it to find the reason for the crash in free().

Regards
Markus



Markus Moeller Wed, 30 Jun 2010 13:15:11 -0700

Hi

1)  1.2.1a is just a minor patch version to 1.2.1.
2)  This happens only when you use the -d debug option
3)  You can use the options  -u BIND_DN -p BIND_PW -b BIND_PATH -l LDAP_URL
4)  If they have different access needs then that is the only way. If they
have the same access right you can use -g
INETGRLHR1*******

Regards
Markus


Markus Moeller Thu, 01 Jul 2010 13:31:33 -0700

Hi,

Please, some more guidance is required. Can squid_kerb_ldap be used (alone) independently of calling squid_kerb_auth or any other helper?

If and only if it is a must to use both squid_kerb_auth & squid_kerb_ldap, then is it correct that we are not using the following directives?

acl auth proxy_auth REQUIRED #used
#http_access deny !auth # Not used
#http_access allow auth #not used

as instead LDAP based directives of the following form are used...

external_acl_type squid_kerb_ldap ttl=3600  negative_ttl=3600  %LOGIN /usr/sbin/squid_kerb_ldap -g GROUP@
acl ldap_group_check external squid_kerb_ldap
http_access allow ldap_group_check


thanking you
&
regards,

Bilal










GIGO . Mon, 05 Jul 2010 10:13:19 -0700

Hi

  squid_kerb_auth is not required for squid_kerb_ldap to work, but you have to
use -g GROUP and provide an LDAP URL, as squid_kerb_ldap won't be able to
"automagically" determine the LDAP server.

Regards
Markus



Markus Moeller Mon, 05 Jul 2010 11:35:18 -0700
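Bilal's question above (can squid_kerb_ldap run without squid_kerb_auth, and are `acl auth proxy_auth REQUIRED` and `http_access deny !auth` still needed?) and Markus's answers (-g GROUP plus an LDAP URL when there is no Kerberos context to find the domain controllers, the -u/-p/-b/-l options, one helper per group unless the groups share access rights) come together in the fragment below. It is an added example written for this page, not a configuration posted in the thread or shipped with Squid. It keeps the thread's helper paths, keytab path, group names and Squid 2.7 syntax; the GROUP@REALM form of the -g argument, the name of the squid user and the use of /etc/sysconfig/squid for the helper's environment are assumptions.

```conf
# --- Part 2: Authentication/Authorization (added example for this page) ---

# The helper finds its keytab through the environment, not through squid.conf.
# On this CentOS 5 host the init script sources /etc/sysconfig/squid (assumed),
# so put the following line there and make the file readable by the squid user:
#     export KRB5_KTNAME=/etc/squid/HTTP.keytab
# Without -s the helper asks for HTTP/<canonical hostname>; pinning the name to
# the keytab entry removes the dependency on hostname -f and reverse DNS agreeing.
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth/squid_kerb_auth -s HTTP/squidlhr1.mailserver.v.local
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Authenticate before any group lookup. A %LOGIN external ACL triggers the 407
# challenge on its own, so this is not strictly required, but an explicit rule
# keeps unauthenticated clients away from the group helpers and documents intent.
acl auth proxy_auth REQUIRED
http_access deny !auth

# One helper per group because the groups get different access rights.
# -g takes GROUP@REALM (assumed form). With a Kerberos context the helper locates
# the domain's LDAP servers itself; otherwise add -l LDAP_URL (and -u/-p/-b for a bind).
external_acl_type ms_group1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR1@MAILSERVER.V.LOCAL
external_acl_type ms_group2 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR2@MAILSERVER.V.LOCAL
external_acl_type ms_group3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR3@MAILSERVER.V.LOCAL
acl ms_group1 external ms_group1
acl ms_group2 external ms_group2
acl ms_group3 external ms_group3

# Denies first (most restricted group first), then the allows, then the default
# deny. Each deny line is "group AND destination"; the destination ACLs
# (Movies, dlSites, youtube_domains, wh, ...) are defined elsewhere in squid.conf.
http_access deny ms_group3 Movies
http_access deny ms_group3 dlSites
http_access deny ms_group2 youtube_domains wh
http_access allow ms_group1
http_access allow ms_group2
http_access allow ms_group3
http_access deny all
```

A user who authenticates but is in none of the three groups falls through to `deny all`, which is the "cannot display the webpage" seen earlier in the thread; when that happens, the -d -i output of squid_kerb_ldap in cache.log shows which group lookups returned nothing and for which login name.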


