
I use squid on RHEL6 and I want authentication to go through AD (Windows 2008). I have already joined the server to the Windows domain and all users are already seen by wbinfo -u and wbinfo -g, but wbinfo -t shows the error below:

    $ wbinfo -t
    checking the trust secret for domain TELMA via RPC calls failed
    Could not check secret

I followed this tutorial https://www.dalemacartney.com/2012/0...nd-simple-way/ and all is fine; normally users on the domain should not be asked to authenticate, but when I configured the browser to point to the proxy it always requires authentication and shows the error below in /var/log/squid/cache.log:

    2014/07/31 15:47:07| squid_kerb_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Unknown error
    2014/07/31 15:47:07| squid_kerb_auth: INFO: User not authenticated
    2014/07/31 15:47:07| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Unknown error'

This command also gives the error below:

    $ kinit -V -k -t /etc/krb5.keytab
    Using default cache: /tmp/krb5cc_10084_H30tfi
    kinit: Cannot determine realm for host (principal host/rhel6test@)

Find below my squid.conf configuration:

    auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
    auth_param negotiate children 10
    auth_param negotiate keep_alive on

    http_access deny !ad_auth
    http_access allow ad_auth

Could someone help for this issue?

user3863795
  • Have you configured Kerberos? Sorry for the external link: http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos – c4f4t0r Aug 01 '14 at 09:30
  • Yes, find below my Kerberos config: [libdefaults] default_realm = DOMAINE.COM dns_lookup_realm = false dns_lookup_kdc = false default_keytab_name = FILE:/etc/krb5.keytab [realms] DOMAINE.COM = { kdc = tdcp02wp.domaine.com kdc = tdcp03wp.domaine.com kdc = tdcp01wp.domaine.com admin_server = tdcp02wp.domaine.com default_domain = domaine.com } [domain_realm] .domaine.com = DOMAINE.COM domaine.com = DOMAINE.COM [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } – user3863795 Aug 01 '14 at 12:34
  • I have already read this: wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos – user3863795 Aug 01 '14 at 12:38
  • If you use the kinit command, do you get the Kerberos ticket? – c4f4t0r Aug 01 '14 at 13:15
  • Find below the result of the command: $ kinit tsioritafita Password for tsioritafita@CORP.TELMA.MG: [ RHEL6TEST | root | 2014-08-01 16:22:42 | /root ] $ kinit -V -k -t /etc/squid/HTTP.keytab Using default cache: /tmp/krb5cc_10084_pN2aCW kinit: Cannot determine realm for host (principal host/rhel6test@) – user3863795 Aug 01 '14 at 13:25
  • Now use klist? – c4f4t0r Aug 01 '14 at 15:35
  • $ klist -ekt /etc/squid/squid.keytab Keytab name: WRFILE:/etc/squid/squid.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 3 07/31/14 10:46:22 RHEL6TEST$@CORP.TELMA.MG (arcfour-hmac) 3 07/31/14 10:46:22 RHEL6TEST$@CORP.TELMA.MG (aes128-cts-hmac-sha1-96) 3 07/31/14 10:46:22 RHEL6TEST$@CORP.TELMA.MG (aes256-cts-hmac-sha1-96) 3 07/31/14 10:46:22 host/rhel6test.corp.telma.mg@CORP.TELMA.MG (arcfour-hmac) – user3863795 Aug 04 '14 at 05:16
  • Hi guys, wbinfo -u and wbinfo -g don't work now; they were working after I joined the server to the domain. Please help. – user3863795 Aug 06 '14 at 12:01

1 Answer

Make sure reverse DNS lookup is properly configured for your domain as explained here.

If you run dig -x [domain_controller_ip] and you don't see your domain name in the "ANSWER SECTION", you will get "Unspecified GSS failure".

SMD
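An added helper script that automates the reverse-DNS check the answer describes; it is not part of the answer or of Squid. It pulls the kdc entries from a krb5.conf, resolves each, runs dig -x on the address, and verifies that the PTR answer lies inside the expected AD domain. The function names, the sample dig output and the domain names are constructed for this example.

```shell
#!/bin/sh
# Print the "kdc = ..." values from a krb5.conf file (assumed helper).
kdc_hosts() {
  awk -F= '$1 ~ /^[[:space:]]*kdc[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2 }' "$1"
}

# Read `dig -x <ip>` output on stdin; succeed only if the ANSWER SECTION holds a
# PTR record whose target is a host inside $1 (e.g. domaine.com).
ptr_in_domain() {
  awk -v dom="$1" '
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    in_ans && /^$/        { in_ans = 0 }
    in_ans && $4 == "PTR" { t = tolower($5); sub(/\.$/, "", t)
                            if (t ~ ("\\." dom "$")) found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# For every KDC in the config, resolve it and check its reverse record.
# Returns non-zero if any KDC has no PTR inside the domain (the condition the
# answer links to "Unspecified GSS failure").
check_kdcs_ptr() {
  conf="$1"; domain="$2"; rc=0
  for h in $(kdc_hosts "$conf"); do
    for ip in $(dig +short "$h"); do
      if dig -x "$ip" | ptr_in_domain "$domain"; then
        echo "OK   $h ($ip)"
      else
        echo "FAIL $h ($ip): no PTR inside $domain"; rc=1
      fi
    done
  done
  return $rc
}

# Constructed samples of dig -x output (not captured from a real server).
SAMPLE_GOOD=';; ANSWER SECTION:
1.0.0.10.in-addr.arpa.	3600	IN	PTR	tdcp02wp.domaine.com.

;; Query time: 1 msec'
SAMPLE_BAD=';; AUTHORITY SECTION:
0.0.10.in-addr.arpa.	3600	IN	SOA	ns.example.net. hostmaster.example.net. 1 2 3 4 5'

# Usage: sh check_ptr.sh --check /etc/krb5.conf domaine.com
if [ "${1:-}" = "--check" ]; then
  check_kdcs_ptr "$2" "$3"
fi
```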