authenticateNegotiateHandleReply: Error validating user via Negotiate
COM =

Install Samba and Winbind:

    apt-get install samba winbind samba-common-bin

Edit /etc/samba/smb.conf:

    [global]
    workgroup = XYZ
    password server = domain.realm = XYZ.COM
    security = ads
    dns_lookup_realm = true
    dns_lookup_kdc = true
    idmap config * : backend = rid
    idmap config * : range = 2000-50000000
    template homedir = /home/%U
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = true

Restart samba & winbind.

Initiate a kerberos session to the server with administrator permissions to add objects to AD:

    kinit administrator
    Password for [email protected]

You can see if you successfully obtained a ticket with:

    klist

Now join the proxysrv to the domain.

squid_ldap_auth" lines from squid.conf, firefox fails to authenticate too). I dunno that I can nail it down to one specific fix.

I have followed this guide to install squid on debian on a vm on ESXi 4.1 Host: ...

output from klist:

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: [email protected]

Some of the things that I've done trying to fix it are:

1.

This is only the first step and I cannot get past it, the next is to add an external NIC, restrict squid to the internal NIC, setup reporting and setup firewall.

Thanks, Glenn

I have also modified the krb5file after the fact to try to see if this was the issue, I have tried the settings for both 20:

    default_realm = MYDOMAIN. AU
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc$
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc$
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-c$
    [realms]
    EXAMPLE.
    coredump_dir /var/spool/squid3
    cache_dir ufs /usr/local/squid/var/cache/squid 13926 16 256
    cache_effective_user proxy
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\? 0 20% 4320

As at 5 pm localtime yesterday I sort of got it sort of working.
This is not completely necessary but is useful to ensure msktutil works as expected.

    msktutil --auto-update --verbose --computer-name proxysrv-http --server com -s HTTP/com -k /etc/squid3/PROXY.keytab

Add the following to cron so that it automatically updates the computer account in Active Directory when it expires.

    net ads join -U Administrator
    Enter Administrator's password:
    Using short domain name -- XYZ
    Joined 'PROXYSRV' to realm 'xyz.com'

Restart samba and winbind and test access to the domain:

    wbinfo -t
    checking the trust secret for domain XYZ via RPC calls succeeded

In DNS Server, ensure a new A record entry exists for the proxysrv server's hostname, and ensure a corresponding PTR entry is also created and works.
Ping an internal and an external hostname to ensure DNS is operating.