Description of problem:
squid in RHEL5.3 can't provide single-sign-on authentication via Kerberos, as negotiate authentication is not enabled.

Version-Release number of selected component (if applicable):
squid-2.6.STABLE21-3.el5

How reproducible:
Always

Steps to Reproduce:
1. Install squid
2. Compile squid_auth_kerb
3. Add the following to squid.conf:
auth_param negotiate program /usr/lib/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

Actual results:
# /etc/init.d/squid restart
Stopping squid: 2009/08/07 17:22:46| Parsing Config File: Unknown authentication scheme 'negotiate'.
2009/08/07 17:22:46| Parsing Config File: Unknown authentication scheme 'negotiate'.
2009/08/07 17:22:46| Parsing Config File: Unknown authentication scheme 'negotiate'.

Expected results:
Squid should start, and assuming all other conditions are satisfied, transparently authenticated access control should be possible.

Additional info:
This was enabled for Fedora 8 and 10 in bug #445337, but should be available in RHEL5.

Created attachment 362517
Proposed patch against squid.spec

Proposed naive patch against squid.spec that enables negotiate support.

The option within the squid configuration was enabled and thus is supported now. Nevertheless, we are not able to verify it; we are still getting authentication failures. The environment was set up on a Kerberos-enabled system with the keytab (with HTTP/$HOSTNAME principals) properly exported and with ownership and permissions set. These settings were used:

auth_param negotiate program /usr/<lib_pth>/squid/squid_kerb_auth -d
auth_param negotiate children 5
auth_param negotiate keep_alive on

This defines the helper for authentication. Then squid.conf should contain the necessary acl:

...
acl auth proxy_auth REQUIRED
...
http_access deny !auth
http_access allow auth

Can you please test it in your environment and, if you are using a different setup, post your configuration files?

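
The failure from the original report and the configuration from the comment above can both be checked before restarting squid. The script below is an added example, not part of the bug report or of Squid itself; it assumes `squid -v` prints the build's configure options with the scheme list in `--enable-auth=`, and its sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumption: `squid -v` prints the
# build's configure options and the scheme list is given by --enable-auth=...

# Succeeds if the `squid -v` text in $1 lists "negotiate" under --enable-auth.
build_has_negotiate() {
    printf '%s\n' "$1" |
        sed -n "s/.*--enable-auth=\([^'\"]*\).*/\1/p" |
        tr ', ' '\n\n' | grep -qx 'negotiate'
}

# Reads squid.conf on stdin; prints one line per problem, nothing if consistent.
conf_findings() {
    # Drop comments and blank lines so commented-out directives do not count.
    active=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d')
    helper=$(printf '%s\n' "$active" | awk \
        '$1=="auth_param" && $2=="negotiate" && $3=="program" {print $4; exit}')
    if [ -z "$helper" ]; then
        echo "no 'auth_param negotiate program' line"
    elif [ ! -x "$helper" ]; then
        echo "helper missing or not executable: $helper"
    fi
    acl=$(printf '%s\n' "$active" | awk '$1=="acl" && $3=="proxy_auth" {print $2; exit}')
    if [ -z "$acl" ]; then
        echo "no proxy_auth acl, so nothing forces authentication"
    else
        printf '%s\n' "$active" | awk -v want="!$acl" \
            '$1=="http_access" && $2=="deny" && $3==want {ok=1} END {exit !ok}' ||
            echo "no 'http_access deny !$acl' rule"
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_OLD_BUILD="configure options: '--enable-auth=basic,digest,ntlm'"
SAMPLE_NEW_BUILD="configure options: '--enable-auth=basic,digest,ntlm,negotiate'"
SAMPLE_CONF='auth_param negotiate program /usr/lib/squid/squid_kerb_auth
auth_param negotiate children 10
acl auth proxy_auth REQUIRED
http_access allow auth'

for build in "$SAMPLE_OLD_BUILD" "$SAMPLE_NEW_BUILD"; do
    if build_has_negotiate "$build"; then echo "negotiate scheme: compiled in"
    else echo "negotiate scheme: missing (squid will reject auth_param negotiate)"; fi
done
printf '%s\n' "$SAMPLE_CONF" | conf_findings
# On a host: build_has_negotiate "$(squid -v)"; conf_findings < /etc/squid/squid.conf
```
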
@Buchan Milne Please grab the latest 5.5 Beta bits from RHN, test for the resolution of this request and report your results back here. Also, in the future, when reporting feature requests or defect reports it is critical that you escalate your issues through Red Hat Support.
~~ Attention Customers and Partners - RHEL 5.5 Beta is now available on RHN ~~ RHEL 5.5 Beta has been released! There should be a fix present in this release that addresses your request. Please test and report back results here, by March 3rd 2010 (2010-03-03) or sooner. Upon successful verification of this request, post your results and update the Verified field in Bugzilla with the appropriate value. If you encounter any issues while testing, please describe them and set this bug into NEED_INFO. If you encounter new defects or have additional patch(es) to request for inclusion, please clone this bug per each request and escalate through your support representative.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0221.html