> -----Original Message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Amos Jeffries
> Sent: Wednesday, March 23, 2016 11:50 PM
> To: squid-us...@lists.squid-cache.org
> Cc: 819...@bugs.debian.org
> Subject: Re: [squid-users] Negotiate wrappter returns AF = on Debian Jessie
>
> "--helper-protocol=gss-spnego" configures Negotiate/Kerberos, not
> Negotiate/NTLM.
>
> For Negotiate/NTLM what you need is "--helper=squid-2.5-ntlmssp"
>
>
> Or, drop the wrapper helper entirely and just use:
>
> auth_param negotiate program /usr/bin/ntlm_auth \
> --helper-protocol=gss-spnego --domain=DOMAIN.LOCAL
>
> Amos

Oh. Thank you!
That does resolve the username issue in the logs.
I'm still a little confused as the proxy was behaving as if it was doing NTLM
anyway.
If I used the FQDN to reach the proxy, my username was
james_zuelow@DOMAIN.LOCAL as I would expect from a Kerberos authentication.
If I used the IP address to reach the proxy, my understanding is that Kerberos
would not work (since the principal now did not match), and I would fall back
to NTLM. And in that case my username was james_zuelow, as with plain NTLM.
And clients that could not do Kerberos at all such as non-domain Linux machines
could still authenticate with NTLM username/password.
So except for the log format issue, gss-spnego and squid-2.5-ntlmssp both seem
to work as I intended them to, with Kerberos primary and NTLM fallback.
Thanks again & Debian #819102 can be chalked up to user error.
James
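
An added example, not part of the thread or of Squid's code: to check which mechanism a client actually used under the Negotiate scheme, decode the token from its `Proxy-Authorization` header and look at the leading bytes. The function name and both sample tokens are constructed for illustration; the samples are truncated prefixes, not valid credentials.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"   # first 8 bytes of every NTLMSSP message
GSSAPI_TAG = b"\x60"                 # ASN.1 [APPLICATION 0], opens a GSS-API/SPNEGO token
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER of 1.2.840.113554.1.2.2
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER of 1.3.6.1.5.5.2

def classify_negotiate(header_value):
    """Return 'ntlm', 'kerberos', 'gssapi-other' or 'unknown' for a header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:               # binascii.Error is a subclass of ValueError
        return "unknown"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                # raw NTLMSSP carried under the Negotiate scheme
    if token[:1] == GSSAPI_TAG:
        if KRB5_OID in token:
            return "kerberos"        # GSS-API token naming the Kerberos 5 mechanism
        if NTLMSSP_SIGNATURE in token:
            return "ntlm"            # NTLMSSP wrapped inside SPNEGO
        return "gssapi-other"
    return "unknown"

def _header(raw):
    return "Negotiate " + base64.b64encode(raw).decode("ascii")

# Constructed samples: an NTLM type-1 style prefix and a SPNEGO prefix listing krb5.
SAMPLE_NTLM = _header(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 8)
SAMPLE_KRB5 = _header(GSSAPI_TAG + b"\x1f" + SPNEGO_OID
                      + bytes.fromhex("a0153013a011300f") + KRB5_OID + b"\x00" * 4)

if __name__ == "__main__":
    for name, value in (("ntlm sample", SAMPLE_NTLM), ("krb5 sample", SAMPLE_KRB5)):
        print(name, "->", classify_negotiate(value))
```

A result of `ntlm` for requests made to the proxy's IP address and `kerberos` for requests made to its FQDN would match the username formats described in the message above.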