Re: [squid-users] Problem with squid_kerb_auth

2011-01-19 Thread Rafal Zawierta
Ok, I'll try to focus on client side.

Now I've installed XP SP3 with IE8 and FF3.6 and there is the same problem.

"* Check that IE is configured to use Kerberos by reference."
How to check it?


In addition:
When I start IE on XP machine, with Wireshark I get:
KRB Error: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

R.


Re: [squid-users] Problem with squid_kerb_auth

2011-01-19 Thread Henrik Nordström
Thu 2011-01-20 at 01:26 +1300, Amos Jeffries wrote:

> As you can see the browser is sending an NTLM handshake instead of the 
> Kerberos token. The current Squid auth system does not support 
> Negotiate/NTLM, only Negotiate/Kerberos, but has no way to tell IE8 that.

Technically Squid does not care which SPNEGO (Negotiate scheme) method is
used, but squid_kerb_auth is Kerberos only.

In this case Negotiate/NTLM was used by the client (not to be confused
with bare NTLM).

Regards
Henrik



Re: [squid-users] Problem with squid_kerb_auth

2011-01-19 Thread Henrik Nordström
Wed 2011-01-19 at 13:12 +0100, Rafal Zawierta wrote:

> authenticateNegotiateHandleReply: Error validating user via Negotiate.
> Error returned 'BH received type 1 NTLM token'

That means the client selected NTLM, not Kerberos. The squid_kerb_auth
helper only supports Kerberos. To support NTLM you also need to
configure NTLM authentication support in Squid. The Negotiate scheme as
such on the wire supports any authentication method Windows SPNEGO
supports.

I can only guess why the client did not select Kerberos:
* It did not find the right Kerberos principal in the domain directory.
* It does not trust the requested proxy server for Kerberos authentication.
* Perhaps Kerberos auth failed somehow and it fell back to NTLM?

Regards
Henrik
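The helper's 'BH received type 1 NTLM token' reply comes from it finding an NTLMSSP message where it expected a Kerberos one. The following is an added diagnostic (my own code, not squid_kerb_auth's and not part of this thread) that makes the same distinction offline on a captured Proxy-Authorization header: it base64-decodes the Negotiate blob, checks for a bare NTLMSSP message, and otherwise reads the first OID in the SPNEGO mechTypes list, which is the mechanism the client actually used. The sample headers at the bottom are constructed with a minimal DER builder; the flag bytes and AP-REQ placeholder are made up and not real traffic.

```python
"""Classify what a client put in a Proxy-Authorization: Negotiate header.

Added diagnostic, not squid_kerb_auth's own code. Tells apart a Kerberos
token from an NTLM one so you can see whether a client fell back to NTLM.
"""
import base64

# DER encodings of the mechanism OIDs as they appear inside a GSS-API token
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
OID_KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MSKRB5 = bytes.fromhex("06092a864882f712010202")      # 1.2.840.48018.1.2.2 (MS variant)
MECHS = {"NTLM": OID_NTLMSSP, "Kerberos": OID_KRB5, "Kerberos (MS KRB5)": OID_MSKRB5}

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def ntlm_message_type(data: bytes) -> int:
    """NTLMSSP message type (1 = Negotiate, 2 = Challenge, 3 = Authenticate)."""
    return int.from_bytes(data[8:12], "little")


def classify_token(token: bytes) -> str:
    """Name the mechanism a decoded Negotiate token carries."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return f"bare NTLM (type {ntlm_message_type(token)})"
    # A GSS-API InitialContextToken is 0x60, a 1-3 byte length, then the OID.
    spnego_at = token.find(OID_SPNEGO, 0, 12)
    if spnego_at < 0:
        if OID_KRB5 in token[:16] or OID_MSKRB5 in token[:16]:
            return "Kerberos (raw GSS-API token, no SPNEGO wrapper)"
        return "unknown token format"
    body = token[spnego_at + len(OID_SPNEGO):]
    # NegTokenInit lists mechTypes in preference order; the first one is the
    # mechanism whose token is embedded as mechToken.
    found = sorted((body.find(oid), name) for name, oid in MECHS.items() if oid in body)
    if not found:
        return "SPNEGO with no recognised mechanism"
    _, first = found[0]
    if first == "NTLM":
        at = body.find(NTLMSSP_SIGNATURE)
        if at >= 0:
            return f"SPNEGO/NTLM (type {ntlm_message_type(body[at:])})"
        return "SPNEGO/NTLM"
    return f"SPNEGO/{first}"


def classify_negotiate_header(header_value: str) -> str:
    """Classify the value of a Proxy-Authorization / Authorization header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not a Negotiate header"
    return classify_token(base64.b64decode(b64))


# --- constructed sample tokens (minimal DER builder; not captured traffic) ---
def der(tag: int, body: bytes) -> bytes:
    """TLV-encode body under tag with a DER length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def neg_token_init(mech_oids, mech_token: bytes) -> bytes:
    """Build a SPNEGO NegTokenInit carrying mechTypes and one mechToken."""
    mech_types = der(0xA0, der(0x30, b"".join(mech_oids)))            # [0] mechTypes
    inner = der(0x30, mech_types + der(0xA2, der(0x04, mech_token)))  # [2] mechToken
    return der(0x60, OID_SPNEGO + der(0xA0, inner))                   # InitialContextToken


# Constructed NTLM type 1 message: signature, type, made-up flags, empty fields.
NTLM_TYPE1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + b"\x00" * 16
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(
    neg_token_init([OID_NTLMSSP], NTLM_TYPE1)).decode()
SAMPLE_BARE_NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()
# Constructed Kerberos mechToken: GSS wrapper around a placeholder, not a real AP-REQ.
KRB_AP_REQ_PLACEHOLDER = der(0x60, OID_MSKRB5 + b"\x01\x00" + b"<constructed AP-REQ bytes>")
SAMPLE_KRB_HEADER = "Negotiate " + base64.b64encode(
    neg_token_init([OID_MSKRB5, OID_KRB5], KRB_AP_REQ_PLACEHOLDER)).decode()

if __name__ == "__main__":
    for h in (SAMPLE_NTLM_HEADER, SAMPLE_BARE_NTLM_HEADER, SAMPLE_KRB_HEADER):
        print(classify_negotiate_header(h))
```

On a real capture, paste the header value from Wireshark or from Squid's debug output into classify_negotiate_header(); "SPNEGO/NTLM (type 1)" corresponds to the helper's BH message, while either Kerberos result means the client side is fine and the problem is in the keytab or the helper's service principal.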



Re: [squid-users] Problem with squid_kerb_auth

2011-01-19 Thread Amos Jeffries

On 20/01/11 01:12, Rafal Zawierta wrote:

> Hello,
>
> I'm trying to set up squid to auth against AD.
>
> AD is on 2008 server (but functionality level of 2003).
> Kerberos works fine, from linux machine (debian) kinit and klist and
> ktutil are all right. I also have created krb5.keytab and for my proxy
> user I have:
>
> ktutil:  rkt /etc/krb5.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------
>    1    2   HTTP/squid.pfsee@pfsee.net
>    2    2   HTTP/squid.pfsee@pfsee.net
>    3    2   HTTP/squid.pfsee@pfsee.net
>    4    2   HTTP/sq...@pfsee.net
>    5    2   HTTP/sq...@pfsee.net
>    6    2   HTTP/sq...@pfsee.net
> ktutil:  q
>
> squid - hostname of linux machine
> pfsee.net - my AD domain
>
> Squid3 cache.log (at startup)
> 2011/01/19 13:07:43| Process ID 1782
> 2011/01/19 13:07:43| With 65535 file descriptors available
> 2011/01/19 13:07:43| Initializing IP Cache...
> 2011/01/19 13:07:43| helperOpenServers: Starting 10/10
> 'squid_kerb_auth' processes
> (is it working now?)
>
> First try - IE8 from my AD server (2008R2).
> In LAN proxy settings I have: squid.pfsee.net
>
> When I try to open page, I get basic auth prompt (I really should
> not!) - and cache.log says:
> authenticateNegotiateHandleReply: Error validating user via Negotiate.
> Error returned 'BH received type 1 NTLM token'
>
> What is wrong? Problem is with squid and linux or on the win2k8
> machine (IE client side)?


As you can see the browser is sending an NTLM handshake instead of the 
Kerberos token. The current Squid auth system does not support 
Negotiate/NTLM, only Negotiate/Kerberos, but has no way to tell IE8 that.


* Check that you have all auth_param with Negotiate type first before 
other types of auth.


* Check that IE is configured to use Kerberos by reference.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4
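As an illustration of the auth_param ordering point above, here is a squid.conf fragment I have added for this thread; it is not configuration from the original poster. The helper path, the service principal and the fallback helper are placeholders to be replaced with the local ones. Squid emits its Proxy-Authenticate challenges in the order the schemes are configured, so the Negotiate lines have to come before any Basic or NTLM lines.

```conf
# Negotiate (Kerberos via squid_kerb_auth) first. -s names the service
# principal the helper accepts tickets for; it must match the keytab entry.
auth_param negotiate program /path/to/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Any fallback scheme only after Negotiate, otherwise IE picks the
# first challenge it sees and the user gets a Basic prompt.
auth_param basic program /path/to/basic_helper
auth_param basic children 5
auth_param basic realm Proxy

acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

The realm in the -s argument is written in upper case as Kerberos expects; a keytab principal whose realm does not match what the browser requests is one of the reasons the client never gets a ticket and quietly falls back to NTLM.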


[squid-users] Problem with squid_kerb_auth

2011-01-19 Thread Rafal Zawierta
Hello,

I'm trying to set up squid to auth against AD.

AD is on 2008 server (but functionality level of 2003).
Kerberos works fine, from linux machine (debian) kinit and klist and
ktutil are all right. I also have created krb5.keytab and for my proxy
user I have:

ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------
   1    2   HTTP/squid.pfsee@pfsee.net
   2    2   HTTP/squid.pfsee@pfsee.net
   3    2   HTTP/squid.pfsee@pfsee.net
   4    2   HTTP/sq...@pfsee.net
   5    2   HTTP/sq...@pfsee.net
   6    2   HTTP/sq...@pfsee.net
ktutil:  q

squid - hostname of linux machine
pfsee.net - my AD domain

Squid3 cache.log (at startup)
2011/01/19 13:07:43| Process ID 1782
2011/01/19 13:07:43| With 65535 file descriptors available
2011/01/19 13:07:43| Initializing IP Cache...
2011/01/19 13:07:43| helperOpenServers: Starting 10/10
'squid_kerb_auth' processes
(is it working now?)

First try - IE8 from my AD server (2008R2).
In LAN proxy settings I have: squid.pfsee.net

When I try to open page, I get basic auth prompt (I really should
not!) - and cache.log says:
authenticateNegotiateHandleReply: Error validating user via Negotiate.
Error returned 'BH received type 1 NTLM token'

What is wrong? Problem is with squid and linux or on the win2k8
machine (IE client side)?

Regards
R.