[squid-users] Squid > Kerberos authentication

2009-11-28 Thread Extra Fu
Hello,

I'm considering dropping the use of NTLM in favor of Kerberos
(auth_param negotiate) to authenticate users against my AD 2003
server. To do this, I would like to use the squid_kerb_auth program.

Prior to starting my work on this, I was wondering what would happen for
users not currently logged in on my domain controller (i.e., users not
having a valid Kerberos ticket) - for example, users at home or Mac OS
X / Linux users? From my readings, Safari 3/4, Firefox 2+, IE7/8 all
seem to support Kerberos authentication to a Squid proxy but for
clients, it's not clear to me (after reading RFC4559) what will happen
if no ticket is present when the user goes through the Squid proxy.

Will it just fail?

Thanks for any light you can shine on this.

Best regards,


[squid-users] Squid Kerberos Authentication

2011-07-14 Thread Daniel Faulknor
Hi,

I've followed the
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
howto, and I am now getting this error in my cache.log

2011/07/15 12:13:45| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/07/15 12:13:45| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2011/07/15 12:13:54| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABl4II4gAGAbEdDw==' from squid (length: 59).
2011/07/15 12:13:54| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABl4II4gAGAbEdDw==' (decoded length: 40).
2011/07/15 12:13:54| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/07/15 12:13:54| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

This happens both when trying to access via the proxy using IE/Chrome/Firefox.

None of my googling has presented a solution.

Thanks


Re: [squid-users] Squid > Kerberos authentication

2009-11-29 Thread Malte Schröder
On Sat, 28 Nov 2009 17:44:40 -0500
Extra Fu wrote:

> Hello,
> 
> I'm considering dropping the use of NTLM in favor of Kerberos
> (auth_param negotiate) to authenticate users against my AD 2003
> server. To do this, I would like to use the squid_kerb_auth program.
> 
> Prior to starting my work on this, I was wondering what would happen for
> users not currently logged in on my domain controller (i.e., users not
> having a valid Kerberos ticket) - for example, users at home or Mac OS
> X / Linux users? From my readings, Safari 3/4, Firefox 2+, IE7/8 all
> seem to support Kerberos authentication to a Squid proxy but for
> clients, it's not clear to me (after reading RFC4559) what will happen
> if no ticket is present when the user goes through the Squid proxy.
> 
> Will it just fail?
> 
> Thanks for any light you can shine on this.
> 
> Best regards,
> 

Hi,
At least on Linux it is possible to obtain a valid ticket with the
kinit command. If you want to integrate it further you should take a
look at the Kerberos PAM module (libpam-krb5 on Debian).

Firefox is then able to use Kerberos to authenticate to Squid. I use
this kind of setup in a productive environment.

Regards
-- 
---
Malte Schröder
malte...@gmx.de
---





Re: [squid-users] Squid > Kerberos authentication

2009-11-29 Thread Extra Fu
Hello Malte,

First of all, thanks for your prompt reply.

> At least on Linux it is possible to obtain a valid ticket with the
> kinit command. If you want to integrate it further you should take a
> look at the Kerberos PAM module (libpam-krb5 on Debian).
>
> Firefox is then able to use Kerberos to authenticate to Squid. I use
> this kind of setup in a productive environment.

Yep, that's what I thought.

In any case, if the ticket has to be present for things to work (which
is normal), what are the options for Windows users (not logged in on
the domain)? In my case, the real use of the Squid proxy is for users
outside of my network, for letting them access resources for which
their access is limited to my local network (think of a library
proxy).

Since we can't have encryption between the browser and the Squid
proxy, the most secure authentication mechanism has to be used... of
course users could just use the VPN server, but that's another story
:-/

Thanks,


Re: [squid-users] Squid Kerberos Authentication

2011-07-14 Thread Amos Jeffries

On 15/07/11 13:47, Daniel Faulknor wrote:

> Hi,
>
> I've followed the
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
> howto, and I am now getting this error in my cache.log
>
> 2011/07/15 12:13:45| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2011/07/15 12:13:45| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
> 2011/07/15 12:13:54| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABl4II4gAGAbEdDw==' from squid (length: 59).
> 2011/07/15 12:13:54| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABl4II4gAGAbEdDw==' (decoded length: 40).
> 2011/07/15 12:13:54| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2011/07/15 12:13:54| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
>
> This happens both when trying to access via the proxy using IE/Chrome/Firefox.
>
> None of my googling has presented a solution.
>
> Thanks


Squid is offering Negotiate/Kerberos auth and the agents are responding 
with NTLM or Negotiate/NTLM.


Markus Moeller wrote a negotiate_wrapper helper that works nicely to 
cope with Negotiate/NTLM responses. There is nothing we can do about the 
other broken agents which return plain NTLM though.


The wrapper helper can be found at:
  http://sourceforge.net/projects/squidkerbauth/files/

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.9


[squid-users] Squid Kerberos authentication error

2012-06-24 Thread Navas
Hi,
I am trying to set up squid to authenticate against AD with Kerberos as per the
following document:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

but I am getting the following error in the cache log:

authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. Unknown error'

Your kind help is appreciated.

thanks,

abusam