On 20/01/11 01:12, Rafal Zawierta wrote:
Hello,I'm trying to set up squid to auth against AD. AD is on 2008 server (but functionality level of 2003). Kerberos works fine, from linux machine (debian) kinit and klist and kutil are all right. I also have created krb5.keytab and for my proxy user I have: ktutil: rkt /etc/krb5.keytab ktutil: l slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 2 HTTP/squid.pfsee....@pfsee.net 2 2 HTTP/squid.pfsee....@pfsee.net 3 2 HTTP/squid.pfsee....@pfsee.net 4 2 HTTP/sq...@pfsee.net 5 2 HTTP/sq...@pfsee.net 6 2 HTTP/sq...@pfsee.net ktutil: q squid - hostname of linux machine pfsee.net - my AD domain Squid3 cache.log (at startup) 2011/01/19 13:07:43| Process ID 1782 2011/01/19 13:07:43| With 65535 file descriptors available 2011/01/19 13:07:43| Initializing IP Cache... 2011/01/19 13:07:43| helperOpenServers: Starting 10/10 'squid_kerb_auth' processes (is it working now?) First try - IE8 from my AD server (2008R2). In Lan-Proxy i have: squid.pfsee.net When I try to open page, I get basic auth prompt (I really should not!) - and cache.log says: authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token' What is wrong? Problem is with squid and linux or on the win2k8 machine (IE client side)?
As you can see the browser is sending an NTLM handshake instead of the Kerberos token. The current Squid auth system does not support Negotiate/NTLM only Negotiate/Kerberos but has no way to tell IE8 that.
* Check that you have all auth_param with Negotiate type first before other types of auth.
* Check that IE is configured to use Kerberos by reference. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.10 Beta testers wanted for 3.2.0.4
