Re: [squid-users] Re: kerberos (AD) authentication - squid_kerb_auth

From: Mrvka Andreas <mrv_at_tuv.at>
Date: Wed, 26 Aug 2009 11:06:48 +0200

hi,

if you have made the wiki[...]/Kerberos guide through then you are close to
the goal.

it seems that your problem is only configuration error on client side.

since squid_kerb_auth is a MUST to configure the fqdn name of squid in the IE
settings.

at my place IE 7, IE 8 and FF 3.5 works great with squid_kerb_auth.

regards
Andrew

Am Mittwoch, 26. August 2009 00:35:01 schrieb Jeremy Monnet:
> On Tue, Aug 25, 2009 at 11:23 PM, Markus Moeller<huaraz_at_moeller.plus.com>
wrote:
> >> I a m trying to authenticate users through kerberos on a windows 2003
> >> server AD. Basically, I followed the klaubert tutorial [1], part on
> >> Negotiate/kerberos authentication.
> >
> > See also http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
> Of course I forgot this one, but I used it also.
>
> >> reason attempted to use NTLM. ", does this mean the web browser/gssapi
> >> or stuff on the client side is the problem ? Is there anything to do
> >> on the windows client machine to send just a standard kerberos ticket
> >> ?
> >
> > Possibly. It is important that the proxy you have configured is the fqdn
> > and that your web Browser supports negotiate proxy authentication (e.g IE
> > > 7 or Firefox)
>
> Trying on windows 7 with IE 8 and FF 3.5.
>
> >> And, last but not least, it seems we can start squid_kerb_auth from
> >> the command line in standalone (well, that's the way it works with
> >> squid), is there a way to use it to debug the situation ?
> >
> > Yes Just start it onthe command line and input YR <token> where <token>
> > is a base64 encoded token. There is a small test program
> > squid_kerb_auth_test.c at
> > http://squidkerbauth.cvs.sourceforge.net/viewvc/squidkerbauth/squid_kerb_
> >auth/ which you can run as follows:
> > kinit user_at_DOMAIN
> > ./squid_kerb_auth_test <proxy fqdn> 200 | ./squid_kerb_auth -d -s
> > HTTP/<proxy fqdn>
> >
> > This will create 200 authentication requests for testing.
>
> That will help me a lot ! Thank you very much for your answers !
>
> I'll post comments as soon as it works (or I get new questions).
>
> Regards,
>
> Jeremy
>
Received on Wed Aug 26 2009 - 09:06:57 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 26 2009 - 12:00:04 MDT