Re: [squid-users] Re: squid 2.7 - problems with kerberos authentication

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 2 Sep 2009 22:33:56 +0100

This means your client does not use Kerberos but NTLM. Check that IE is
configured with the fqdn.

Regards
Markus

----- Original Message -----
From: "Дмитрий Нестеркин" <undelborg_at_gmail.com>
To: "Henrik Nordstrom" <henrik_at_henriknordstrom.net>
Cc: "Markus Moeller" <huaraz_at_moeller.plus.com>
Sent: Wednesday, September 02, 2009 12:36 PM
Subject: Re: [squid-users] Re: squid 2.7 - problems with kerberos
authentication

On 2 September 2009 at 14:32, Дмитрий Нестеркин
(undelborg_at_gmail.com) wrote:
>>> external_acl_type ldap_check ttl=1200 %LOGIN
>>> /usr/lib/squid/squid_ldap_group -R -b "dc=mydomain,dc=local" -f
>>> "(&(objectclass=user)(sAMAccountName=%v
>>> (memberof=cn=%a,ou=internet,dc=mydomain,dc=local))" -D
>>> "proxyuser_at_mydomain.local" -w "password" -K -d 192.168.100.42
>>
>> Do this work from the command line?
>>
>> If it's a AD server then basic bind without TLS is generally not allowed
>> (deemed insecure).
>>
>> The helper expects
>>
>> login group
>>
>> as input, and will respond with OK/ERR.
>>
>> But since there is no debug output from squid_ldap_group I suspect
>> squid_kerb_auth isn't happy with something.. But it's odd there is no
>> debug output from squid_kerb_auth either...
> Yes, it works from the command line! And I can't understand why not with
> squid.
>
> $ /usr/lib/squid/squid_ldap_group -R -b "dc=teliset,dc=local" -f
> "(&(objectclass=user)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=teliset,dc=local))"
> -D "proxyuser_at_teliset.local" -w "password" -K -d 192.168.100.42
> my_username inet_allow
> OK
>
I've updated the krb5-user package to the latest testing version. Now the cache
log contains squid_kerb_auth info:

2009/09/02 15:27:46| Ready to serve requests.
2009/09/02 15:27:46| Done reading /var/spool/squid swaplog (405 entries)
2009/09/02 15:27:46| Finished rebuilding storage from disk.
2009/09/02 15:27:46| 405 Entries scanned
2009/09/02 15:27:46| 0 Invalid entries.
2009/09/02 15:27:46| 0 With invalid flags.
2009/09/02 15:27:46| 405 Objects loaded.
2009/09/02 15:27:46| 0 Objects expired.
2009/09/02 15:27:46| 0 Objects cancelled.
2009/09/02 15:27:46| 0 Duplicate URLs purged.
2009/09/02 15:27:46| 0 Swapfile clashes avoided.
2009/09/02 15:27:46| Took 0.3 seconds (1453.0 objects/sec).
2009/09/02 15:27:46| Beginning Validation Procedure
2009/09/02 15:27:46| Completed Validation Procedure
2009/09/02 15:27:46| Validated 405 Entries
2009/09/02 15:27:46| store_swap_size = 4052k
2009/09/02 15:27:46| storeLateRelease: released 0 objects
2009/09/02 15:32:48| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2009/09/02 15:32:48| squid_kerb_auth: received type 1 NTLM token
2009/09/02 15:32:50| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2009/09/02 15:32:50| squid_kerb_auth: received type 1 NTLM token
2009/09/02 15:32:50| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2009/09/02 15:32:50| squid_kerb_auth: received type 1 NTLM token
2009/09/02 15:32:51| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2009/09/02 15:32:51| squid_kerb_auth: received type 1 NTLM token
Received on Wed Sep 02 2009 - 21:48:06 MDT
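The cache.log lines above show why Markus concludes the browser is doing NTLM rather than Kerberos: the token squid hands to squid_kerb_auth (the base64 after the `YR` prefix; later legs use `KK`) starts with `TlRMTVNTUAAB`, which is base64 for the `NTLMSSP\0` signature followed by message type 1. A Kerberos or SPNEGO token would instead begin with a DER `0x60` GSS-API header and a mechanism OID. The script below is an added example, not code from the thread or from Squid: it pulls the token out of a helper log line and reports which mechanism the client actually negotiated, plus the flags and the OS version a type 1 NTLM message advertises. The sample log line is the wrapped entry from the thread joined back into one line; the SPNEGO and Kerberos tokens in the test are constructed, minimal headers used only to show the classification branch.

```python
import base64
import re
import struct

# Constructed from the helper output quoted in the thread: the wrapped
# cache.log entry joined back into a single line.
SAMPLE_LOG_LINE = (
    "2009/09/02 15:32:48| squid_kerb_auth: Got 'YR "
    "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59)."
)

# DER-encoded mechanism OIDs a GSS-API InitialContextToken (tag 0x60) can carry.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2

# Constructed, minimal SPNEGO token: 0x60, length, SPNEGO OID, empty [0] element.
CONSTRUCTED_SPNEGO_TOKEN = bytes.fromhex("600a06062b0601050502a000")

# A subset of NTLM negotiate flags (MS-NLMP) that are useful when triaging.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000200: "NEGOTIATE_NTLM",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
}

# squid_kerb_auth logs the token as: Got 'YR <base64>' from squid (length: N).
TOKEN_RE = re.compile(r"Got '(YR|KK) ([A-Za-z0-9+/=]+)'")


def token_from_log_line(line):
    """Return the base64 token from a squid_kerb_auth log line, or None."""
    m = TOKEN_RE.search(line)
    return m.group(2) if m else None


def der_skip_length(buf, pos):
    """Return the index just past the DER length field that starts at pos."""
    first = buf[pos]
    if first < 0x80:          # short form: one byte holds the length
        return pos + 1
    return pos + 1 + (first & 0x7F)   # long form: low bits give byte count


def classify_raw(raw):
    """Classify a decoded Negotiate token by its leading bytes."""
    info = {"bytes": len(raw)}
    if raw.startswith(b"NTLMSSP\x00"):
        info["mechanism"] = "NTLMSSP"
        info["message_type"] = struct.unpack_from("<I", raw, 8)[0]
        if info["message_type"] == 1 and len(raw) >= 16:
            flags = struct.unpack_from("<I", raw, 12)[0]
            info["flags"] = [name for bit, name in NTLM_FLAGS.items() if flags & bit]
            # With NEGOTIATE_VERSION set, bytes 32..39 carry the client's OS version.
            if flags & 0x02000000 and len(raw) >= 40:
                major, minor, build = struct.unpack_from("<BBH", raw, 32)
                info["client_os"] = f"{major}.{minor} build {build}"
        return info
    if raw[:1] == b"\x60":
        body = der_skip_length(raw, 1)
        if raw[body:].startswith(SPNEGO_OID):
            info["mechanism"] = "SPNEGO"
        elif raw[body:].startswith(KRB5_OID):
            info["mechanism"] = "KRB5"
        else:
            info["mechanism"] = "GSSAPI-unknown"
        return info
    info["mechanism"] = "unknown"
    return info


def classify_token(b64):
    """Decode a base64 token as logged by the helper and classify it."""
    return classify_raw(base64.b64decode(b64))


if __name__ == "__main__":
    token = token_from_log_line(SAMPLE_LOG_LINE)
    print(classify_token(token))
```

Run against the thread's log line this reports `NTLMSSP` message type 1 with `NEGOTIATE_NTLM` set and a client OS of 5.1 build 2600, which is exactly the symptom Markus describes: the proxy name the browser uses does not match a Kerberos SPN it can get a ticket for, so it falls back to NTLM inside the Negotiate header. Seeing `SPNEGO` or `KRB5` here after fixing the client-side proxy FQDN is the quick confirmation that Kerberos is actually in use.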