Re: [squid-users] Re: problems with kerberos authentication

From: Jose Lopes <jlopes_at_iportalmais.pt>
Date: Tue, 19 Jan 2010 11:06:29 +0000

Hi Markus,

I don't have that problem when I am using user@REALM.
I forgot to use @REALM.

Now I am trying with firefox and have the same problem that appears at
the topic "squid_kerb_auth problem".
I will reply to the topic "squid_kerb_auth problem".

Thanks
Jose

Markus Moeller wrote:
> Can you run squid_kerb_auth with -d and send me the output please ?
>
> Markus
>
>
> "Jose Lopes" <jlopes_at_iportalmais.pt> wrote in message
> news:4B545789.1090706_at_iportalmais.pt...
>> Hi,
>>
>> I'm trying to get the squid helper squid_kerb_auth to work against our
>> Active Directory (win 2003 r2).
>>
>> I'm using squid 3.0.STABLE14
>>
>> Squid Cache: Version 3.0.STABLE14
>> configure options: '--build=x86_64-mandriva-linux-gnu' '--prefix=/usr'
>> '--exec-prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin'
>> '--sysconfdir=/etc/squid' '--datadir=/usr/share'
>> '--includedir=/usr/include' '--libdir=/usr/lib64'
>> '--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
>> '--sharedstatedir=/usr/com' '--mandir=/usr/share/man'
>> '--infodir=/usr/share/info' '--x-includes=/usr/include'
>> '--x-libraries=/usr/lib64' '--enable-shared=yes' '--enable-static=no'
>> '--enable-xmalloc-statistics' '--enable-carp' '--enable-async-io'
>> '--enable-storeio=aufs,diskd,null,ufs'
>> '--enable-disk-io=AIO,Blocking,DiskDaemon,DiskThreads'
>> '--enable-removal-policies=heap,lru' '--enable-icmp'
>> '--enable-delay-pools' '--disable-esi' '--enable-icap-client'
>> '--enable-useragent-log' '--enable-referer-log' '--enable-wccp'
>> '--enable-wccpv2' '--disable-kill-parent-hack' '--enable-snmp'
>> '--enable-cachemgr-hostname=localhost' '--enable-arp-acl'
>> '--enable-htcp' '--enable-ssl' '--enable-forw-via-db'
>> '--enable-cache-digests' '--disable-poll' '--enable-epoll'
>> '--enable-linux-netfilter' '--disable-ident-lookups'
>> '--enable-default-hostsfile=/etc/hosts'
>> '--enable-auth=basic,digest,negotiate,ntlm'
>> '--enable-basic-auth-helpers=getpwnam,LDAP,MSNT,multi-domain-NTLM,NCSA,PAM,SMB,YP,SASL,POP3,DB,squid_radius_auth'
>>
>> '--enable-ntlm-auth-helpers=fakeauth,no_check,SMB'
>> '--enable-negotiate-auth-helpers=squid_kerb_auth'
>> '--enable-digest-auth-helpers=password,ldap,eDirectory'
>> '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
>>
>> '--with-default-user=squid' '--with-pthreads' '--with-dl'
>> '--with-openssl=/usr' '--with-large-files'
>> '--with-build-environment=default' '--with-filedescriptors=1024'
>> 'build_alias=x86_64-mandriva-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wformat
>> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
>> -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all
>> -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64' 'LDFLAGS= -Wl,--as-needed
>> -Wl,--no-undefined -Wl,-z,relro' 'CPPFLAGS=-I/usr/include/openssl '
>> 'CXXFLAGS=-O2 -g -pipe -Wformat -Werror=format-security
>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
>> --param=ssp-buffer-size=4 -fstack-protector-all -D_LARGEFILE64_SOURCE
>> -D_FILE_OFFSET_BITS=64'
>>
>>
>>
>> A keytab file was created on AD for squid
>> (HTTP/fqdn@REALM)
>>
>> ktpass -princ HTTP/fqdn@REALM -mapuser squiduser
>> -pass password -ptype KRB5_NT_SRV_HST -out HTTP.keytab
>>
>> Transferred the file to the squid server and placed it
>> in /etc/squid/HTTP.keytab
>>
>>
>> kinit -k -t /etc/squid/HTTP.keytab HTTP/fqdn@REALM
>> it works!
>>
>>
>> At /etc/init.d/squid, I have included:
>> KRB5_KTNAME=/etc/squid/HTTP.keytab
>> export KRB5_KTNAME
>>
>> I have configured /etc/squid/squid.conf to use squid_kerb_auth
>>
>> I am using IE as client and set the proxy to fqdn.
>>
>> When I try to go to http://www.squid-cache.org/, IE asks for login and
>> password, but it fails.
>> The messages between squid and IE are:
>>
>> IE -> SQUID
>> GET http://www.squid-cache.org/ HTTP/1.1
>> [...]
>>
>> SQUID -> IE
>> HTTP/1.0 407 Proxy Authentication Required
>> Server: squid/3.0.STABLE14
>> [...]
>> Proxy-Authenticate: Negotiate
>> [...]
>>
>> IE -> SQUID
>> GET http://www.squid-cache.org/ HTTP/1.1
>> [...]
>> Proxy-Authorization: Negotiate
>> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>>
>> SQUID -> IE
>> HTTP/1.0 407 Proxy Authentication Required
>> Server: squid/3.0.STABLE14
>> [...]
>> Proxy-Authenticate: Negotiate
>> [...]
>>
>> Seems like IE tries to authenticate with NTLM, and not with kerberos.
>>
>> How do I sort out this problem?
>>
>>
>> Thanks in advance.
>> Regards
>> Jose Lopes
>>
>>
>>
>>
>
>
Received on Tue Jan 19 2010 - 11:06:41 MST
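
The check behind the observation that IE answered with NTLM rather than Kerberos, as an added example that is not part of the original messages: it decodes a Negotiate token and names the mechanism from its leading bytes. The function and constant names are assumptions of this example; the token is the one quoted in the thread.

```python
import base64
import struct

# Token copied from the Proxy-Authorization header quoted in the thread.
THREAD_TOKEN = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded mechanism OIDs (tag 0x06, length, value).
SPNEGO_OID = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2


def _after_der_length(buf, pos):
    """Return the offset just past the DER length field at buf[pos], or -1."""
    if pos >= len(buf):
        return -1
    first = buf[pos]
    end = pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)
    return end if end <= len(buf) else -1


def classify_negotiate_token(b64_token):
    """Name the mechanism carried in a 'Negotiate <base64>' header value."""
    try:
        raw = base64.b64decode(b64_token.strip(), validate=True)
    except ValueError:
        return "invalid base64"
    if raw.startswith(NTLM_SIGNATURE):
        if len(raw) < 12:
            return "NTLM (truncated)"
        (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type
        return "NTLM %s (type %d)" % (NTLM_TYPES.get(msg_type, "unknown"), msg_type)
    if raw[:1] == b"\x60":  # GSS-API initial token: [APPLICATION 0] len OID ...
        pos = _after_der_length(raw, 1)
        if pos < 0:
            return "GSS-API (truncated)"
        if raw.startswith(KRB5_OID, pos):
            return "Kerberos"
        if raw.startswith(SPNEGO_OID, pos):
            # Heuristic byte search for a Kerberos OID in the SPNEGO body.
            offered = KRB5_OID in raw[pos:] or MS_KRB5_OID in raw[pos:]
            return "SPNEGO offering Kerberos" if offered else "SPNEGO without Kerberos"
        return "GSS-API, unrecognised mechanism"
    return "unrecognised token"


if __name__ == "__main__":
    print(classify_negotiate_token(THREAD_TOKEN))
```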
