[squid-users] squid_kerb_auth received type 1 NTLM token

From: Lieven <lieven_at_ba.be>
Date: Wed, 05 May 2010 22:11:50 +0200

Dear list,

I currently have a problem where it seems that my clients, the web browsers
Firefox 3.5 and IE8, only return NTLM tokens for authentication
instead of Kerberos.

This is the error in the cache log from Squid:

squid_kerb_auth: WARNING: received type 1 NTLM token
authenticateNegotiateHandleReply: Error validating user via Negotiate.
Error returned 'BH received type 1 NTLM token'

Squid has been configured like this:
./configure --enable-negotiate-auth-helpers=squid_kerb_auth
--enable-stacktraces --prefix=/opt/squid-3.1.3
make and make install went fine.

The Squid box is a cleanly installed Debian Lenny i386.

Squid itself seems to run fine, I can browse through it.

But my goal of using Kerberos authentication fails with the error above.
In my krb5.conf I have the following info in my realm:
    kdc = xxx.xxx.xxx.xxx
    admin_server = xxx.xxx.xxx.xxx
These are the libdefaults:
    default_realm = DOMAIN.LOCAL
    dns_lookup_kdc = no
    dns_lookup_realm = no
    default_keytab_name = /etc/HTTP.keytab
    ticket_lifetime = 24h

The /etc/HTTP.keytab file looks like this:
-rw-r----- 1 squid squid 532 2010-05-05 20:58 /etc/HTTP.keytab
Squid is running as user "squid".

First I got a kerberos ticket with:
kinit administrator
I can see a krbtgt ticket with klist.

I'm trying to authenticate against a Windows 2008 DC and I used msktutil
like this:
msktutil -c -b "CN=COMPUTERS" -s HTTP/domain.local -h domain.local -k
/etc/HTTP.keytab --computer-name squid3-proxy --upn HTTP/domain.local
--server ad2008srvr.domain.local --verbose --enctypes 28

The Squid config file is quite basic (only the relevant parts here, I think):
auth_param negotiate program /opt/squid-3.1.3/sbin/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
http_access allow AUTHENTICATED

DNS seems to work alright, the AD server is used for dns and has a
working A and PTR record for the squid3-proxy.domain.local server
because the A and PTR lookups return the correct results when run from
the server and from the clients.

Is there anybody out there who can help me troubleshoot this problem?
I found tutorials where the keytab file is created on the windows server
but that's not necessary if I use the msktutil, right?

Thanks a lot. I've been trying to get this to work for some time now.

Received on Wed May 05 2010 - 20:11:58 MDT

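The helper's warning means that the blob the browser sent in its Proxy-Authorization: Negotiate header contained an NTLMSSP message rather than a Kerberos ticket: the client never obtained (or did not choose to use) a service ticket for the proxy's SPN, so the problem is on the client/KDC side before squid_kerb_auth ever gets a chance to validate anything. The Python script below is added here as an illustration; it is not from the post and not Squid's own helper code. It decodes a base64 Negotiate blob (for example one captured from a client request in a packet trace) and reports whether it is a raw NTLM message, a SPNEGO token carrying NTLM, or a SPNEGO/Kerberos token, together with the mechanism OIDs the client offered. The three sample tokens are constructed inside the script, including a placeholder instead of a real Kerberos AP-REQ.

```python
import base64
import struct

# DER-encoded mechanism OIDs that appear in Negotiate (SPNEGO) tokens.
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {KRB5_OID: "krb5", MS_KRB5_OID: "ms-krb5", NTLMSSP_OID: "ntlmssp"}


def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Wrap body in a DER tag-length-value."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify_negotiate_token(b64):
    """Decode a Negotiate blob and report which mechanism the client used/offered."""
    raw = base64.b64decode(b64)
    result = {"kind": "unknown", "ntlm_type": None, "mechs": []}
    if raw.startswith(b"NTLMSSP\x00"):      # bare NTLMSSP message, no SPNEGO wrapper
        result["kind"] = "ntlm"
        result["ntlm_type"] = struct.unpack_from("<I", raw, 8)[0]
        return result
    if not raw or raw[0] != 0x60:            # not a GSS-API InitialContextToken
        return result
    _, body, _ = read_tlv(raw, 0)
    tag, oid, pos = read_tlv(body, 0)        # thisMech OID
    if tag != 0x06:
        return result
    if oid in (KRB5_OID, MS_KRB5_OID):       # bare Kerberos GSS token
        result["kind"] = "kerberos"
        result["mechs"] = [OID_NAMES[oid]]
        return result
    if oid != SPNEGO_OID:
        return result
    result["kind"] = "spnego"
    tag, neg, _ = read_tlv(body, pos)        # [0] NegTokenInit
    if tag != 0xA0:
        return result
    _, seq, _ = read_tlv(neg, 0)             # SEQUENCE of NegTokenInit fields
    pos = 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:                      # [0] mechTypes: SEQUENCE OF OID
            _, mech_list, _ = read_tlv(field, 0)
            p = 0
            while p < len(mech_list):
                _, mech, p = read_tlv(mech_list, p)
                result["mechs"].append(OID_NAMES.get(mech, mech.hex()))
        elif tag == 0xA2:                    # [2] mechToken: OCTET STRING
            _, token, _ = read_tlv(field, 0)
            if token.startswith(b"NTLMSSP\x00"):
                result["ntlm_type"] = struct.unpack_from("<I", token, 8)[0]
    return result


def diagnose(b64):
    """One-line verdict matching the spirit of the helper's warning."""
    r = classify_negotiate_token(b64)
    if r["ntlm_type"] is not None:
        return f"NTLM type {r['ntlm_type']} token: client fell back to NTLM (offered: {r['mechs'] or 'none'})"
    if r["kind"] == "kerberos" or any(m in ("krb5", "ms-krb5") for m in r["mechs"]):
        return f"Kerberos token (offered: {r['mechs']})"
    return f"unrecognised token ({r['kind']})"


# --- Constructed sample tokens (not captured from any real session) ---
def build_ntlm_type1():
    # Minimal NTLM NEGOTIATE_MESSAGE: signature, MessageType=1, flags, empty domain/workstation fields.
    return b"NTLMSSP\x00" + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 16


def build_spnego(mechs, mech_token):
    mech_types = tlv(0xA0, tlv(0x30, b"".join(tlv(0x06, m) for m in mechs)))
    mech_tok = tlv(0xA2, tlv(0x04, mech_token))
    return tlv(0x60, tlv(0x06, SPNEGO_OID) + tlv(0xA0, tlv(0x30, mech_types + mech_tok)))


SAMPLE_RAW_NTLM = base64.b64encode(build_ntlm_type1()).decode()
SAMPLE_SPNEGO_NTLM = base64.b64encode(build_spnego([NTLMSSP_OID], build_ntlm_type1())).decode()
FAKE_KRB_TOKEN = tlv(0x60, tlv(0x06, KRB5_OID) + b"\x01\x00" + b"AP-REQ placeholder (constructed)")
SAMPLE_SPNEGO_KRB = base64.b64encode(build_spnego([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], FAKE_KRB_TOKEN)).decode()

if __name__ == "__main__":
    for name, tok in [("raw NTLM", SAMPLE_RAW_NTLM), ("SPNEGO/NTLM", SAMPLE_SPNEGO_NTLM),
                      ("SPNEGO/Kerberos", SAMPLE_SPNEGO_KRB)]:
        print(f"{name:16s} {diagnose(tok)}")
```

If a real client blob classifies as NTLM (raw or inside SPNEGO), the fix lies with the client's ability to get a ticket for HTTP/<proxy FQDN>: the browser must reach the proxy by the exact name registered as the SPN, the client must have a TGT for the same realm, and the SPN must exist on the account whose keys are in the keytab. A blob that offers only the ntlmssp OID tells you the client never even attempted Kerberos for that host.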