[squid-users] Re: Simple Kerberos/Squid configuration "received type 1 NTLM token"

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 28 Sep 2010 20:13:05 +0100

"barbarossa" <bDmanLIB_at_hotmail.com> wrote in message
news:1285675470312-2717106.post_at_n4.nabble.com...
>
> So, I set the following in about:config (Firefox):
> * network.auth.use-sspi: false
> * network.negotiate-auth.gsslib: C:\Program Files\MIT\Kerberos\bin\gssapi32.dll
> * network.negotiate-auth.using-native-gsslib: false
>
> Then I got in /var/log/squid/cache.log:
> squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No principal in keytab matches desired name
>
> After searching the mailing lists, I saw that the principal did exist but I
> had 2 keytab files. One of them was old and squid used the old one.
>
> Now, Firefox works! Great.
>
> As for IE, it shows a login dialog, when entering username_at_REALM I get:
>
> 2010/09/28 11:44:28| squid_kerb_auth: Got 'YR
> 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'
> from squid (length: 755).
> 2010/09/28 11:44:28| squid_kerb_auth: parseNegTokenInit failed with rc=102
> 2010/09/28 11:44:28| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found

This does not look too bad as it seems to be a Kerberos not an NTLM token. Did
you use the correct FQDN for the squid proxy in your IE configuration (e.g.
the exact same name as used for the keytab entry)? Can you capture the
traffic to squid (usually port 3128) with wireshark? It should tell you
the details of the ticket from the Negotiate exchange.

>
> So, IE does not use the MIT kerberos ticket I created. Is there a way to
> configure it?
>

What you might be able to do and what already seems to have happened is that
XP is looking for a KDC via DNS. Can you check the DNS port 53 traffic and
Kerberos traffic on port 88 from your XP system using wireshark?

> Thanks.
Received on Tue Sep 28 2010 - 19:13:21 MDT
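
As an added example (not part of the original message and not squid_kerb_auth code), the following Python sketch classifies the base64 blob that follows `YR` in a cache.log line as a bare NTLM message, a SPNEGO token, or a bare Kerberos GSS-API token, which is the distinction the reply above draws. The function names and the sample tokens are constructed for illustration.

```python
import base64
import binascii

# Mechanism OIDs, DER value bytes only (no 0x06 tag or length byte).
MECHS = {
    "kerberos": bytes.fromhex("2a864886f712010202"),     # 1.2.840.113554.1.2.2
    "ms-kerberos": bytes.fromhex("2a864882f712010202"),  # 1.2.840.48018.1.2.2
    "ntlmssp": bytes.fromhex("2b06010401823702020a"),    # 1.3.6.1.4.1.311.2.2.10
}
SPNEGO = bytes.fromhex("2b0601050502")                   # 1.3.6.1.5.5.2

def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset of the value)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate_token(b64_token):
    """Say what a base64 Negotiate token (the blob after 'YR ') carries."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"
    if raw.startswith(b"NTLMSSP\x00"):                   # bare NTLM, no GSS framing
        return "ntlm-type-%d" % int.from_bytes(raw[8:12], "little")
    try:
        if raw[0] != 0x60:                               # GSS-API initial token tag
            return "unknown"
        _, pos = _der_len(raw, 1)
        if raw[pos] != 0x06:                             # mechanism OID must follow
            return "unknown"
        oid_len, val = _der_len(raw, pos + 1)
    except IndexError:
        return "truncated"
    oid, rest = raw[val:val + oid_len], raw[val + oid_len:]
    if oid == SPNEGO:
        # Heuristic: search the NegTokenInit for each DER-encoded mech OID.
        offered = [n for n, m in MECHS.items() if b"\x06" + bytes([len(m)]) + m in rest]
        return "spnego:" + ",".join(offered)
    return next((n for n, m in MECHS.items() if oid == m), "gss-unknown-mech")

def _tlv(tag, body):
    return bytes([tag, len(body)]) + body                # short-form lengths only

# Constructed samples (not from the thread): bare NTLM type 1, SPNEGO offering Kerberos.
NTLM_TYPE1 = base64.b64encode(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2")
mech_list = _tlv(0x30, _tlv(0x06, MECHS["kerberos"]))
SPNEGO_KRB = base64.b64encode(_tlv(0x60, _tlv(0x06, SPNEGO) + _tlv(0xA0, _tlv(0x30, _tlv(0xA0, mech_list)))))
```

A result of `spnego:kerberos` or `kerberos` means the client did obtain a service ticket, so a helper failure at that point is on the keytab or principal-name side rather than a fallback to NTLM.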
