Re: [squid-users] Problem with squid_kerb_auth

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 20 Jan 2011 01:26:11 +1300

On 20/01/11 01:12, Rafal Zawierta wrote:
> Hello,
>
> I'm trying to set up squid to auth against AD.
>
> AD is on 2008 server (but functionality level of 2003).
> Kerberos works fine, from linux machine (debian) kinit and klist and
> ktutil are all right. I also have created krb5.keytab and for my proxy
> user I have:
>
> ktutil: rkt /etc/krb5.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 2 HTTP/squid.pfsee.net@PFSEE.NET
> 2 2 HTTP/squid.pfsee.net@PFSEE.NET
> 3 2 HTTP/squid.pfsee.net@PFSEE.NET
> 4 2 HTTP/squid@PFSEE.NET
> 5 2 HTTP/squid@PFSEE.NET
> 6 2 HTTP/squid@PFSEE.NET
> ktutil: q
>
> squid - hostname of linux machine
> pfsee.net - my AD domain
>
> Squid3 cache.log (at startup)
> 2011/01/19 13:07:43| Process ID 1782
> 2011/01/19 13:07:43| With 65535 file descriptors available
> 2011/01/19 13:07:43| Initializing IP Cache...
> 2011/01/19 13:07:43| helperOpenServers: Starting 10/10 'squid_kerb_auth' processes
> (is it working now?)
>
> First try - IE8 from my AD server (2008R2).
> In Lan-Proxy I have: squid.pfsee.net
>
> When I try to open a page, I get a basic auth prompt (I really should
> not!) - and cache.log says:
> authenticateNegotiateHandleReply: Error validating user via Negotiate.
> Error returned 'BH received type 1 NTLM token'
>
> What is wrong? Is the problem with squid and linux, or on the win2k8
> machine (IE client side)?

As you can see, the browser is sending an NTLM handshake instead of the
Kerberos token. The current Squid auth system does not support
Negotiate/NTLM, only Negotiate/Kerberos, but has no way to tell IE8 that.

* Check that you have all auth_param with Negotiate type first before
other types of auth.

* Check that IE is configured to use Kerberos by reference.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
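Added example for readers diagnosing the "BH received type 1 NTLM token" error above (my code, not Squid's helper or anything from this thread): it decodes the value of a Proxy-Authorization: Negotiate header and reports whether the client sent a bare NTLMSSP message, a raw Kerberos GSS token, or a SPNEGO negTokenInit, and for SPNEGO which mechanism the client listed first. The label strings and the sample tokens are my own constructions (the SPNEGO sample carries only a mechTypes list, no mechToken).

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value) as found in GSS-API tokens.
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2 (MS variant)
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

def _der_len(buf, i):  # DER length at buf[i] -> (length, index after the length)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify_negotiate(header_value):
    """Classify a 'Proxy-Authorization: Negotiate <base64>' value by mechanism."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    tok = base64.b64decode(b64)
    # Bare NTLMSSP message: this is what squid_kerb_auth rejects with 'BH received type N NTLM token'.
    if tok.startswith(b"NTLMSSP\x00"):
        return "ntlm-type%d" % int.from_bytes(tok[8:12], "little")
    # Otherwise expect a GSS-API InitialContextToken: [APPLICATION 0] { OID, body }.
    if tok[:1] != b"\x60":
        return "unknown"
    _, i = _der_len(tok, 1)
    if tok.startswith(KRB5_OID, i) or tok.startswith(MS_KRB5_OID, i):
        return "kerberos"
    if not tok.startswith(SPNEGO_OID, i):
        return "unknown"
    # SPNEGO negTokenInit: [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID ... }; the first
    # mechType is the one whose token the client actually attached.
    j = i + len(SPNEGO_OID)
    for _ in range(4):                # skip the [0], SEQUENCE, [0], SEQUENCE OF headers
        _, j = _der_len(tok, j + 1)
    first_mech = tok[j:j + 2 + tok[j + 1]]
    if first_mech in (KRB5_OID, MS_KRB5_OID):
        return "spnego:kerberos"
    if first_mech == NTLMSSP_OID:
        return "spnego:ntlm"
    return "spnego:other"

def _der(tag, body):  # short-form DER TLV builder, used only for the constructed samples
    return bytes([tag, len(body)]) + body

# Constructed sample headers (not captured from the poster's setup).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\x00" + b"\x00" * 16).decode()
SAMPLE_SPNEGO_KRB = "Negotiate " + base64.b64encode(_der(0x60, SPNEGO_OID + _der(
    0xA0, _der(0x30, _der(0xA0, _der(0x30, MS_KRB5_OID + KRB5_OID + NTLMSSP_OID)))))).decode()
```

Running classify_negotiate on a header captured from the failing client tells you whether the browser chose NTLM before Squid ever called the helper, which is the case Amos describes.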
Received on Wed Jan 19 2011 - 12:26:24 MST
