Re: [squid-users] Re: Help me configure Kerberos Authentication

From: Go Wow <gowows_at_gmail.com>
Date: Sat, 30 Apr 2011 13:45:15 +0400

Amos, Do you know where the problem is? Should I move back to squid
2.7, will that help?

If I configure my squid to use ntlm auth I get so many NTLM Type 3
token messages in cache.log. The same config works good on IE6. When I
test this with firefox 3.6+ or IE8 it keeps prompting the username.

On 30 April 2011 13:30, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 30/04/11 20:13, Go Wow wrote:
>>
>> When I run msktutil I get this line in the output.
>>
>> krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>>
>> I did kinit before issuing msktutil and it ran successfully. I can see
>> tickets when I issue klist.
>>
>
> Tickets, klist and keytabs do not matter in this case; Kerberos is not
> involved.
>
>>
>>
>> On 30 April 2011 10:43, Go Wow wrote:
>>>
>>> Hi,
>>>
>>>  I'm trying to configure Kerberos Authentication for squid. I'm
>>> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
>>> kerberos authentication guide on squid-cache and many other guides, I
>>> always end up with these logs in my cache.log. My client browser keeps
>>> prompting for username/password. Even a valid set of credentials are
>>> not accepted.
>>>
>>>  2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM
>>> token
>>> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error
>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>> token'
>
> "type 1 NTLM"  aka NTLM authentication protocol.
>
> The Kerberos helpers for Squid only validate type 3 (Kerberos).
>
> Markus has developed a negotiate_wrapper helper which can split the
> Negotiate auth protocol into Negotiate/Kerberos and Negotiate/NTLM
> validation. That may be of some help, though there are bugs in the Squid end
> which prevent it working sometimes.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.12
>  Beta testers wanted for 3.2.0.7 and 3.1.12.1
>
Received on Sat Apr 30 2011 - 09:45:24 MDT
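
Added example, not part of the original thread and not Squid's or the helper's own code: a Python diagnostic that decodes the token from a captured `Proxy-Authorization: Negotiate ...` header value and reports whether the browser sent a raw NTLMSSP message (and which message type) or a GSS-API token carrying the SPNEGO or Kerberos 5 OID, which is the distinction behind the "received type 1 NTLM token" log line. The function names, result strings and the sample token are constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"                            # signature that opens every NTLMSSP message
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # DER OID 1.2.840.113554.1.2.2


def skip_der_length(buf, pos):
    """Return the offset just past the DER length field that starts at pos."""
    first = buf[pos]
    if first < 0x80:                  # short form: one length byte
        return pos + 1
    return pos + 1 + (first & 0x7F)   # long form: count byte plus N length bytes


def classify_negotiate_token(header_value):
    """Classify the token in a 'Negotiate <base64>' header value."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return "not-negotiate"
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:                # binascii.Error is a ValueError subclass
        return "invalid-base64"
    if raw.startswith(NTLM_SIG):
        if len(raw) < 12:
            return "ntlm-truncated"
        # The message type is a 32-bit little-endian integer after the signature.
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return "ntlm-type-%d (%s)" % (msg_type, NTLM_TYPES.get(msg_type, "unknown"))
    if len(raw) > 2 and raw[0] == 0x60:   # GSS-API InitialContextToken ([APPLICATION 0])
        oid_at = skip_der_length(raw, 1)
        if raw.startswith(SPNEGO_OID, oid_at):
            return "gssapi-spnego"
        if raw.startswith(KRB5_OID, oid_at):
            return "gssapi-kerberos5"
        return "gssapi-other"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: a minimal NTLM type 1 message (signature, type, zeroed flags).
    sample = base64.b64encode(NTLM_SIG + struct.pack("<I", 1) + b"\x00" * 4).decode()
    print(classify_negotiate_token("Negotiate " + sample))
```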
