Re: [squid-users] Squid 3.2 help using kerberos Error returned 'BH received type 1 NTLM token'

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 14 Dec 2011 10:41:43 +1300

 On Tue, 13 Dec 2011 18:27:00 +0100, David Touzeau wrote:
> Dear
>
> I would like to connect my squid 3.2 to the Active Directory 2003
>
> All Kerberos settings should working
>
> # /usr/bin/kinit Administrateur_at_MAISON.TOUZEAU.BIZ -V 2>&1
> Password for Administrateur_at_MAISON.TOUZEAU.BIZ:
> Authenticated to Kerberos v5
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrateur_at_MAISON.TOUZEAU.BIZ
>
> Valid starting Expires Service principal
> 12/13/11 17:10:26 12/14/11 03:10:24
> krbtgt/MAISON.TOUZEAU.BIZ_at_MAISON.TOUZEAU.BIZ
> renew until 12/14/11 17:10:26
>
>
> Squid.conf
>
> auth_param negotiate program /lib/squid3/negotiate_kerberos_auth -d
> -s
> HTTP/squid32-64.touzeau.com
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hour
> authenticate_ip_ttl 60 seconds
> authenticate_cache_garbage_interval 10 seconds
> authenticate_ttl 0 hour
> #--------- kerberos ACL settings
> acl AUTHENTICATED proxy_auth REQUIRED
>
> In events squid claim
>
> 011/12/13 17:11:27 kid1| ERROR: Negotiate Authentication validating
> user. Error returned 'BH received type 1 NTLM token'

 This is the old problem of Squid advertising Negotiate authentication
 but receiving NTLMv1 credentials from the browser.

 Kerberos begins with a type 2 token.

 The workaround in 3.1 and older has been to use the negotiate_wrapper
 helper to detect the token type and support both NTLM or Kerberos
 helpers for Negotiate. Unfortunately the wrapper seems to cause auth
 failures in the new 3.2 architecture and we have not yet tracked that
 bug down.

 Amos
Received on Tue Dec 13 2011 - 22:41:46 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 14 2011 - 12:00:03 MST