Re: [squid-users] Squid 3.2 help using kerberos Error returned 'BH received type 1 NTLM token'

From: david touzeau <david.touzeau_at_fr.kaspersky.com>
Date: Wed, 14 Dec 2011 02:15:33 +0100

On Wednesday 14 December 2011 at 10:41 +1300, Amos Jeffries wrote:
> On Tue, 13 Dec 2011 18:27:00 +0100, David Touzeau wrote:
> > Dear
> >
> > I would like to connect my squid 3.2 to the Active Directory 2003
> >
> > All Kerberos settings should be working
> >
> > # /usr/bin/kinit Administrateur_at_MAISON.TOUZEAU.BIZ -V 2>&1
> > Password for Administrateur_at_MAISON.TOUZEAU.BIZ:
> > Authenticated to Kerberos v5
> >
> > # klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: Administrateur_at_MAISON.TOUZEAU.BIZ
> >
> > Valid starting     Expires            Service principal
> > 12/13/11 17:10:26  12/14/11 03:10:24  krbtgt/MAISON.TOUZEAU.BIZ_at_MAISON.TOUZEAU.BIZ
> >         renew until 12/14/11 17:10:26
> >
> >
> > Squid.conf
> >
> > auth_param negotiate program /lib/squid3/negotiate_kerberos_auth -d -s HTTP/squid32-64.touzeau.com
> > auth_param negotiate children 10
> > auth_param negotiate keep_alive on
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hour
> > authenticate_ip_ttl 60 seconds
> > authenticate_cache_garbage_interval 10 seconds
> > authenticate_ttl 0 hour
> > #--------- kerberos ACL settings
> > acl AUTHENTICATED proxy_auth REQUIRED
> >
> > In the events, Squid claims:
> >
> > 011/12/13 17:11:27 kid1| ERROR: Negotiate Authentication validating
> > user. Error returned 'BH received type 1 NTLM token'
>
> This is the old problem of Squid advertising Negotiate authentication
> but receiving NTLMv1 credentials from the browser.
>
> Kerberos begins with a type 2 token.
>
> The workaround in 3.1 and older has been to use the negotiate_wrapper
> helper to detect the token type and support both NTLM or Kerberos
> helpers for Negotiate. Unfortunately the wrapper seems to cause auth
> failures in the new 3.2 architecture and we have not yet tracked that
> bug down.
>
> Amos
>

Dear Amos,

Any workaround?

Best regards

-- 
Received on Wed Dec 14 2011 - 01:15:49 MST
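
The token-type detection described in the quoted reply can be reproduced offline to confirm what a browser actually sent in its Negotiate header. The following is an added example, not part of the thread and not the code of Squid's negotiate_wrapper; the function names and the sample tokens are constructed for illustration.

```python
import base64
import binascii
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2

def classify_token(token: bytes) -> str:
    """Return which helper family a raw Negotiate token belongs to."""
    if token.startswith(NTLMSSP_SIG):
        if len(token) < 12:
            return "ntlm-truncated"
        # The NTLMSSP signature is followed by a little-endian message type.
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return f"ntlm-type{msg_type}"
    if len(token) >= 2 and token[0] == 0x60:  # GSS-API InitialContextToken
        # Skip the DER length: short form is 1 byte, long form is 1 + n bytes.
        pos = 2 + (token[1] & 0x7F if token[1] & 0x80 else 0)
        if token.startswith(OID_SPNEGO, pos):
            return "gssapi-spnego"
        if token.startswith(OID_KRB5, pos):
            return "gssapi-kerberos"
        return "gssapi-other"
    return "unknown"

def classify_header(value: str) -> str:
    """Classify a 'Proxy-Authorization: Negotiate <base64>' header value."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob:
        return "not-negotiate"
    try:
        return classify_token(base64.b64decode(blob.strip(), validate=True))
    except binascii.Error:
        return "invalid-base64"

# Constructed, truncated sample tokens (not captured traffic).
SAMPLE_NTLM1 = NTLMSSP_SIG + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 16
SAMPLE_SPNEGO = b"\x60\x82\x01\x00" + OID_SPNEGO + b"\xa0\x03\x30\x01\x00"

if __name__ == "__main__":
    for name, tok in (("ntlm", SAMPLE_NTLM1), ("spnego", SAMPLE_SPNEGO)):
        hdr = "Negotiate " + base64.b64encode(tok).decode()
        print(name, hdr[:22], "->", classify_header(hdr))
```

A header value whose base64 starts with `TlRMTVNTUAAB` is an NTLM type 1 message, which is the case the helper rejects with 'BH received type 1 NTLM token'.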
