
Re: squid_kerb_auth - Negotiate


The return code 102 of parseNegTokenInit usually means the token is not a
SPNEGO token. Could you send me the complete token?

Which Kerberos release are you using?

Regards
Markus

"miolinux" <miolinux@xxxxxxxxx> wrote in message 
news:20070711160326.738cfa79@xxxxxxxxxxxxxxxxxx
Hi,

I'm testing the new squid helper to use Negotiate to authenticate users
against an MIT Kerberos KDC.

I already use a cross-realm trust to authenticate Windows users against
the KDC, so users, once logged into Windows, already have the TGT for the
Kerberos realm (authenticating users this way I cannot use NTLM auth,
which is why I need Negotiate against Kerberos).

I've compiled the latest squid-2.6 branch version:

# sbin/squid -v
Squid Cache: Version 2.6.STABLE13-20070704
configure options: '--prefix=/usr/local/squid'
'--enable-auth=negotiate'
'--enable-negotiate-auth-helpers=squid_kerb_auth'

set up a local keytab for squid (HTTP/squid.domain@xxxxxxxxxxxxxx) and
tested it:
kinit -k -t squid.keytab HTTP/squid.domain@xxxxxxxxxxxxxx

set and exported KRB5_KTNAME pointing to the local keytab

added authentication to squid.conf:

auth_param negotiate program /usr/libexec/squid_kerb_auth -d -s HTTP/squid.domain@xxxxxxxxxxxxxx

and started squid.

When trying to access the web with Firefox the user gets a ticket for the
HTTP/squid.domain service, but access is denied.

From the logs I've investigated (and from Wireshark dumps) it seems the
client sends authentication but squid fails to verify it.

The flow seems like this:

Client sends request
Squid processes request, no auth, so it requests an auth header
Client sends request + Proxy-Authorization: Negotiate YIICTA[...]YdpMw==
Squid processes the Proxy-Authorization header (strips "Proxy-Authorization:
Negotiate" and adds YR to the request)
Squid passes "YR YIICTA[...]YdpMw==" to squid_kerb_auth
squid_kerb_auth generates an error.

Here is the relevant log part:

2007/07/05 15:47:19| squid_kerb_auth: parseNegTokenInit failed with rc=102
2007/07/05 15:47:19| squid_kerb_auth: gss_accept_sec_context() failed: A 
token was invalid. Mechanism is incorrect
2007/07/05 15:47:19| comm_call_handlers(): got fd=6 read_event=1 
write_event=0 F->read_handler=0x8084b10 F->write_handler=(nil)
2007/07/05 15:47:19| comm_call_handlers(): Calling read handler on fd=6
2007/07/05 15:47:19| cbdataValid: 0x82239b0
2007/07/05 15:47:19| helperStatefulHandleRead: 80 bytes from 
negotiateauthenticator #1.
2007/07/05 15:47:19| commSetSelect: FD 6 type 1
2007/07/05 15:47:19| commSetEvents(fd=6)
2007/07/05 15:47:19| helperStatefulHandleRead: end of reply found
2007/07/05 15:47:19| cbdataValid: 0x841eb48
2007/07/05 15:47:19| authenticateNegotiateHandleReply: Helper: '0x82239b0' 
{NA gss_accept_sec_context() failed: A token was invalid. Mechanism is 
incorrect}

What is rc=102? Why is the mechanism incorrect?
Is there a way I can verify if the Proxy-Authorization header is correct?

Btw, if you need the full log output I can attach it, but the problem seems
to arise here in squid_kerb_auth.


Thanks,


--
Miolinux
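A quick way to answer the last question in the thread (whether the Proxy-Authorization blob is the kind of token the helper expects), as an added example that is not part of this thread or of squid: decode the base64 and read the GSS-API outer framing. The YIICTA prefix in the log decodes to 0x60 0x82 0x02 0x4C, i.e. an InitialContextToken with a 588-byte body; the mechanism OID that follows is what distinguishes a SPNEGO NegTokenInit from a raw Kerberos token, and a blob starting with NTLMSSP is not a GSS-API token at all. The sample tokens below are constructed with filler contents; only their outer framing is realistic.

```python
import base64
# DER-encoded mechanism OIDs. An RFC 2743 InitialContextToken is [APPLICATION 0]
# { thisMech OID, innerContextToken }: the OID after the 0x60 tag selects the mech.
MECH_OIDS = {
    b"\x2b\x06\x01\x05\x05\x02": "SPNEGO (1.3.6.1.5.5.2)",
    b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02": "Kerberos V5 (1.2.840.113554.1.2.2)",
}

def der_length(buf, pos):
    """Decode a DER length (short or long form) at buf[pos] -> (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate_token(b64token):
    """Report what a 'Proxy-Authorization: Negotiate <b64>' blob actually carries."""
    raw = base64.b64decode(b64token)
    if raw.startswith(b"NTLMSSP\x00"):
        return "NTLMSSP (raw NTLM, not a GSS-API token)"
    if not raw or raw[0] != 0x60:
        return "not a GSS-API InitialContextToken"
    try:
        body_len, pos = der_length(raw, 1)
        if pos + body_len != len(raw) or raw[pos] != 0x06:
            return "GSS-API framing but no mechanism OID where one is expected"
        oid_len, pos = der_length(raw, pos + 1)
        oid = raw[pos:pos + oid_len]
    except (IndexError, ValueError):
        return "truncated or malformed DER framing"
    return MECH_OIDS.get(oid, "unknown mechanism OID " + oid.hex())

def der_len_encode(n):  # DER length encoder, used only to build the samples below
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def gss_token(oid_der, inner):  # wrap OID + inner in the [APPLICATION 0] framing
    body = b"\x06" + bytes([len(oid_der)]) + oid_der + inner
    return base64.b64encode(b"\x60" + der_len_encode(len(body)) + body).decode()

# Constructed samples: inner content is filler, only the outer framing is real.
FILLER = b"\xa0" + der_len_encode(200) + b"\x00" * 200   # forces long-form lengths
SPNEGO_SAMPLE = gss_token(b"\x2b\x06\x01\x05\x05\x02", FILLER)
KRB5_SAMPLE = gss_token(b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", FILLER)
NTLM_SAMPLE = "TlRMTVNTUAABAAAA"   # base64 of b"NTLMSSP\x00\x01\x00\x00\x00"
```

To check a real header, paste the full base64 value from the Wireshark capture into classify_negotiate_token; a Kerberos V5 or unknown OID result explains a "not a SPNEGO token" rejection from the helper.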



