Just installed an OpenSUSE 11.0 system to replace our aging Suse 9.0 squid proxy server. I've chosen to use the 3.0 version of squid that was included. I am trying to get kerberos authentication working against our AD (Win2003) environment. I followed the instructions at http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/

I created the account in Windows, created the keytab file and moved it over to my Linux system. I tested it using kinit and klist and it authenticates successfully. What's more, I have the system authenticating my ssh logins using kerberos successfully, as well. All of that leads me to believe that my kerberos environment is configured properly.

When I add the auth_param, acl, and http_access settings to my squid.conf, though, I am unable to authenticate with either Firefox (2.0.0.16) or IE (6.0) on my Windows XP clients. These same clients are able to authenticate to our IIS servers using kerberos (for the ability to identity_impersonate to our 3rd tier SQL servers), so I believe my browsers are properly configured. We have set Firefox's parameter network.negotiate-auth.trusted-uris to our internal domains.

When I try to connect with debugging turned on I see the following in the cache.log:

<leading log removed for clarity>
2008/10/23 14:13:27.154| ACLChecklist::preCheck: 0xb8481fd8 checking 'http_access allow AUTHENTICATED'
2008/10/23 14:13:27.154| ACLList::matches: checking AUTHENTICATED
2008/10/23 14:13:27.154| ACL::checklistMatches: checking 'AUTHENTICATED'
2008/10/23 14:13:27.154| aclMatchAcl: returning 0 sending authentication challenge.
2008/10/23 14:13:27.154| ACL::ChecklistMatches: result for 'AUTHENTICATED' is 0
2008/10/23 14:13:27.154| ACLList::matches: result is false
2008/10/23 14:13:27.154| aclmatchAclList: 0xb8481fd8 returning false (AND list entry failed to match)
2008/10/23 14:13:27.154| ACLChecklist::checkForAsync: requiring Proxy Auth header.
2008/10/23 14:13:27.154| ACLChecklist::markFinished: 0xb8481fd8 checklist processing finished
2008/10/23 14:13:27.154| aclmatchAclList: async=1 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 1
2008/10/23 14:13:27.154| ACLChecklist::check: 0xb8481fd8 match found, calling back with 2
2008/10/23 14:13:27.154| ACLChecklist::checkCallback: 0xb8481fd8 answer=2
2008/10/23 14:13:27.154| aclGetDenyInfoPage: got called for AUTHENTICATED
2008/10/23 14:13:27.154| aclGetDenyInfoPage: no match
2008/10/23 14:13:27.155| aclCheckFast: list: 0
2008/10/23 14:13:27.155| aclCheckFast: no matches, returning: 1
2008/10/23 14:13:27.155| ACLChecklist::~ACLChecklist: destroyed 0xb848206c
2008/10/23 14:13:27.155| aclCheckFast: list: 0
<trailing log removed for clarity>

I see no sign on my DCs of any failed authentication. A tcpdump trace on my workstation shows no attempts from my Windows PC to perform any kerberos authentication.

If I try running the command line specified in the squid.conf, I get:

squid_kerb_auth: Got '' from squid (length: 0).
squid_kerb_auth: Invalid request
NA Invalid request

I'm guessing, however, that squid_kerb_auth can't be run just like that. Any ideas where I should look? I set my keytab file to be world-readable as a test and that didn't help.

My config is below:

debug_options ALL,1 28,9
auth_param negotiate program /usr/sbin/squid_kerb_auth -d -s HTTP/myhost.mydomain.tld
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl CONNECT method CONNECT
acl AUTHENTICATED proxy_auth REQUIRED
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# allow localhost always proxy functionality
http_access allow localhost
http_access allow AUTHENTICATED
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
icp_port 0
htcp_port 0
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
coredump_dir /var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
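The section-28 debug lines in the post can be read mechanically; as an added example (not from the original post or from the Squid project), here is a small Python parser over a constructed copy of those cache.log lines that groups each ACL checklist's decisions and names the final "answer=N" code using Squid 3.0's allow_t values (0 ACCESS_DENIED, 1 ACCESS_ALLOWED, 2 ACCESS_REQ_PROXY_AUTH). The checklist id, rule text and sample lines are taken from the excerpt above; everything else is assumed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the cache.log lines quoted in the post.
SAMPLE_LOG = """\
2008/10/23 14:13:27.154| ACLChecklist::preCheck: 0xb8481fd8 checking 'http_access allow AUTHENTICATED'
2008/10/23 14:13:27.154| ACL::ChecklistMatches: result for 'AUTHENTICATED' is 0
2008/10/23 14:13:27.154| ACLChecklist::checkForAsync: requiring Proxy Auth header.
2008/10/23 14:13:27.154| ACLChecklist::checkCallback: 0xb8481fd8 answer=2
"""

# Squid 3.0 allow_t values, as reported in the "answer=N" debug line.
ANSWER_NAMES = {0: "ACCESS_DENIED", 1: "ACCESS_ALLOWED", 2: "ACCESS_REQ_PROXY_AUTH"}

PRECHECK = re.compile(r"ACLChecklist::preCheck: (0x[0-9a-f]+) checking '([^']+)'")
RESULT = re.compile(r"result for '([^']+)' is (\d)")
ANSWER = re.compile(r"ACLChecklist::checkCallback: (0x[0-9a-f]+) answer=(\d)")
CHALLENGE = "requiring Proxy Auth header"


def analyse(log_text):
    """Group section-28 debug lines by checklist id and record what each decided."""
    checks, current = {}, None
    for line in log_text.splitlines():
        m = PRECHECK.search(line)
        if m:  # a new checklist starts evaluating an http_access rule
            current = m.group(1)
            checks[current] = {"rule": m.group(2), "acl_results": {},
                               "challenge": False, "answer": None}
            continue
        if current is None:
            continue
        if m := RESULT.search(line):
            checks[current]["acl_results"][m.group(1)] = int(m.group(2))
        if CHALLENGE in line:  # no Proxy-Authorization header: Squid will send a 407
            checks[current]["challenge"] = True
        if (m := ANSWER.search(line)) and m.group(1) == current:
            checks[current]["answer"] = ANSWER_NAMES.get(int(m.group(2)), m.group(2))
    return checks


def diagnose(checks):
    """One verdict per checklist; a 407 means the auth helper was never consulted."""
    verdicts = []
    for cid, c in checks.items():
        if c["answer"] == "ACCESS_REQ_PROXY_AUTH":
            verdicts.append(f"{cid}: 407 challenge for '{c['rule']}', request carried "
                            "no Proxy-Authorization, helper not run")
        else:
            verdicts.append(f"{cid}: {c['answer']} by '{c['rule']}'")
    return verdicts
```

Run `diagnose(analyse(SAMPLE_LOG))` to see the verdict for the excerpt: answer=2 is a challenge, not a deny, which is consistent with the DCs logging nothing and squid_kerb_auth never receiving a token.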