On Thu, 2008-10-23 at 14:25 -0400, Steven Cardinal wrote:

> I see no sign on my DCs of any failed authentication. A tcpdump trace
> on my workstation shows no attempts from my Windows PC to perform any
> kerberos authentication. If I try running the command line specified
> in the squid.conf, I get:

Then your browsers do not trust the proxy with kerberos authentication.

Verify that you have configured the proxy by name and not IP in the browser proxy settings. To be exact the proxy name needs to match both a name that the browser trusts with Kerberos authentication AND a server kerberos ticket (or whatever those are called, kept in the keytab, kerberos is not a strong field of mine..)

> I'm guessing, however, that squid_kerb_auth can't be run just like
> that, however.

Correct. You need to speak base64 encoded GSSAPI wrapped in Microsoft Negotiate SSP protocol format wrapped in the "Squid NTLM/Negotiate protocol" to it..

> Any ideas where I should look? I set my keytab file to be
> world-readable as a test and that didn't help.

It seems you don't even get that far.. the very first steps are not dependent on the helper, only the browser.. only when the browser agrees on sending the initial negotiation packet is the helper called. Until then all that happens is that Squid says that authentication is required to continue and the Negotiate SSP authentication protocol is supported.

Regards
Henrik
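An added troubleshooting example, not part of the original message: it reads the headers of a captured 407 response and the browser's next request and reports how far the Negotiate exchange described above got. The function names and sample headers are constructed for illustration, and the token classification (an initial SPNEGO/Kerberos token begins with byte 0x60, an NTLM token with "NTLMSSP\0") goes slightly beyond what the message states.

```python
import base64

# Constructed sample exchange (header lines only), not taken from the thread.
CHALLENGE = [
    "HTTP/1.0 407 Proxy Authentication Required",
    "Proxy-Authenticate: Negotiate",
]
# The browser's next request carries no credentials: it declined the challenge.
REQUEST_NO_AUTH = ["GET http://example.com/ HTTP/1.1", "Host: example.com"]
# Constructed token prefixes: GSS-API/SPNEGO starts 0x60, NTLM starts "NTLMSSP\0".
SPNEGO_TOKEN = base64.b64encode(b"\x60\x82\x01\x00" + b"\x00" * 8).decode()
NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()


def header_values(lines, name):
    """Return every value of an HTTP header, matching the name case-insensitively."""
    values = []
    for line in lines[1:]:  # skip the request/status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def token_kind(b64):
    """Classify a Negotiate token by its leading bytes."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return "invalid-base64"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"      # browser fell back to NTLM inside Negotiate
    if raw[:1] == b"\x60":
        return "spnego"    # GSS-API token, as a Kerberos helper expects
    return "unknown"


def handshake_stage(response, next_request):
    """Report how far a 407 challenge and the browser's following request got."""
    offered = [v.split()[0].lower() for v in header_values(response, "Proxy-Authenticate") if v]
    if response[0].split()[1:2] != ["407"] or "negotiate" not in offered:
        return "proxy-did-not-offer-negotiate"
    for value in header_values(next_request, "Proxy-Authorization"):
        scheme, _, token = value.partition(" ")
        if scheme.lower() == "negotiate":
            # Only at this point is the token handed to the helper.
            return "helper-called:" + token_kind(token.strip())
    return "browser-sent-no-token"
```

A result of `browser-sent-no-token` matches the situation in this thread: the proxy advertised Negotiate, the browser never answered, so the helper and keytab were never consulted.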