Search squid archive

Re: kerberos (AD) authentication - squid_kerb_auth

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 
"Jeremy Monnet" <jmonnet@xxxxxxxxx> wrote in message news:2b1bd02c0908251050i6e63cecaxeb29ceecd2a845e8@xxxxxxxxxxxxxxxxx 
Hi,

I a m trying to authenticate users through kerberos on a windows 2003
server AD. Basically, I followed the klaubert tutorial [1], part on
Negotiate/kerberos authentication.



See also http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos


The kerberos stuff seems ok, I can get some tickets using kinit and
see them using klist.

The error message I get is "authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH received type 1 NTLM
token'", and I saw a previous thread talking about that [2], but I am
sorry I don't understand most of it. When it says "squid_kerb_auth
only support Kerberos, but it looks like that your client for some
reason attempted to use NTLM. ", does this mean the web browser/gssapi
or stuff on the client side is the problem ? Is there anything to do
on the windows client machine to send just a standard kerberos ticket
?
Possibly. It is important that the proxy you have configured is the fqdn and that your web Browser supports negotiate proxy authentication (e.g IE > 7 or Firefox) 



Or is the integration of ntlm_auth into squid_kerb_auth achieved
(couldn't find news on that point) and a better thing to use ?



No only Kerberos



And, last but not least, it seems we can start squid_kerb_auth from
the command line in standalone (well, that's the way it works with
squid), is there a way to use it to debug the situation ?
Yes Just start it onthe command line and input YR <token> where <token> is a base64 encoded token. There is a small test program squid_kerb_auth_test.c at http://squidkerbauth.cvs.sourceforge.net/viewvc/squidkerbauth/squid_kerb_auth/ 

which you can run as follows:

kinit user@DOMAIN
./squid_kerb_auth_test <proxy fqdn> 200 | ./squid_kerb_auth -d -s HTTP/<proxy fqdn> 

This will create 200 authentication requests for testing.



Thanks for your answers,



Regards
Markus


Jeremy
[1] http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/ [2] http://www.nabble.com/Negotiate-problem-%27BH-received-type-1-NTLM-token%27-td17981333.html
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux