Hi, I'm trying to get the squid helper squid_kerb_auth to work against our Active Directory (win 2003 r2). I'm using squid 3.0.STABLE14 Squid Cache: Version 3.0.STABLE14 configure options: '--build=x86_64-mandriva-linux-gnu' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--sysconfdir=/etc/squid' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--x-includes=/usr/include' '--x-libraries=/usr/lib64' '--enable-shared=yes' '--enable-static=no' '--enable-xmalloc-statistics' '--enable-carp' '--enable-async-io' '--enable-storeio=aufs,diskd,null,ufs' '--enable-disk-io=AIO,Blocking,DiskDaemon,DiskThreads' '--enable-removal-policies=heap,lru' '--enable-icmp' '--enable-delay-pools' '--disable-esi' '--enable-icap-client' '--enable-useragent-log' '--enable-referer-log' '--enable-wccp' '--enable-wccpv2' '--disable-kill-parent-hack' '--enable-snmp' '--enable-cachemgr-hostname=localhost' '--enable-arp-acl' '--enable-htcp' '--enable-ssl' '--enable-forw-via-db' '--enable-cache-digests' '--disable-poll' '--enable-epoll' '--enable-linux-netfilter' '--disable-ident-lookups' '--enable-default-hostsfile=/etc/hosts' '--enable-auth=basic,digest,negotiate,ntlm' '--enable-basic-auth-helpers=getpwnam,LDAP,MSNT,multi-domain-NTLM,NCSA,PAM,SMB,YP,SASL,POP3,DB,squid_radius_auth' '--enable-ntlm-auth-helpers=fakeauth,no_check,SMB' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-digest-auth-helpers=password,ldap,eDirectory' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--with-default-user=squid' '--with-pthreads' '--with-dl' '--with-openssl=/usr' '--with-large-files' '--with-build-environment=default' '--with-filedescriptors=1024' 'build_alias=x86_64-mandriva-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64' 'LDFLAGS= -Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro' 'CPPFLAGS=-I/usr/include/openssl ' 'CXXFLAGS=-O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64' A keytab file was create on AD for squid (HTTP/fqdn@REALM) ktpass -princ HTTP/fqdn@REALM -mapuser squiduser -pass password -ptype KRB5_NT_SRV_HST -out HTTP.keytab Transferred the file to the squid server and placed it in /etc/squid/HTTP.keytab kinit -k -t /etc/squid/HTTP.keytab HTTP/fqdn@REALM it works! At /etc/init.d/squid, I have included: KRB5_KTNAME=/etc/squid/HTTP.keytab export KRB5_KTNAME I have configured /etc/squid/squid.conf to use squid_kerb_auth I am using IE as client and set the proxy to fqdn. When i try to go to http://www.squid-cache.org/, IE asks for login and password, but it fails. The messages between squid an IE are: IE -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...] SQUID -> IE HTTP/1.0 407 Proxy Authentication Required Server: squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...] IE -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...] Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw== SQUID -> IE HTTP/1.0 407 Proxy Authentication Required Server: squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...] Seems like IE tries to authenticate with NTLM, and not with kerberos. How do I sort out this problem? Thanks in advance. Regards Jose Lopes
