Hi Markus,

I don't have that problem, when I am using user@REALM
I forgot to use @REALM.

Now I am trying with firefox and have the same problem that appears at
the topic "squid_kerb_auth problem".
I will reply to the topic "squid_kerb_auth problem".

Thanks
Jose

Markus Moeller wrote:
> Can you run squid_kerb_auth with -d and send me the output please ?
>
> Markus
>
>
> "Jose Lopes" <jlopes@xxxxxxxxxxxxxx> wrote in message
> news:4B545789.1090706@xxxxxxxxxxxxxxxxx
>> Hi,
>>
>> I'm trying to get the squid helper squid_kerb_auth to work against our
>> Active Directory (win 2003 r2).
>>
>> I'm using squid 3.0.STABLE14
>>
>> Squid Cache: Version 3.0.STABLE14
>> configure options: '--build=x86_64-mandriva-linux-gnu' '--prefix=/usr'
>> '--exec-prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin'
>> '--sysconfdir=/etc/squid' '--datadir=/usr/share'
>> '--includedir=/usr/include' '--libdir=/usr/lib64'
>> '--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
>> '--sharedstatedir=/usr/com' '--mandir=/usr/share/man'
>> '--infodir=/usr/share/info' '--x-includes=/usr/include'
>> '--x-libraries=/usr/lib64' '--enable-shared=yes' '--enable-static=no'
>> '--enable-xmalloc-statistics' '--enable-carp' '--enable-async-io'
>> '--enable-storeio=aufs,diskd,null,ufs'
>> '--enable-disk-io=AIO,Blocking,DiskDaemon,DiskThreads'
>> '--enable-removal-policies=heap,lru' '--enable-icmp'
>> '--enable-delay-pools' '--disable-esi' '--enable-icap-client'
>> '--enable-useragent-log' '--enable-referer-log' '--enable-wccp'
>> '--enable-wccpv2' '--disable-kill-parent-hack' '--enable-snmp'
>> '--enable-cachemgr-hostname=localhost' '--enable-arp-acl'
>> '--enable-htcp' '--enable-ssl' '--enable-forw-via-db'
>> '--enable-cache-digests' '--disable-poll' '--enable-epoll'
>> '--enable-linux-netfilter' '--disable-ident-lookups'
>> '--enable-default-hostsfile=/etc/hosts'
>> '--enable-auth=basic,digest,negotiate,ntlm'
>> '--enable-basic-auth-helpers=getpwnam,LDAP,MSNT,multi-domain-NTLM,NCSA,PAM,SMB,YP,SASL,POP3,DB,squid_radius_auth'
>> '--enable-ntlm-auth-helpers=fakeauth,no_check,SMB'
>> '--enable-negotiate-auth-helpers=squid_kerb_auth'
>> '--enable-digest-auth-helpers=password,ldap,eDirectory'
>> '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
>> '--with-default-user=squid' '--with-pthreads' '--with-dl'
>> '--with-openssl=/usr' '--with-large-files'
>> '--with-build-environment=default' '--with-filedescriptors=1024'
>> 'build_alias=x86_64-mandriva-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wformat
>> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
>> -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all
>> -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64' 'LDFLAGS= -Wl,--as-needed
>> -Wl,--no-undefined -Wl,-z,relro' 'CPPFLAGS=-I/usr/include/openssl '
>> 'CXXFLAGS=-O2 -g -pipe -Wformat -Werror=format-security
>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
>> --param=ssp-buffer-size=4 -fstack-protector-all -D_LARGEFILE64_SOURCE
>> -D_FILE_OFFSET_BITS=64'
>>
>>
>> A keytab file was created on AD for squid
>> (HTTP/fqdn@REALM)
>>
>> ktpass -princ HTTP/fqdn@REALM -mapuser squiduser
>> -pass password -ptype KRB5_NT_SRV_HST -out HTTP.keytab
>>
>> Transferred the file to the squid server and placed it
>> in /etc/squid/HTTP.keytab
>>
>>
>> kinit -k -t /etc/squid/HTTP.keytab HTTP/fqdn@REALM
>> it works!
>>
>>
>> At /etc/init.d/squid, I have included:
>> KRB5_KTNAME=/etc/squid/HTTP.keytab
>> export KRB5_KTNAME
>>
>> I have configured /etc/squid/squid.conf to use squid_kerb_auth
>>
>> I am using IE as client and set the proxy to fqdn.
>>
>> When I try to go to http://www.squid-cache.org/, IE asks for login and
>> password, but it fails.
>> The messages between squid and IE are:
>>
>> IE -> SQUID
>> GET http://www.squid-cache.org/ HTTP/1.1
>> [...]
>>
>> SQUID -> IE
>> HTTP/1.0 407 Proxy Authentication Required
>> Server: squid/3.0.STABLE14
>> [...]
>> Proxy-Authenticate: Negotiate
>> [...]
>>
>> IE -> SQUID
>> GET http://www.squid-cache.org/ HTTP/1.1
>> [...]
>> Proxy-Authorization: Negotiate
>> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>>
>> SQUID -> IE
>> HTTP/1.0 407 Proxy Authentication Required
>> Server: squid/3.0.STABLE14
>> [...]
>> Proxy-Authenticate: Negotiate
>> [...]
>>
>> Seems like IE tries to authenticate with NTLM, and not with kerberos.
>>
>> How do I sort out this problem?
>>
>>
>> Thanks in advance.
>> Regards
>> Jose Lopes
>>
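
Added example, not part of the original thread: a small Python check that decodes the token of a Negotiate header and reports whether it carries an NTLMSSP message or a GSS-API token (SPNEGO or Kerberos 5), which is how the NTLM observation in the quoted exchange can be confirmed. The function and constant names are hypothetical; the first header value is the token quoted in the thread, the second is a constructed sample.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs that open a GSS-API InitialContextToken.
GSS_MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",            # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",  # 1.2.840.113554.1.2.2
}

# Token copied from the Proxy-Authorization header quoted in the thread.
THREAD_HEADER = "Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
# Constructed sample: minimal GSS-API framing carrying only the SPNEGO OID.
CONSTRUCTED_SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    bytes.fromhex("600a06062b0601050502a000")).decode()


def classify_negotiate(header_value):
    """Return (mechanism, ntlm_message_type or None) for a Negotiate header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    blob = blob.strip()
    if scheme.lower() != "negotiate":
        return ("not-negotiate", None)
    if not blob:
        return ("no-token", None)  # bare challenge, e.g. "Proxy-Authenticate: Negotiate"
    try:
        token = base64.b64decode(blob, validate=True)
    except ValueError:
        return ("invalid-base64", None)
    if token.startswith(NTLMSSP_SIGNATURE) and len(token) >= 12:
        # NTLMSSP: 8-byte signature, then a little-endian 32-bit message type.
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return ("NTLMSSP", msg_type)
    if token[:1] == b"\x60" and len(token) > 2:
        # Skip the DER length (short form: 1 byte; long form: 0x80|n then n bytes).
        pos = 2 + (token[1] & 0x7F if token[1] & 0x80 else 0)
        if pos + 2 <= len(token) and token[pos] == 0x06:
            oid = token[pos + 2 : pos + 2 + token[pos + 1]]
            return (GSS_MECH_OIDS.get(oid, "unknown-gss-mechanism"), None)
    return ("unknown", None)


if __name__ == "__main__":
    for value in (THREAD_HEADER, CONSTRUCTED_SPNEGO_HEADER, "Negotiate"):
        print(value[:30], "->", classify_negotiate(value))
```

For the token in the thread this reports NTLMSSP with message type 1, the opening NTLM negotiate message, rather than a Kerberos ticket wrapped in GSS-API framing.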