
Re: squid_kerb_auth received type 1 NTLM token

Can you get a Wireshark capture of port 53 (DNS), port 88 (Kerberos) and port 3128 (Squid) from your client machine when you try to surf? Can you also install KerbTray from Microsoft to list the tickets in your client's Kerberos cache?

Regards
Markus


"Lieven" <lieven@xxxxx> wrote in message news:4BE1D106.7090207@xxxxxxxx
Dear list,

I currently have a problem where it seems that my clients, the web browsers Firefox 3.5 and IE8, only return NTLM tokens for authentication instead of Kerberos.

This is the error in the cache log from Squid:

...
squid_kerb_auth: WARNING: received type 1 NTLM token
authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
...


Squid has been configured like this:
./configure --enable-negotiate-auth-helpers=squid_kerb_auth --enable-stacktraces --prefix=/opt/squid-3.1.3
make and make install went fine.

The Squid box is a cleanly installed Debian Lenny i386.

Squid itself seems to run fine, I can browse through it.

My goal of using Kerberos authentication then fails with the error above.
In my krb5.conf I have the following info in my realm:
   kdc = xxx.xxx.xxx.xxx
   admin_server = xxx.xxx.xxx.xxx
These are the libdefaults:
[libdefaults]
   default_realm = DOMAIN.LOCAL
   dns_lookup_kdc = no
   dns_lookup_realm = no
   default_keytab_name = /etc/HTTP.keytab
   ticket_lifetime = 24h

The /etc/HTTP.keytab file looks like this:
-rw-r----- 1 squid squid 532 2010-05-05 20:58 /etc/HTTP.keytab
Squid is running as user "squid".

First I got a kerberos ticket with:
kinit administrator
I can see a krbtgt ticket with klist.

I'm trying to authenticate against a Windows 2008 DC and I used msktutil like this: msktutil -c -b "CN=COMPUTERS" -s HTTP/domain.local -h domain.local -k /etc/HTTP.keytab --computer-name squid3-proxy --upn HTTP/domain.local --server ad2008srvr.domain.local --verbose --enctypes 28

The Squid config file is quite basic. (Only the relevant parts here, I think.)
auth_param negotiate program /opt/squid-3.1.3/sbin/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl AUTHENTICATED proxy_auth REQUIRED
http_access allow AUTHENTICATED


DNS seems to work alright, the AD server is used for dns and has a working A and PTR record for the squid3-proxy.domain.local server because the A and PTR lookups return the correct results when run from the server and from the clients.

Is there anybody out there who can help me troubleshoot this problem?
I found tutorials where the keytab file is created on the windows server but that's not necessary if I use the msktutil, right?

Thanks a lot. I've been trying to get this to work for some time now.

cheers,
Lieven
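The "received type 1 NTLM token" warning above is decided by the leading bytes of the blob the browser sends in its Proxy-Authorization: Negotiate header: an NTLMSSP signature means the client fell back to NTLM, while a GSS-API token starts with an ASN.1 0x60 tag followed by the mechanism OID (SPNEGO or Kerberos 5). The decoder below is an added example for reading those header values out of a capture like the one Markus asks for; it is not part of this thread or of Squid, and the three header values it ships with are constructed samples.

```python
import base64

MECH_OIDS = {  # mechanism OIDs an RFC 2743 InitialContextToken names after its 0x60 tag
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "MS Kerberos 5 (legacy OID)",
}

def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(body):
    """Turn BER OID contents into dotted form (first byte packs two arcs)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def classify_negotiate_token(header_value):
    """Describe the blob carried by a 'Proxy-Authorization: Negotiate <b64>' value."""
    b64 = header_value.split(None, 1)[1] if header_value.startswith("Negotiate") else header_value
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):          # the case squid_kerb_auth warns about
        return f"NTLM type {int.from_bytes(raw[8:12], 'little')}"
    if raw[:1] == b"\x60":                      # GSS-API InitialContextToken
        _, pos = _der_len(raw, 1)
        if raw[pos] != 0x06:
            return "GSS token without mechanism OID"
        oid_len, pos = _der_len(raw, pos + 1)
        oid = _decode_oid(raw[pos:pos + oid_len])
        return f"GSS {MECH_OIDS.get(oid, oid)}"
    if raw[:1] == b"\xa1":                      # SPNEGO NegTokenResp, a later round
        return "SPNEGO NegTokenResp (continuation)"
    return "unrecognised token"

# Constructed sample tokens (not taken from the thread): NTLM type 1, SPNEGO NegTokenInit,
# and a raw Kerberos 5 AP-REQ wrapper, each as the browser would base64 them in the header.
NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + b"\x00" * 16
SPNEGO_INIT = b"\x60\x0e\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x04\x30\x02\xa0\x00"
KRB5_APREQ = b"\x60\x0d\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01\x00"
SAMPLE_HEADERS = {name: "Negotiate " + base64.b64encode(tok).decode() for name, tok in
                  (("ntlm", NTLM_TYPE1), ("spnego", SPNEGO_INIT), ("krb5", KRB5_APREQ))}
```

Feed it the Negotiate header value from the client's first request in the capture: "NTLM type 1" confirms the fallback seen in the log, while "GSS SPNEGO" or "GSS Kerberos 5" means the browser did obtain a service ticket for the proxy.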
