Hi all,

I've been trying to get my squid 2.7 S9 to work with kerberos authentication against an AD 2003 server for a couple of weeks now but still failed. I've read through lots of posts in the list and different tutorials, following them one at a time, but still no go. I've been following the tuts by Klaubert (http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/) and the wiki too. I've tried using squid_kerb_auth both from the squid dist and from sourceforge v1.0.5. Here is what I did:

=> configured squid with these options:

./configure --prefix=/usr/local/squid --with-maxfd=16384 --enable-storeio=aufs,coss --enable-removal-policies=lru,heap --enable-delay-pools --disable-wccp --disable-wccpv2 --enable-arp-acl --enable-coss-aio-ops --disable-ident-lookups --enable-auth="ntlm,basic,negotiate" --enable-ntlm-auth-helpers="SMB" --enable-negotiate-auth-helpers="squid_kerb_auth" --enable-basic-auth-helpers="LDAP" --enable-external-acl-helpers="ldap_group" --with-large-files

=> created a user "proxy.domain" in the AD server

=> created the keytab on the AD server:

ktpass -princ HTTP/proxy.domain@xxxxxxxxxxxx -mapuser proxy.domain -crypto rc4-hmac-nt -pass <password> -ptype KRB5_NT_SRV_HST -out proxy.domain.keytab

and transferred it to the squid server as /etc/proxy.domain.keytab

chmod 400 /etc/proxy.domain.keytab
chown nobody /etc/proxy.domain.keytab

=> /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MYDOMAIN.COM = {
  kdc = dc1.mydomain.com:88
  kdc = dc2.mydomain.com:88
  kdc = dc3.mydomain.com:88
  admin_server = dc1.mydomain.com:749
  admin_server = dc2.mydomain.com:749
  admin_server = dc3.mydomain.com:749
  default_domain = mydomain.com
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM

;[kdc]
; profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

=> tested the keytab file

[root@proxy ~]# kinit -V -k -t /etc/proxy.domain.keytab HTTP/proxy.domain
Authenticated to Kerberos v5

=> squid startup script

#!/bin/bash
export KRB5_KTNAME=/etc/proxy.domain.keytab
/usr/sbin/squid -D

=> squid.conf file

auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

=> after starting squid, ps ax output

 7040 ?        Ss     0:00 /usr/sbin/squid -D
 7042 ?        Sl     0:00 (squid) -D
 7043 ?        S      0:00 (squid_kerb_auth) -d
 7044 ?        S      0:00 (squid_kerb_auth) -d
 7045 ?        S      0:00 (squid_kerb_auth) -d
 7046 ?        S      0:00 (squid_kerb_auth) -d
 7047 ?        S      0:00 (squid_kerb_auth) -d
 7048 ?        S      0:00 (squid_kerb_auth) -d
 7049 ?        S      0:00 (squid_kerb_auth) -d
 7050 ?        S      0:00 (squid_kerb_auth) -d
 7051 ?        S      0:00 (squid_kerb_auth) -d
 7052 ?        S      0:00 (squid_kerb_auth) -d
 7053 ?        S      0:00 (unlinkd)

=> the proxy has A and PTR records for its fqdn in the AD server (DNS) and resolves fine. IE7 on the client machine (Windows XP) is set up with the fqdn as the proxy address. When trying to access the internet, the login prompt comes up repeatedly and dies with a denied message after 3 attempts.

=> when using squid_kerb_auth v1.0.5 from sourceforge:

2010/08/29 10:59:00| Parser: retval 1: from 0->41: method 0->2; url 4->30; version 32->40 (1/1)
2010/08/29 10:59:00| The request GET http://www.squid-cache.org/ is DENIED, because it matched 'authenticated'
2010/08/29 10:59:00| The reply for GET http://www.squid-cache.org/ is ALLOWED, because it matched 'authenticated'
2010/08/29 10:59:00| Parser: retval 1: from 0->41: method 0->2; url 4->30; version 32->40 (1/1)
2010/08/29 10:59:00| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
2010/08/29 10:59:00| squid_kerb_auth: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length: 40).
2010/08/29 10:59:00| squid_kerb_auth: received type 1 NTLM token
2010/08/29 10:59:00| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2010/08/29 10:59:00| The request GET http://www.squid-cache.org/ is DENIED, because it matched 'authenticated'
2010/08/29 10:59:00| The reply for GET http://www.squid-cache.org/ is ALLOWED, because it matched 'authenticated'
2010/08/29 11:03:49| Parser: retval 1: from 0->41: method 0->2; url 4->30; version 32->40 (1/1)
2010/08/29 11:03:49| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
2010/08/29 11:03:49| squid_kerb_auth: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length: 40).
2010/08/29 11:03:49| squid_kerb_auth: received type 1 NTLM token
2010/08/29 11:03:49| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2010/08/29 11:03:49| The request GET http://www.squid-cache.org/ is DENIED, because it matched 'authenticated'
2010/08/29 11:03:49| The reply for GET http://www.squid-cache.org/ is ALLOWED, because it matched 'authenticated'
2010/08/29 11:03:50| Parser: retval 1: from 0->41: method 0->2; url 4->30; version 32->40 (1/1)
2010/08/29 11:03:50| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
2010/08/29 11:03:50| squid_kerb_auth: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length: 40).
2010/08/29 11:03:50| squid_kerb_auth: received type 1 NTLM token
2010/08/29 11:03:50| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2010/08/29 11:03:50| The request GET http://www.squid-cache.org/ is DENIED, because it matched 'authenticated'
2010/08/29 11:03:50| The reply for GET http://www.squid-cache.org/ is ALLOWED, because it matched 'authenticated'
2010/08/29 11:03:50| Parser: retval 1: from 0->41: method 0->2; url 4->30; version 32->40 (1/1)
2010/08/29 11:03:50| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
2010/08/29 11:03:50| squid_kerb_auth: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length: 40).
2010/08/29 11:03:50| squid_kerb_auth: received type 1 NTLM token

=> using squid_kerb_auth from the squid 2.7 Stable9 distribution:

2010/08/29 11:09:14| Parser: retval 1: from 0->41: method 0->2; url 4->30; version 32->40 (1/1)
2010/08/29 11:09:14| The request GET http://www.squid-cache.org/ is DENIED, because it matched 'authenticated'
2010/08/29 11:09:14| The reply for GET http://www.squid-cache.org/ is ALLOWED, because it matched 'authenticated'
2010/08/29 11:09:15| Parser: retval 1: from 0->41: method 0->2; url 4->30; version 32->40 (1/1)
2010/08/29 11:09:15| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
2010/08/29 11:09:15| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/08/29 11:09:15| squid_kerb_auth: received type 1 NTLM token
2010/08/29 11:09:15| authenticateNegotiateAuthenticateUser: need to challenge client 'received'!
2010/08/29 11:09:15| The request GET http://www.squid-cache.org/ is DENIED, because it matched 'authenticated'
2010/08/29 11:09:15| The reply for GET http://www.squid-cache.org/ is ALLOWED, because it matched 'authenticated'
2010/08/29 11:09:15| Parser: retval 1: from 0->41: method 0->2; url 4->30; version 32->40 (1/1)
2010/08/29 11:09:15| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
2010/08/29 11:09:15| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/08/29 11:09:15| squid_kerb_auth: received type 1 NTLM token
2010/08/29 11:09:15| authenticateNegotiateAuthenticateUser: need to challenge client 'received'!
2010/08/29 11:09:15| The request GET http://www.squid-cache.org/ is DENIED, because it matched 'authenticated'
2010/08/29 11:09:15| The reply for GET http://www.squid-cache.org/ is ALLOWED, because it matched 'authenticated'
2010/08/29 11:09:16| Parser: retval 1: from 0->41: method 0->2; url 4->30; version 32->40 (1/1)
2010/08/29 11:09:16| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
2010/08/29 11:09:16| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/08/29 11:09:16| squid_kerb_auth: received type 1 NTLM token
2010/08/29 11:09:16| authenticateNegotiateAuthenticateUser: need to challenge client 'received'!
2010/08/29 11:09:16| The request GET http://www.squid-cache.org/ is DENIED, because it matched 'authenticated'
2010/08/29 11:09:16| The reply for GET http://www.squid-cache.org/ is ALLOWED, because it matched 'authenticated'
2010/08/29 11:09:16| Parser: retval 1: from 0->41: method 0->2; url 4->30; version 32->40 (1/1)
2010/08/29 11:09:16| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
2010/08/29 11:09:16| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/08/29 11:09:16| squid_kerb_auth: received type 1 NTLM token
2010/08/29 11:09:16| authenticateNegotiateAuthenticateUser: need to challenge client 'received'!
2010/08/29 11:09:16| The request GET http://www.squid-cache.org/ is DENIED, because it matched 'authenticated'
2010/08/29 11:09:16| The reply for GET http://www.squid-cache.org/ is ALLOWED, because it matched 'authenticated'

kerbtray shows krbtgt/MYDOMAIN.COM entries listed.

I'm obviously doing something wrong here.. please help pointing out what I am doing wrong.

Thanks
Manoj
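An added example, not part of Manoj's post or of the squid_kerb_auth helper: the helper log above shows squid handing the helper the line 'YR TlRMTVNTUAAB...' and the helper reporting it as a type 1 NTLM token. When triaging this kind of Negotiate failure, the first question is what the browser actually sent: a raw NTLMSSP message, a GSS-API token carrying Kerberos directly, or a SPNEGO NegTokenInit (and which mechanisms it lists). The decoder below answers that for any base64 token. The NTLMSSP token is copied from the log above; the SPNEGO and Kerberos tokens are constructed by the block's own minimal DER encoder (mechTypes only, no mechToken), and the 'YR <token>' line handling simply strips the two-letter helper verb seen in the log. The OIDs are the standard GSS-API mechanism OIDs (RFC 2743, RFC 4178, RFC 4121 and the Microsoft Kerberos/NTLMSSP OIDs).

```python
import base64

# Standard GSS-API mechanism OIDs (dotted form) and the names this example reports for them.
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
OID_NAMES = {OID_SPNEGO: "SPNEGO", OID_KRB5: "KRB5", OID_MS_KRB5: "MS-KRB5", OID_NTLMSSP: "NTLMSSP"}

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Token copied from the squid_kerb_auth log lines in the post above (the part after "YR ").
PAGE_NTLM_TOKEN = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="


def _der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV with the given tag (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _read_tlv(buf: bytes, idx: int):
    """Read one DER TLV starting at buf[idx]; return (tag, body, index after the TLV)."""
    tag, length = buf[idx], buf[idx + 1]
    idx += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[idx:idx + n], "big")
        idx += n
    return tag, buf[idx:idx + length], idx + length


def _encode_oid(oid: str) -> bytes:
    """DER-encode a dotted OID (base-128 arcs, first two arcs packed into one byte)."""
    parts = [int(p) for p in oid.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for arc in parts[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _der(0x06, bytes(out))


def _decode_oid(body: bytes) -> str:
    parts = [str(body[0] // 40), str(body[0] % 40)]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def classify_negotiate_token(token_b64: str) -> dict:
    """Report which mechanism a base64 Negotiate token carries, and the SPNEGO mechTypes if any."""
    raw = base64.b64decode(token_b64)
    result = {"mechanism": "unknown", "ntlm_message_type": None, "mech_types": []}
    if raw.startswith(NTLMSSP_SIGNATURE):
        # Raw NTLMSSP message: 8-byte signature, then a little-endian message type (1, 2 or 3).
        result["mechanism"] = "NTLMSSP"
        result["ntlm_message_type"] = int.from_bytes(raw[8:12], "little")
        return result
    if not raw or raw[0] != 0x60:
        return result
    # GSS-API InitialContextToken (RFC 2743 3.1): [APPLICATION 0] { mechanism OID, inner token }
    _, body, _ = _read_tlv(raw, 0)
    tag, oid_body, nxt = _read_tlv(body, 0)
    if tag != 0x06:
        return result
    mech = _decode_oid(oid_body)
    result["mechanism"] = OID_NAMES.get(mech, mech)
    if mech == OID_SPNEGO and nxt < len(body):
        # NegTokenInit (RFC 4178): [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
        tag, neg, _ = _read_tlv(body, nxt)
        if tag == 0xA0:
            _, seq, _ = _read_tlv(neg, 0)
            tag, ctx0, _ = _read_tlv(seq, 0)
            if tag == 0xA0:
                _, mech_list, _ = _read_tlv(ctx0, 0)
                i = 0
                while i < len(mech_list):
                    _, oid_body, i = _read_tlv(mech_list, i)
                    oid = _decode_oid(oid_body)
                    result["mech_types"].append(OID_NAMES.get(oid, oid))
    return result


def classify_helper_line(line: str) -> dict:
    """Accept a squid negotiate-helper input line such as 'YR <base64>' (the form seen in the log)."""
    verb, _, token = line.strip().partition(" ")
    return classify_negotiate_token(token if token else verb)


def build_gssapi_token(mech_oid: str, inner: bytes) -> str:
    """Constructed GSS-API InitialContextToken wrapping `inner` under mech_oid, base64 encoded."""
    return base64.b64encode(_der(0x60, _encode_oid(mech_oid) + inner)).decode()


def build_spnego_init_token(mech_oids) -> str:
    """Constructed SPNEGO NegTokenInit carrying only a mechTypes list (mechToken omitted)."""
    mech_list = _der(0x30, b"".join(_encode_oid(o) for o in mech_oids))
    return build_gssapi_token(OID_SPNEGO, _der(0xA0, _der(0x30, _der(0xA0, mech_list))))


if __name__ == "__main__":
    print(classify_helper_line("YR " + PAGE_NTLM_TOKEN))
    print(classify_negotiate_token(build_spnego_init_token([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP])))
```

Run against the token from the log, it reports NTLMSSP with message type 1, which is exactly what the helper printed; a Kerberos-capable client would instead produce a 0x60-prefixed GSS-API token whose SPNEGO mechTypes list MS-KRB5 or KRB5 first. Pasting tokens from cache.log into this decoder is a quick way to confirm whether the browser side is offering Kerberos at all before spending time on the keytab and krb5.conf.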