Re: Simple Kerberos/Squid configuration "received type 1 NTLM token"

"barbarossa" <bDmanLIB@xxxxxxxxxxx> wrote in message news:1285675470312-2717106.post@xxxxxxxxxxxxxxxx

So, I set the following in about:config (Firefox):
*network.auth.use-sspi: false
*network.negotiate-auth.gsslib: C:\Program Files\MIT\Kerberos\bin\gssapi32.dll
*network.negotiate-auth.using-native-gsslib: false

Then I got in /var/log/squid/cache.log:
squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor
code may provide more information. No principal in keytab matches desired
name

After searching the mailinglists, I saw that the principal did exist but I
had 2 keytab files. One of them was old and squid used the old one.

Now, Firefox works! Great.

As for IE, it shows a login dialog, when entering username@REALM I get:

2010/09/28 11:44:28| squid_kerb_auth: Got 'YR
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'
from squid (length: 755).
2010/09/28 11:44:28| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/09/28 11:44:28| squid_kerb_auth: gss_accept_sec_context() failed:
Unspecified GSS failure. Minor code may provide more information. Key table
entry not found

This does not look too bad as it seems to be a Kerberos, not an NTLM, token. Did you use the correct FQDN for the squid proxy in your IE configuration (e.g. the exact same name as used for the keytab entry)? Can you capture the traffic to squid (usually port 3128) with Wireshark? It should tell you the details of the ticket from the Negotiate exchange.


So, IE does not use the MIT kerberos ticket I created. Is there a way to
configure it?


What you might be able to do, and what already seems to have happened, is that XP is looking for a KDC via DNS. Can you check the DNS port 53 traffic and Kerberos traffic on port 88 from your XP system using Wireshark?

Thanks.
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Simple-Kerberos-Squid-configuration-received-type-1-NTLM-token-tp2553379p2717106.html
Sent from the Squid - Users mailing list archive at Nabble.com.
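
The Kerberos-versus-NTLM question discussed in this thread can be answered from the token itself, without a packet capture. The following is an added example, not part of the original messages and not squid_kerb_auth code: it decodes the base64 string that follows `YR` in cache.log (or `Negotiate` in a Proxy-Authorization header) and reports the mechanism. The names `classify_token` and `SAMPLE_NTLM` are hypothetical, and the sample token is constructed.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"
OIDS = {  # DER-encoded OID contents
    "SPNEGO": bytes.fromhex("2b0601050502"),             # 1.3.6.1.5.5.2
    "Kerberos": bytes.fromhex("2a864886f712010202"),     # 1.2.840.113554.1.2.2
    "MS-Kerberos": bytes.fromhex("2a864882f712010202"),  # 1.2.840.48018.1.2.2
    "NTLM": bytes.fromhex("2b06010401823702020a"),       # 1.3.6.1.4.1.311.2.2.10
}

def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_token(b64_token):
    """Name the mechanism carried in the base64 token of a Negotiate header."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:
        return "invalid base64"
    if raw.startswith(NTLMSSP):
        if len(raw) < 12:
            return "truncated NTLM"
        return "raw NTLM type %d" % int.from_bytes(raw[8:12], "little")
    try:
        if raw[0] != 0x60:                    # GSS-API InitialContextToken tag
            return "unknown"
        _, pos = _der_len(raw, 1)
        if raw[pos] != 0x06:                  # thisMech must be an OID
            return "unknown"
        oid_len, pos = _der_len(raw, pos + 1)
    except (ValueError, IndexError):
        return "malformed GSS-API token"
    oid, body = raw[pos:pos + oid_len], raw[pos + oid_len:]
    if oid == OIDS["Kerberos"]:
        return "raw Kerberos"
    if oid != OIDS["SPNEGO"]:
        return "unknown GSS mechanism"
    # Heuristic: look for each mechanism's OID TLV in the NegTokenInit body.
    offered = [name for name in ("Kerberos", "MS-Kerberos", "NTLM")
               if b"\x06" + bytes([len(OIDS[name])]) + OIDS[name] in body]
    return "SPNEGO offering " + ", ".join(offered) if offered else "SPNEGO, no known mechanism"

# Constructed sample: a minimal NTLM type 1 message, not a captured token.
SAMPLE_NTLM = base64.b64encode(NTLMSSP + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2").decode()
```

A result of "raw NTLM type 1" means the client never obtained a service ticket and fell back to NTLM, which points at the client-side name, DNS or KDC lookup rather than at the keytab on the proxy.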