"barbarossa" <bDmanLIB@xxxxxxxxxxx> wrote in message
news:1285675470312-2717106.post@xxxxxxxxxxxxxxxx
So, I set the following in about:config (Firefox):
*network.auth.use-sspi: false
*network.negotiate-auth.gsslib: C:\Program Files\MIT\Kerberos\bin\gssapi32.dll
*network.negotiate-auth.using-native-gsslib: false
Then I got in /var/log/squid/cache.log:
squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No principal in keytab matches desired name
After searching the mailing lists, I saw that the principal did exist but I
had 2 keytab files. One of them was old and squid used the old one.
Now, Firefox works! Great.
As for IE, it shows a login dialog, when entering username@REALM I get:
2010/09/28 11:44:28| squid_kerb_auth: Got 'YR
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'
from squid (length: 755).
2010/09/28 11:44:28| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/09/28 11:44:28| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found
This does not look too bad, as it seems to be a Kerberos, not an NTLM, token. Did
you use the correct FQDN for the squid proxy in your IE configuration (e.g.
the exact same name as used for the keytab entry)? Can you capture the
traffic to squid (usually port 3128) with Wireshark? It should tell you
the details of the ticket from the Negotiate exchange.
So, IE does not use the MIT kerberos ticket I created. Is there a way to
configure it?
What you might be able to do and want already seems to have happened is that
XP is looking for a KDC via DNS. Can you check the DNS port 53 traffic and
Kerberos traffic on port 88 from your XP system using Wireshark?
Thanks.
--
View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Simple-Kerberos-Squid-configuration-received-type-1-NTLM-token-tp2553379p2717106.html
Sent from the Squid - Users mailing list archive at Nabble.com.
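
The reply above judges the failing IE request by whether the logged token is a Kerberos or an NTLM token. As an added example (not part of the original messages and not squid_kerb_auth's own code), this Python script makes the same check on the base64 token from a `Got 'YR ...'` log line. The function names and both sample tokens are constructed here, and the SPNEGO branch scans for mechanism OIDs rather than doing a full ASN.1 parse.

```python
import base64
import re

SPNEGO = bytes.fromhex("2b0601050502")  # OID 1.3.6.1.5.5.2
MECHS = {  # DER OID content bytes -> mechanism name
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",       # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "Kerberos 5 (MS)",  # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",        # 1.3.6.1.4.1.311.2.2.10
}

def tlv(tag, body):
    """Minimal DER tag-length-value encoder (short-form lengths only)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def token_from_log(line):
    """Pull the base64 token out of a squid_kerb_auth "Got 'YR ...'" line."""
    m = re.search(r"Got 'YR ([A-Za-z0-9+/=]+)'", line)
    return m.group(1) if m else None

def classify(token_b64):
    """Say which mechanism a Negotiate token carries (hypothetical helper)."""
    raw = base64.b64decode(token_b64)
    if raw.startswith(b"NTLMSSP\x00"):  # bare NTLM message, no GSS-API framing
        return "NTLM type %d" % int.from_bytes(raw[8:12], "little")
    if len(raw) < 4 or raw[0] != 0x60:  # 0x60 = GSS-API InitialContextToken
        return "unknown"
    pos = 2 + (raw[1] & 0x7F if raw[1] & 0x80 else 0)  # skip tag and DER length
    if raw[pos:pos + 1] != b"\x06" or pos + 1 >= len(raw):
        return "unknown"
    oid = raw[pos + 2:pos + 2 + raw[pos + 1]]
    if oid in MECHS:
        return "raw " + MECHS[oid]
    if oid != SPNEGO:
        return "unknown"
    body = raw[pos + 2 + len(oid):]
    # Byte scan for the offered mechanism OIDs, in order of appearance.
    found = sorted((body.find(tlv(6, o)), n) for o, n in MECHS.items()
                   if tlv(6, o) in body)
    return "SPNEGO offering " + ", ".join(n for _, n in found)

# Constructed samples; the token in the thread's log was not preserved.
NTLM_SAMPLE = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
_mech_list = tlv(0x30, b"".join(tlv(6, o) for o in MECHS))
SPNEGO_SAMPLE = base64.b64encode(
    tlv(0x60, tlv(6, SPNEGO) + tlv(0xA0, tlv(0x30, tlv(0xA0, _mech_list))))).decode()

if __name__ == "__main__":
    for name, tok in (("NTLM", NTLM_SAMPLE), ("SPNEGO", SPNEGO_SAMPLE)):
        print(name, "->", classify(tok))
```

A token that classifies as SPNEGO or raw Kerberos while the helper still reports a key table error points at the keytab or the proxy name rather than at an NTLM fallback.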