On 20/01/11 01:12, Rafal Zawierta wrote:
Hello, I'm trying to set up squid to auth against AD. AD is on 2008 server (but functionality level of 2003). Kerberos works fine, from linux machine (debian) kinit and klist and ktutil are all right. I also have created krb5.keytab and for my proxy user I have:

ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 HTTP/squid.pfsee.net@xxxxxxxxx
   2    2 HTTP/squid.pfsee.net@xxxxxxxxx
   3    2 HTTP/squid.pfsee.net@xxxxxxxxx
   4    2 HTTP/squid@xxxxxxxxx
   5    2 HTTP/squid@xxxxxxxxx
   6    2 HTTP/squid@xxxxxxxxx
ktutil: q

squid - hostname of linux machine
pfsee.net - my AD domain

Squid3 cache.log (at startup):

2011/01/19 13:07:43| Process ID 1782
2011/01/19 13:07:43| With 65535 file descriptors available
2011/01/19 13:07:43| Initializing IP Cache...
2011/01/19 13:07:43| helperOpenServers: Starting 10/10 'squid_kerb_auth' processes

(is it working now?)

First try - IE8 from my AD server (2008R2). In Lan-Proxy I have: squid.pfsee.net

When I try to open a page, I get a basic auth prompt (I really should not!) - and cache.log says:

authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

What is wrong? Is the problem with squid and linux, or on the win2k8 machine (IE client side)?
As you can see, the browser is sending an NTLM handshake instead of the Kerberos token. The current Squid auth system does not support Negotiate/NTLM, only Negotiate/Kerberos, but has no way to tell IE8 that.
* Check that you have all auth_param with Negotiate type first before other types of auth.
* Check that IE is configured to use Kerberos by reference.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4
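The helper message in the thread, "BH received type 1 NTLM token", means the base64 blob after "Negotiate" in the client's Proxy-Authorization header started with a raw NTLMSSP message rather than a Kerberos token. When debugging this on the proxy side it helps to look at the header value itself (for example from a packet capture or Squid's debug output) and classify it. The script below is an added example written for this thread; it is not Squid's code and not the squid_kerb_auth helper. It goes a little beyond the raw-NTLM case above: it also unwraps a SPNEGO NegTokenInit and lists the mechanisms the client offered, so you can see whether a browser is offering Kerberos at all or only NTLM. The OIDs are the standard ones for SPNEGO, Kerberos v5, the Microsoft Kerberos variant and NTLMSSP; the three sample headers at the bottom are constructed here, not captured from the poster's setup.

```python
"""Classify the token in a Proxy-Authorization: Negotiate header value.

Added example for this thread (not Squid's or squid_kerb_auth's code). A Negotiate
header can carry a raw NTLMSSP message, a SPNEGO NegTokenInit wrapping one or more
mechanisms, or a raw Kerberos GSS-API token. Sample tokens below are constructed.
"""
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
OID_NAMES = {OID_KRB5: "krb5", OID_MS_KRB5: "ms-krb5", OID_NTLMSSP: "ntlmssp"}


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OID contents into dotted form (first octet packs two arcs)."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def _spnego_mechs(body):
    """Return mechTypes (in offered order) from the NegotiationToken after the SPNEGO OID."""
    tag, neg_init, _ = _read_tlv(body, 0)        # [0] negTokenInit
    tag2, seq, _ = _read_tlv(neg_init, 0)        # SEQUENCE
    tag3, wrap, _ = _read_tlv(seq, 0)            # [0] mechTypes
    if (tag, tag2, tag3) != (0xA0, 0x30, 0xA0):
        return []
    _, mech_seq, _ = _read_tlv(wrap, 0)          # SEQUENCE OF OID
    mechs, pos = [], 0
    while pos < len(mech_seq):
        tag, oid, pos = _read_tlv(mech_seq, pos)
        if tag == 0x06:
            dotted = _decode_oid(oid)
            mechs.append(OID_NAMES.get(dotted, dotted))
    return mechs


def classify_negotiate_header(header_value):
    """Return {'kind': 'ntlm'|'spnego'|'kerberos'|'unknown', ...} for one header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "unknown", "reason": "scheme is %r, not Negotiate" % scheme}
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(NTLMSSP_SIGNATURE):   # raw NTLM, no SPNEGO wrapper at all
            return {"kind": "ntlm", "ntlm_message_type": int.from_bytes(token[8:12], "little")}
        tag, body, _ = _read_tlv(token, 0)
        if tag != 0x60:                            # not a GSS-API InitialContextToken
            return {"kind": "unknown", "reason": "not NTLMSSP and not a GSS-API token"}
        tag, oid, pos = _read_tlv(body, 0)
        mech = _decode_oid(oid) if tag == 0x06 else ""
        if mech == OID_SPNEGO:
            mechs = _spnego_mechs(body[pos:])
            return {"kind": "spnego", "mechs": mechs, "preferred": mechs[0] if mechs else None}
        if mech in (OID_KRB5, OID_MS_KRB5):
            return {"kind": "kerberos", "mech": OID_NAMES[mech]}
        return {"kind": "unknown", "reason": "unrecognised mechanism OID %s" % mech}
    except (ValueError, IndexError):               # bad base64 or truncated DER
        return {"kind": "unknown", "reason": "token is not valid base64 or is truncated"}


# --- constructed samples (not captured from the thread) -----------------------------
def _der(tag, content):
    """Minimal DER encoder for the short samples below (content under 128 bytes)."""
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append((arc & 0x7F) | 0x80)
        out.extend(reversed(chunk))
    return bytes(out)


def sample_headers():
    """Three constructed headers: NTLM type 1, SPNEGO preferring Kerberos, raw Kerberos."""
    ntlm1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + b"\x00" * 16
    mech_types = _der(0xA0, _der(0x30, b"".join(
        _der(0x06, _encode_oid(o)) for o in (OID_MS_KRB5, OID_KRB5, OID_NTLMSSP))))
    spnego = _der(0x60, _der(0x06, _encode_oid(OID_SPNEGO)) + _der(0xA0, _der(
        0x30, mech_types + _der(0xA2, _der(0x04, b"<AP-REQ placeholder>")))))
    krb = _der(0x60, _der(0x06, _encode_oid(OID_KRB5)) + b"\x01\x00" + b"<AP-REQ placeholder>")
    return {name: "Negotiate " + base64.b64encode(tok).decode()
            for name, tok in (("ntlm_type1", ntlm1), ("spnego_krb_first", spnego), ("raw_krb5", krb))}


if __name__ == "__main__":
    for name, hdr in sample_headers().items():
        print(name, "->", classify_negotiate_header(hdr))
```

A header whose token begins with "TlRMTVNT" (base64 of "NTLMSSP") is the raw-NTLM case from this thread; a SPNEGO token that lists ntlmssp first, or lists no Kerberos mechanism at all, points the same way: the client never obtained a service ticket for the proxy's SPN (HTTP/squid.pfsee.net here), so checking the SPN, the keytab and the browser's proxy configuration is the next step on the client side.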