Hi,

The squid log file says that the client could not use Kerberos and fell
back to NTLM.

Can you capture the traffic from the client to the proxy and to your
Kerberos servers (e.g. Active Directory) with Wireshark and send me the cap
file (if not too big)?

Markus
"spiderslack" <spiderslack@xxxxxxxxxxxx> wrote in message
news:4DE282AC.6080200@xxxxxxxxxxxxxxx
Hello

I'm doing a test with squid using kerberos, configured as follows (squid and
kerberos):
squid.conf
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access allow auth
http_access deny all
krb4.conf
[libdefaults]
    default_realm = VIALACTEA.CORP
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    dns_lookup_realm = true
    dns_lookup_kdc = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    VIALACTEA.CORP = {
        kdc = 192.168.1.155
        admin_server = 192.168.1.155
    }

[domain_realm]
    .vialactea.corp = VIALACTEA.CORP
    vialactea.corp = VIALACTEA.CORP

[login]
    krb4_convert = true
    krb4_get_tickets = false
On the client I configured the proxy address and set the following Firefox
variables with the domain name:
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris
When trying to browse I get the following messages in the logs with
debugging enabled.
2011/05/29 02:42:57| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2011/05/29 02:42:57| squid_kerb_auth: received type 1 NTLM token
Does anyone have any idea of the problem? I installed Kerbtray on the
station and it shows the ticket.

Regards.
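
Added example, not part of the original thread and not Squid's own code: a small Python check that decodes the token from a squid_kerb_auth debug line and reports whether the client sent raw NTLMSSP (the fallback seen above) or a GSS-API/SPNEGO token. The function names are hypothetical, the SPNEGO sample is constructed, and the Kerberos-offered check is a simple byte search for the mechanism OID rather than a full ASN.1 parse.

```python
import base64
import re
import struct

NTLM_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))  # 1.2.840.48018.1.2.2 (MS)
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
HELPER_LINE = re.compile(r"Got '(?:YR|KK) (\S+)' from squid")

def classify_token(b64_token):
    """Return (mechanism, detail) for one base64 Negotiate token."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:
        return ("invalid", "not base64")
    if raw.startswith(NTLM_SIG):
        if len(raw) < 12:
            return ("ntlm", "truncated")
        (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian MessageType
        return ("ntlm", "type %d %s" % (msg_type, NTLM_TYPES.get(msg_type, "unknown")))
    if len(raw) > 2 and raw[0] == 0x60:  # GSS-API InitialContextToken
        # Skip the DER length: one byte, or 0x80|n followed by n length bytes.
        off = 2 + (raw[1] & 0x7F if raw[1] & 0x80 else 0)
        if raw.startswith(SPNEGO_OID, off):
            offers = any(oid in raw for oid in KRB5_OIDS)  # heuristic byte search
            return ("spnego", "kerberos offered" if offers else "no kerberos mech")
        if any(raw.startswith(oid, off) for oid in KRB5_OIDS):
            return ("kerberos", "bare krb5 token")
        return ("gssapi", "unrecognised mechanism OID")
    return ("unknown", "neither NTLMSSP nor GSS-API framing")

def classify_log(lines):
    """Yield (token_prefix, mechanism, detail) for each helper 'Got ...' line."""
    for line in lines:
        m = HELPER_LINE.search(line)
        if m:
            yield (m.group(1)[:12],) + classify_token(m.group(1))

# Debug line from the post above, joined back onto one line.
PAGE_LINE = ("2011/05/29 02:42:57| squid_kerb_auth: Got 'YR "
             "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).")
# Constructed sample, not a real capture: minimal SPNEGO framing listing the krb5 OID.
SPNEGO_SAMPLE = base64.b64encode(
    b"\x60\x15" + SPNEGO_OID + b"\xa0\x0b" + KRB5_OIDS[0]).decode()

if __name__ == "__main__":
    for row in classify_log([PAGE_LINE, "Got 'YR %s' from squid" % SPNEGO_SAMPLE]):
        print(row)
```

Run over a helper debug log, an "ntlm" result on the first YR line means the client never attempted Kerberos for the proxy, which is the case the packet capture requested above would then explain.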