On Tue, 13 Dec 2011 18:27:00 +0100, David Touzeau wrote:
Dear
I would like to connect my squid 3.2 to the Active Directory 2003
All Kerberos settings should be working:
# /usr/bin/kinit Administrateur@xxxxxxxxxxxxxxxxxx -V 2>&1
Password for Administrateur@xxxxxxxxxxxxxxxxxx:
Authenticated to Kerberos v5
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrateur@xxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
12/13/11 17:10:26 12/14/11 03:10:24
krbtgt/MAISON.TOUZEAU.BIZ@xxxxxxxxxxxxxxxxxx
renew until 12/14/11 17:10:26
Squid.conf:
auth_param negotiate program /lib/squid3/negotiate_kerberos_auth -d -s HTTP/squid32-64.touzeau.com
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hour
authenticate_ip_ttl 60 seconds
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 0 hour
#--------- kerberos ACL settings
acl AUTHENTICATED proxy_auth REQUIRED
In the events, squid claims:
011/12/13 17:11:27 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
This is the old problem of Squid advertising Negotiate authentication
but receiving NTLMv1 credentials from the browser.
Kerberos begins with a type 2 token.
The workaround in 3.1 and older has been to use the negotiate_wrapper
helper to detect the token type and support both NTLM or Kerberos
helpers for Negotiate. Unfortunately the wrapper seems to cause auth
failures in the new 3.2 architecture and we have not yet tracked that
bug down.
Amos
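Amos's explanation turns on the byte-level difference between what the browser put in the Negotiate header: an NTLMSSP blob (the "type 1 NTLM token" in the log) versus a GSS-API/SPNEGO token carrying Kerberos. The Python below is an added example, not code from this thread or from Squid's negotiate_wrapper helper. It decodes a Proxy-Authorization header value and classifies the token the way the wrapper has to before choosing a helper, so an operator with a captured header can confirm which mechanism a client is actually sending. All sample tokens are constructed stubs (zero-filled bodies, not real credentials), and the function names are my own.

```python
import base64
import binascii
import struct

# Constants from the NTLMSSP, GSS-API (RFC 2743) and SPNEGO (RFC 4178) specifications.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE (type 1)", 2: "CHALLENGE (type 2)", 3: "AUTHENTICATE (type 3)"}
OID_SPNEGO = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft variant)


def der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after the length)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_wrap(tag: int, body: bytes) -> bytes:
    """Build a DER TLV with short- or long-form length (used only for constructed samples)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def classify_token(token: bytes) -> dict:
    """Classify a decoded Negotiate token as NTLM, SPNEGO, raw Kerberos or unknown."""
    if token.startswith(NTLMSSP_SIGNATURE):
        if len(token) < 12:
            return {"mechanism": "ntlm", "detail": "truncated NTLMSSP message"}
        msg_type = struct.unpack_from("<I", token, 8)[0]  # little-endian MessageType
        return {"mechanism": "ntlm", "detail": NTLM_MESSAGE_TYPES.get(msg_type, f"type {msg_type}")}
    if token[:1] == b"\x60":  # GSS-API InitialContextToken: [APPLICATION 0] { OID, inner token }
        try:
            _, pos = der_length(token, 1)
            if token[pos:pos + 1] != b"\x06":
                return {"mechanism": "unknown", "detail": "GSS-API token without mechanism OID"}
            oid_len, pos = der_length(token, pos + 1)
        except (ValueError, IndexError):
            return {"mechanism": "unknown", "detail": "malformed DER"}
        oid = token[pos:pos + oid_len]
        if oid == OID_SPNEGO:
            return {"mechanism": "spnego", "detail": "NegTokenInit"}
        if oid in (OID_KRB5, OID_MS_KRB5):
            return {"mechanism": "kerberos", "detail": "raw GSS-API Kerberos token"}
        return {"mechanism": "gssapi", "detail": "unrecognised mechanism OID " + oid.hex()}
    if token[:1] == b"\xa1":  # SPNEGO NegTokenResp (later round of an SPNEGO exchange)
        return {"mechanism": "spnego", "detail": "NegTokenResp"}
    return {"mechanism": "unknown", "detail": "unrecognised token"}


def classify_header(header_value: str) -> dict:
    """Classify the credential in a Proxy-Authorization header value such as 'Negotiate <base64>'."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        scheme = parts[0] if parts else "empty"
        return {"mechanism": "none", "detail": f"not a Negotiate header ({scheme})"}
    try:
        token = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return {"mechanism": "unknown", "detail": "undecodable base64"}
    return classify_token(token)


# Constructed sample tokens (stubs, not captured from a real client or KDC):
SAMPLE_NTLM_TYPE1 = NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 16
SAMPLE_SPNEGO_INIT = der_wrap(0x60, der_wrap(0x06, OID_SPNEGO) + der_wrap(0xA0, b"\x00" * 256))
SAMPLE_KRB5_RAW = der_wrap(0x60, der_wrap(0x06, OID_KRB5) + b"\x01\x00" + b"\x00" * 300)  # TOK_ID 01 00 + zero-filled AP-REQ stand-in
SAMPLE_HEADERS = {
    "ntlm-type1": "Negotiate " + base64.b64encode(SAMPLE_NTLM_TYPE1).decode(),
    "spnego-init": "Negotiate " + base64.b64encode(SAMPLE_SPNEGO_INIT).decode(),
    "krb5-raw": "Negotiate " + base64.b64encode(SAMPLE_KRB5_RAW).decode(),
    "basic": "Basic dXNlcjpwYXNz",
}


def triage(headers: dict) -> dict:
    """Classify every header in a name -> value mapping."""
    return {name: classify_header(value) for name, value in headers.items()}


if __name__ == "__main__":
    for name, result in triage(SAMPLE_HEADERS).items():
        print(f"{name:12s} {result['mechanism']:9s} {result['detail']}")
```

An NTLM result with detail "NEGOTIATE (type 1)" is exactly the situation behind the "BH received type 1 NTLM token" error: the client answered the Negotiate challenge with NTLMSSP rather than a Kerberos-bearing SPNEGO token, usually because it could not obtain a service ticket for the proxy's principal, so the check belongs beside the SPN and DNS configuration when triaging such a failure.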