On Wednesday 14 December 2011 at 10:41 +1300, Amos Jeffries wrote:
> On Tue, 13 Dec 2011 18:27:00 +0100, David Touzeau wrote:
> > Dear
> >
> > I would like to connect my squid 3.2 to the Active Directory 2003
> >
> > All Kerberos settings should be working
> >
> > # /usr/bin/kinit Administrateur@xxxxxxxxxxxxxxxxxx -V 2>&1
> > Password for Administrateur@xxxxxxxxxxxxxxxxxx:
> > Authenticated to Kerberos v5
> >
> > # klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: Administrateur@xxxxxxxxxxxxxxxxxx
> >
> > Valid starting Expires Service principal
> > 12/13/11 17:10:26 12/14/11 03:10:24
> > krbtgt/MAISON.TOUZEAU.BIZ@xxxxxxxxxxxxxxxxxx
> > renew until 12/14/11 17:10:26
> >
> >
> > Squid.conf
> >
> > auth_param negotiate program /lib/squid3/negotiate_kerberos_auth -d
> > -s
> > HTTP/squid32-64.touzeau.com
> > auth_param negotiate children 10
> > auth_param negotiate keep_alive on
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hour
> > authenticate_ip_ttl 60 seconds
> > authenticate_cache_garbage_interval 10 seconds
> > authenticate_ttl 0 hour
> > #--------- kerberos ACL settings
> > acl AUTHENTICATED proxy_auth REQUIRED
> >
> > In events squid claims
> >
> > 011/12/13 17:11:27 kid1| ERROR: Negotiate Authentication validating
> > user. Error returned 'BH received type 1 NTLM token'
>
> This is the old problem of Squid advertising Negotiate authentication
> but receiving NTLMv1 credentials from the browser.
>
> Kerberos begins with a type 2 token.
>
> The workaround in 3.1 and older has been to use the negotiate_wrapper
> helper to detect the token type and support both NTLM or Kerberos
> helpers for Negotiate. Unfortunately the wrapper seems to cause auth
> failures in the new 3.2 architecture and we have not yet tracked that
> bug down.
>
> Amos
>

Dear Amos,

Any workaround?

Best regards
--
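Added illustration, not part of the thread and not Squid or negotiate_wrapper code: a small Python classifier for the token carried in a `Proxy-Authorization: Negotiate` header, useful for confirming from a capture whether a browser sent an NTLM token (as in the 'BH received type 1 NTLM token' error quoted above) or a Kerberos/SPNEGO one. The function names and the sample tokens are constructed for this example.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2


def classify_negotiate(header_value):
    """Name the token type carried in a 'Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    b64 = b64.strip()
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid-base64"
    if token.startswith(NTLMSSP_SIG):
        if len(token) < 12:
            return "ntlm-truncated"
        # NTLMSSP: 8-byte signature, then a little-endian uint32 message type
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return f"ntlm-type-{msg_type}"
    if token[:1] == b"\x60":
        # GSS-API initial token: 0x60, DER length, then the mechanism OID
        head = token[:32]
        if SPNEGO_OID in head:
            # Heuristic (assumption): the offered mechanisms sit near the start
            return "spnego-kerberos" if KRB5_OID in token[:96] else "spnego-other"
        if KRB5_OID in head:
            return "kerberos"
    return "unknown"


def negotiate_header(raw):
    """Build a header value from raw token bytes (helper for the samples)."""
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed sample tokens: leading bytes only, not captured traffic
    samples = {
        "NTLM type 1": NTLMSSP_SIG + struct.pack("<II", 1, 0) + bytes(16),
        "bare Kerberos": b"\x60\x82\x05\x00" + KRB5_OID + b"\x01\x00" + bytes(16),
        "SPNEGO/Kerberos": b"\x60\x28" + SPNEGO_OID
        + b"\xa0\x1e\x30\x1c\xa0\x0d\x30\x0b" + KRB5_OID,
    }
    for name, raw in samples.items():
        print(f"{name:16} -> {classify_negotiate(negotiate_header(raw))}")
```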