For Windows systems in a domain, what is the typical strategy? Would one usually

  A. authenticate via Kerberos (only IE browsers, or also Chrome/FF?),
  B. else authenticate via NTLM (IE only?),
  C. else use LDAP (all other browsers and Linux, or Windows PCs not in the domain)?

Is it right to say that if Kerberos is enabled, but not basic/LDAP, then non-IE browsers cannot log in? Or will Kerberos work for all browsers on a Windows system in the domain? Or have I completely misunderstood? :-)

Starting off with C) squid_ldap_auth, which works fine, the next step is Kerberos. For Kerberos, my main reading references are:

  http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
  http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/
  http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy

Running squid/3.HEAD-20120814-r12282. On the Linux level Kerberos and Samba are installed/configured, the system is in the domain (wbinfo -t) and "kinit -V username" works fine. NTLM auth on the command line looks OK too (/usr/bin/ntlm_auth --domain=MYDOMAIN --username=myuser).

In squid, Kerberos is configured as follows:

  auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -d -i -s GSS_C_NO_NAME
  auth_param negotiate children 10 startup=1 idle=5
  auth_param negotiate keep_alive on
  acl restricted proxy_auth REQUIRED

After restarting squid, the log entries look good:

  Sep 7 09:10:31 proxy squid[26997]: helperOpenServers: Starting 1/10 'squid_kerb_auth' processes

Trying to connect with IE causes a login box to pop up in the browser and squid to log:

  ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'

and in cache.log:

  2012/09/07 09:22:53.421| ACL::checklistMatches: checking 'restricted'
  2012/09/07 09:22:53.421| Acl.cc(65) AuthenticateAcl: returning 3 sending authentication challenge.

I can give a valid or invalid username/password to the popup box, but no access is granted and I don't see any usernames or squid_kerb_auth lines in the cache.log.

Question: how can one debug in detail what squid_kerb_auth is doing? The "-d" option does not seem to show much. (debug_options ALL,1 83,5 23,2 26,9 28,9 33,4 84,3: any better suggestions?)

Doing some "tcpdump -A" tracing:

  - browser sends:
      GET http://google.com/ HTTP/1.1
  - proxy answers:
      HTTP/1.1 407 Proxy Authentication Required
      X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
      Proxy-Authenticate: Negotiate
  - browser sends back:
      Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
  - proxy answers:
      HTTP/1.1 407 Proxy Authentication Required
      X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
      Proxy-Authenticate: Negotiate

Also tried Kerberos with NTLM; in this case access is always denied, no popup. Tcpdump shows similar handshaking.

  auth_param negotiate program /usr/local/squid/libexec/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN --kerberos /usr/local/squid/libexec/squid_kerb_auth -d -i -s GSS_C_NO_NAME

Thanks in advance for any tips :-)
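A quick way to see what a "Negotiate" blob in the tcpdump trace actually carries, as an added diagnostic example that is not part of the post above and not a squid tool. The Negotiate scheme wraps either a GSS-API/SPNEGO token (DER, first byte 0x60, then a mechanism OID) or a raw NTLMSSP message (starts with the bytes "NTLMSSP\0"). The script decodes the Proxy-Authorization token copied from the post and reports which it is; for the NTLMSSP case it also pulls out the message type, the negotiate flags and the client version field. The SPNEGO sample is constructed (a bare GSS-API header with the SPNEGO OID and no inner token), and the function and table names are my own.

```python
"""Decode a Proxy-Authorization: Negotiate token and say which mechanism it carries.

Added example for the squid-users post above; POST_TOKEN is the blob from the
post's tcpdump output, SPNEGO_SAMPLE_B64 is constructed here for comparison.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# DER-encoded mechanism OIDs found right after the 0x60 tag of a GSS-API token.
GSS_MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "SPNEGO (1.3.6.1.5.5.2)",
    bytes.fromhex("2a864886f712010202"): "Kerberos V5 (1.2.840.113554.1.2.2)",
    bytes.fromhex("2a864882f712010202"): "MS KRB5 (1.2.840.48018.1.2.2)",
}

# Subset of the NTLMSSP NEGOTIATE flags (MS-NLMP 2.2.2.5), bit value -> name.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# Token exactly as it appears in the post's tcpdump excerpt.
POST_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="


def _der_length(buf, pos):
    """Return (length, position after the length field) for DER length at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_ntlmssp(raw):
    """Parse the header of a raw NTLMSSP message (type 1 gets flags and version)."""
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"mechanism": "NTLMSSP", "message_type": msg_type}
    if msg_type == 1 and len(raw) >= 16:
        flags = struct.unpack_from("<I", raw, 12)[0]
        info["flags"] = flags
        info["flag_names"] = [name for bit, name in sorted(NTLM_FLAGS.items()) if flags & bit]
        # The 8-byte Version field sits at offset 32 when NEGOTIATE_VERSION is set.
        if flags & 0x02000000 and len(raw) >= 40:
            major, minor, build, _reserved, revision = struct.unpack_from("<BBH3sB", raw, 32)
            info["client_version"] = "%d.%d build %d (NTLM revision %d)" % (major, minor, build, revision)
    return info


def decode_negotiate_token(token_b64):
    """Classify a base64 Negotiate token as NTLMSSP, a GSS-API mechanism, or unknown."""
    raw = base64.b64decode(token_b64)
    if raw.startswith(NTLMSSP_SIGNATURE):
        return _decode_ntlmssp(raw)
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken: [APPLICATION 0] length OID ...
        _, pos = _der_length(raw, 1)
        if raw[pos] != 0x06:
            return {"mechanism": "GSS-API (OID tag missing)"}
        oid_len, pos = _der_length(raw, pos + 1)
        oid = raw[pos:pos + oid_len]
        return {"mechanism": GSS_MECH_OIDS.get(oid, "GSS-API (unrecognised OID %s)" % oid.hex())}
    return {"mechanism": "unknown (first byte 0x%02x)" % raw[0]}


def _gss_header(oid, inner=b""):
    """Constructed helper: wrap an OID (plus optional inner bytes) in GSS-API framing."""
    body = b"\x06" + bytes([len(oid)]) + oid + inner
    return b"\x60" + bytes([len(body)]) + body  # short-form length is enough for the sample


# Constructed comparison token: SPNEGO header only, no NegTokenInit body.
SPNEGO_SAMPLE_B64 = base64.b64encode(_gss_header(bytes.fromhex("2b0601050502"))).decode()

if __name__ == "__main__":
    for label, tok in (("post token", POST_TOKEN), ("constructed SPNEGO", SPNEGO_SAMPLE_B64)):
        print(label, "->", decode_negotiate_token(tok))
```

Run against the post's token this reports NTLMSSP message type 1 with flags 0xe2088297 (NEGOTIATE_VERSION set) and a client version field of 6.1 build 7601, which is what squid_kerb_auth is complaining about with "BH received type 1 NTLM token": the browser never presented a Kerberos ticket inside the Negotiate exchange, so a Kerberos-only helper has nothing it can validate, and the first thing to check on the client is whether it can obtain a service ticket for the proxy's SPN (klist after a request through the proxy).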