Hi Sean,
If you see NTLM tokens in squid_kerb_auth then either you have not
created a keytab for squid or the client cannot get a HTTP/<squid> ticket
from AD. Please capture traffic on port 88 for Kerberos traffic on the
client and 3128 for squid traffic.
Markus
"Sean Boran" <sean@xxxxxxxxx> wrote in message
news:CAOnghjunh71a43eomdSR5UH-rnLXjx2iLWLFKGoR49FP_83ADQ@xxxxxxxxxxxxxx...
For Windows systems in a domain, what is the typical strategy? Would
one usually
A. Authenticate via Kerberos (only IE browsers, or also Chrome/FF?)
B. else authenticate via NTLM (IE only?)
C. else use LDAP (all other browsers and Linux, or Windows PCs not in
the domain).
Is it right to say that if Kerberos is enabled, but not basic/LDAP,
then non-IE browsers cannot log in?
Or will Kerberos work for all browsers on a Windows system in the domain?
Or have I completely misunderstood? :-)
Starting off with C) squid_ldap_auth, which works fine, the next step
is Kerberos.
For Kerberos, my main reading references are:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
Running squid/3.HEAD-20120814-r12282.
On the Linux level, Kerberos and Samba are installed/configured, the
system is in the domain (wbinfo -t) and "kinit -V username" works
fine. NTLM auth on the command line looks OK too (/usr/bin/ntlm_auth
--domain=MYDOMAIN --username=myuser).
In squid, Kerberos is configured as follows:
auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -d -i -s GSS_C_NO_NAME
auth_param negotiate children 10 startup=1 idle=5
auth_param negotiate keep_alive on
acl restricted proxy_auth REQUIRED
After restarting squid, log entries look good:
Sep 7 09:10:31 proxy squid[26997]: helperOpenServers: Starting 1/10 'squid_kerb_auth' processes
Trying to connect with IE causes a login box to pop up in the browser
and squid to log:
ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
in cache.log:
2012/09/07 09:22:53.421| ACL::checklistMatches: checking 'restricted'
2012/09/07 09:22:53.421| Acl.cc(65) AuthenticateAcl: returning 3 sending authentication challenge.
I can give a valid or invalid username/password to the popup box,
but no access is granted and I don't see any usernames or
squid_kerb_auth lines in the cache.log.
Question: how can one debug in detail what squid_kerb_auth is doing?
The "-d" option does not seem to show much? (debug_options ALL,1 83,5
23,2 26,9 28,9 33,4 84,3: any better suggestions?)
Doing some "tcpdump -A" tracing:
- browser sends:
  GET http://google.com/ HTTP/1.1
- proxy answers:
  HTTP/1.1 407 Proxy Authentication Required
  X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
  Proxy-Authenticate: Negotiate
- browser sends back:
  Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
- proxy answers:
  HTTP/1.1 407 Proxy Authentication Required
  X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
  Proxy-Authenticate: Negotiate
Also tried Kerberos with NTLM; in this case access is always denied,
no popup. Tcpdump shows similar handshaking.
auth_param negotiate program /usr/local/squid/libexec/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN --kerberos /usr/local/squid/libexec/squid_kerb_auth -d -i -s GSS_C_NO_NAME
Thanks in advance for any tips :-)
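The diagnosis in the reply (the helper's "BH received type 1 NTLM token" means the browser fell back from Kerberos to raw NTLMSSP, so the client never obtained an HTTP/<squid> ticket) can be confirmed straight from the tcpdump trace, without waiting on the helper's debug output. The script below is an added example written for this thread; it is not code from the Squid project or from either poster. It base64-decodes the value of each Proxy-Authorization: Negotiate header in a capture and reports whether it is an NTLMSSP message (signature "NTLMSSP\0", message type at offset 8) or a GSS-API token carrying the SPNEGO or Kerberos OID. The sample capture is constructed from the exchange quoted above; the function names and the constructed SPNEGO token are my own.

```python
"""Classify the mechanism token in Proxy-Authorization: Negotiate headers.

Added example for the Squid Kerberos thread (not Squid project code).
A browser that fell back from Kerberos sends a raw NTLMSSP blob, which
squid_kerb_auth on its own cannot handle; spotting that in a capture is
faster than waiting for helper debug output.
"""
import base64
import re
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_VERSION = 0x02000000  # flag: 8-byte version field present
NTLM_MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded OIDs found near the start of a GSS-API InitialContextToken.
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

HEADER_RE = re.compile(
    r"^(Proxy-Authenticate|Proxy-Authorization):[ \t]*Negotiate[ \t]*(\S*)[ \t]*$",
    re.MULTILINE | re.IGNORECASE,
)

# Constructed sample, laid out like the tcpdump -A trace in the message above.
SAMPLE_CAPTURE = """\
GET http://google.com/ HTTP/1.1
HTTP/1.1 407 Proxy Authentication Required
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: Negotiate
GET http://google.com/ HTTP/1.1
Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: Negotiate
"""

# Constructed minimal SPNEGO InitialContextToken (tag 0x60, SPNEGO OID, empty
# NegTokenInit) to show what a non-NTLM header value classifies as.
SAMPLE_SPNEGO_TOKEN = base64.b64encode(
    b"\x60\x10" + SPNEGO_OID + b"\xa0\x06\x30\x04\xa0\x02\x30\x00"
).decode()


def decode_token(b64: str) -> bytes:
    """Base64-decode a header value, tolerating stripped '=' padding."""
    cleaned = re.sub(r"\s+", "", b64).rstrip("=")
    return base64.b64decode(cleaned + "=" * (-len(cleaned) % 4))


def classify_token(raw: bytes) -> dict:
    """Say which mechanism a decoded Negotiate token belongs to."""
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 16:
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        info = {"kind": "NTLMSSP", "message_type": msg_type,
                "message_name": NTLM_MESSAGE_NAMES.get(msg_type, "unknown"),
                "flags": flags}
        if msg_type == 1 and flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info["client_version"] = f"{major}.{minor}.{build}"
        return info
    if raw[:1] == b"\x60":  # [APPLICATION 0] GSS-API InitialContextToken
        head = raw[:40]
        if SPNEGO_OID in head:
            return {"kind": "SPNEGO"}
        if KRB5_OID in head:
            return {"kind": "Kerberos"}
        return {"kind": "GSS-API", "mechanism": "unknown"}
    return {"kind": "unknown"}


def scan_capture(text: str) -> list:
    """One finding per Negotiate header in a tcpdump -A style capture."""
    findings = []
    for m in HEADER_RE.finditer(text):
        name, token = m.group(1), m.group(2)
        if not token:  # bare "Negotiate" is the proxy's challenge
            findings.append({"header": name, "kind": "challenge"})
        else:
            findings.append({"header": name, **classify_token(decode_token(token))})
    return findings


def ntlm_fallback_detected(findings: list) -> bool:
    """True if any client token in the capture was NTLMSSP rather than Kerberos."""
    return any(f.get("kind") == "NTLMSSP" for f in findings)


if __name__ == "__main__":
    results = scan_capture(SAMPLE_CAPTURE)
    for r in results:
        print(r)
    if ntlm_fallback_detected(results):
        print("Client fell back to NTLM: check the squid keytab / HTTP SPN in AD.")
```

Run against a real capture, an NTLMSSP finding on the Proxy-Authorization line points at the keytab or the HTTP/<squid> SPN, exactly as the reply suggests; a SPNEGO or Kerberos finding means the browser did obtain a ticket and the problem lies on the squid side of the handshake.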