Markus, " If you see NTLM tokens in squid_kerb_auth then either you have not created a keytab for squid--" Running on ubuntu I have the following into the upstart config file /etc/init/squid.conf env KRB5_KTNAME=/etc/krb5.keytab And put it into /etc/environment so that the proxy user always has this setting. And file permissions allow squid to read it: -rw-r----- 1 root proxy 545 Sep 6 10:15 /etc/krb5.keytab The keytab was generated as follows: net ads keytab CREATE -U myuser net ads keytab add -U myuser HTTP chgrp proxy /etc/krb5.keytab chmod 640 /etc/krb5.keytab Running ktutil as the proxy user "rkt /etc/krb5.keytab" show a list of 9 entries with variations of the proxy hostname. So the proxy user can read the keytab, and sees the same entries as root. "... or the client can not get a HTTP/<squid> ticket from AD..." How can I test that on the command line? Trying "kinit -V HTTP/MYDOMAIN.NET" as the proxy user give the error "not found in Kerberos database while getting initial credentials", but I dont understand what I'm doing with than command :-) There was no port 88 traffic on the client during a test right now, may the kerberos part is cached, Using the nice "follow tcp stream" in wireshark, the headers going back and forward are as following, starting with the client: GET http://mysite.ch/foo.html HTTP/1.1 > HTTP/1.1 407 Proxy Authentication Required > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 > Proxy-Authenticate: Negotiate GET http://mysite.ch/foo.html HTTP/1.1 Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw== > HTTP/1.1 407 Proxy Authentication Required > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 > Proxy-Authenticate: Negotiate Wireshark is able to interpret that "Proxy-Authorization: Negotiate" line as "NTLM Secure Service Provider", with a list of flag indicating degrees of NTLM supported, and "Version 6.1 (Build 7601); NTLM Current Revision 15". IE and chrome sent exactly the same Proxy-Authorization reply. The above negociate strict is also in the cache.log on the squid side: squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59). WARNING: received type 1 NTLM token How can I debug squid_kerb_auth to see what config it is reading, what exactly it is trying to do, etc? Hmm, looking at the source file helpers/negotiate_auth/wrapper/negotiate_wrapper.cc and helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc, I realise that I was calling squid_kerb_auth instead negotiate_kerberos_auth (a squid_kerb_auth file was available, probably due to an older squid compilation). => So, at least one error fixed:, the squid.conf line is now: auth_param negotiate program /usr/local/squid/libexec/negotiate_wrapper_auth -d --kerberos /usr/local/squid/libexec/negotiate_kerberos_auth -d -i -s GSS_C_NO_NAME --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN This gives a little bit more info in cache.log, although authentications still does not work: grep negotiate_kerberos_auth cache.log negotiate_wrapper: Kerberos command: /usr/local/squid/libexec/negotiate_kerberos_auth -d -i -s GSS_C_NO_NAME grep negotiate_kerberos_auth cache.log negotiate_kerberos_auth.cc(271): pid=5725 :2012/09/10 11:04:51| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq So at least the correct wrapper is being started now, and some debug messages are arriving. Aside: in negotiate_kerberos_auth.cc the string "squid_kerb_auth" appears in the usage: minor doc bug? Looking at negotiate_kerberos_auth.cc, the "INFO" message above is printed out at: debug((char *) "%s| %s: INFO: Starting version %s\n", LogTime(), PROGRAM, SQUID_KERB_AUTH_VERSION); but no messages are logged from the child processes in the while(1) loop? Thanks in advance, Sean Boran >>>>>>>>>> Hi Sean, If you see NTLM tokens in squid_kerb_auth then either you have not created a keytab for squid or the client can not get a HTTP/<squid> ticket from AD. Please capture traffic on port 88 for kerberos traffic on the client and 3128 for squid traffic. Markus > For windows system in a domain, what is the typicaly strategy, would > one usually > A. Authenticate via Kerberos (only IE browsers, or also chrome/FF?) > B. else authenticate via ntlkm (IE only?) > C. else use ldap (all other browsers and Linux, or Windows PCs not in > the domain). > > It is right to say that if kerberos is enabled, but not basic/ldap, > then non IE browsers cannot login? > Or will kerberos work for all browsers in a Windows system in the domain? > > Or have I completely misunderstood? :-) > > Starting off with C) squid_ldap_auth, which works fine, the next step > is kerberos. > > For kerberos, my main reading references are: > http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos > http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/ > http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy > > Runing squid/3.HEAD-20120814-r12282. > > On the linux level kerberos and samba are installed,/configured the > system is in the domain (wbinfo -t) and "kinit -V username" works > fine. Ntml auth on the command line looks ok too (/usr/bin/ntlm_auth > --domain=MYDOMAIN --username=myuser) > > In squid , kerberos configured as follows: > auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth > -d -i -s GSS_C_NO_NAME > auth_param negotiate children 10 startup=1 idle=5 > auth_param negotiate keep_alive on > acl restricted proxy_auth REQUIRED > > > After restart squid, log entries look good: > Sep 7 09:10:31 proxy squid[26997]: helperOpenServers: Starting 1/10 > 'squid_kerb_auth' processes > > Trying to connect with IE causes a login box to popup on the bowser > and squid to log: > ERROR: Negotiate Authentication validating user. Error returned 'BH > received type 1 NTLM token' > > in cache.log: > 2012/09/07 09:22:53.421| ACL::checklistMatches: checking 'restricted' > 2012/09/07 09:22:53.421| Acl.cc(65) AuthenticateAcl: returning 3 > sending authentication challenge. > > I can give in a valid or invalid username/password to the popup, box > but no access is granted and I dont see any usernames or > squid_kerb_auth lines in the cache.log. > > Question: how can one debug in detail what squid_kerb_auth is doing? > The "-d" option does not seem to show much? (debug_options ALL,1 83,5 > 23,2 26,9 28,9 33,4 84,3: any better suggestions?) > > Doing some "tcpdumnp -A" tracing: > - browser sends: GET http://google.com/ HTTP/1.1 > -proxy answers > HTTP/1.1 407 Proxy Authentication Required > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 > Proxy-Authenticate: Negotiate > - browser send back: > Proxy-Authorization: Negotiate > TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw== > -proxy answers > HTTP/1.1 407 Proxy Authentication Required > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 > Proxy-Authenticate: Negotiate > > Also tried kerberos with NTLM, in this case access is always denied, > no popup. Tcpdump show similar handshaking. > auth_param negotiate program > /usr/local/squid/libexec/negotiate_wrapper_auth -d --ntlm > /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp > --domain=MYDOMAIN --kerberos /usr/local/squid/libexec/squid_kerb_auth > -d -i -s GSS_C_NO_NAME > - > > Thanks in advance for any tips :-) >