> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On
> Behalf Of Amos Jeffries
> Sent: Wednesday, March 23, 2016 11:50 PM
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Cc: 819102@xxxxxxxxxxxxxxx
> Subject: Re: Negotiate wrappter returns AF = on Debian Jessie
>
> "--helper-protocol=gss-spnego" configures Negotiate/Kerberos, not
> Negotiate/NTLM.
>
> For Negotiate/NTLM what you need is "--helper=squid-2.5-ntlmssp"
>
>
> Or, drop the wrapper helper entirely and just use:
>
> auth_param negotiate program /usr/bin/ntlm_auth \
> --helper-protocol=gss-spnego --domain=DOMAIN.LOCAL
>
> Amos

Oh. Thank you! That does resolve the username issue in the logs.

I'm still a little confused as the proxy was behaving as if it was doing NTLM anyway.

If I used the FQDN to reach the proxy, my username was james_zuelow@DOMAIN.LOCAL as I would expect from a Kerberos authentication.

If I used the IP address to reach the proxy, my understanding is that Kerberos would not work (since the principal now did not match), and I would fall back to NTLM. And in that case my username was james_zuelow, as with plain NTLM.

And clients that could not do Kerberos at all such as non-domain Linux machines could still authenticate with NTLM username/password.

So except for the log format issue gss-spnego and squid-2.5-ntlmssp both seem to work as I intended it to, with Kerberos primary and NTLM fallback.

Thanks again & Debian #819102 can be chalked up to user error.

James
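An added example, not part of the original message and not code from Squid or Samba: a small Python check that tells whether the first token of a `Proxy-Authorization: Negotiate` header prefers Kerberos or NTLM, which is one way to confirm the FQDN versus IP address behaviour described above. The function name and the sample tokens are constructed for illustration, and the OID search is a heuristic rather than a full ASN.1 parse.

```python
import base64

# DER-encoded mechanism OIDs as they appear inside GSS-API/SPNEGO tokens.
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "kerberos",  # 1.2.840.48018.1.2.2 (legacy MS)
    bytes.fromhex("060a2b06010401823702020a"): "ntlm",    # 1.3.6.1.4.1.311.2.2.10
}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # a raw NTLMSSP message starts with this


def classify_negotiate(header_value):
    """Classify the initial token of a Negotiate authorization header value.

    Returns "kerberos", "ntlm", "unknown", "malformed" or "not-negotiate".
    Only the first token of an exchange is recognised; later SPNEGO
    response tokens do not start with 0x60 and come back as "unknown".
    """
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "malformed"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"  # NTLMSSP sent without a SPNEGO wrapper
    if token[:1] != b"\x60":  # GSS-API initial context token tag
        return "unknown"
    # SPNEGO lists mechanisms in preference order, so the earliest OID wins.
    hits = [(token.find(oid), name) for oid, name in MECH_OIDS.items()]
    hits = [hit for hit in hits if hit[0] >= 0]
    return min(hits)[1] if hits else "unknown"


if __name__ == "__main__":
    # Constructed sample tokens: correct leading bytes and OIDs, dummy lengths.
    spnego_oid = bytes.fromhex("06062b0601050502")
    krb5, _, ntlm = MECH_OIDS  # dict keys in insertion order
    samples = {
        "via FQDN (Kerberos offered first)": b"\x60\x20" + spnego_oid + krb5 + ntlm,
        "via IP (NTLM only)": b"\x60\x14" + spnego_oid + ntlm,
        "raw NTLMSSP type 1": NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00",
    }
    for label, raw in samples.items():
        header = "Negotiate " + base64.b64encode(raw).decode()
        print(f"{label}: {classify_negotiate(header)}")
```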