[squid-users] Re: kerberos (AD) authentication - squid_kerb_auth

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 25 Aug 2009 22:23:42 +0100

"Jeremy Monnet" <jmonnet_at_gmail.com> wrote in message
news:2b1bd02c0908251050i6e63cecaxeb29ceecd2a845e8_at_mail.gmail.com...
> Hi,
>
> I am trying to authenticate users through kerberos on a windows 2003
> server AD. Basically, I followed the klaubert tutorial [1], part on
> Negotiate/kerberos authentication.
>

See also http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

> The kerberos stuff seems ok, I can get some tickets using kinit and
> see them using klist.
>
> The error message I get is "authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'", and I saw a previous thread talking about that [2], but I am
> sorry I don't understand most of it. When it says "squid_kerb_auth
> only support Kerberos, but it looks like that your client for some
> reason attempted to use NTLM. ", does this mean the web browser/gssapi
> or stuff on the client side is the problem ? Is there anything to do
> on the windows client machine to send just a standard kerberos ticket
> ?

Possibly. It is important that the proxy you have configured is the FQDN
and that your web browser supports Negotiate proxy authentication (e.g. IE >
7 or Firefox).

>
> Or is the integration of ntlm_auth into squid_kerb_auth achieved
> (couldn't find news on that point) and a better thing to use ?
>

No, only Kerberos.

> And, last but not least, it seems we can start squid_kerb_auth from
> the command line in standalone (well, that's the way it works with
> squid), is there a way to use it to debug the situation ?
>

Yes. Just start it on the command line and input YR <token>, where <token> is
a base64 encoded token. There is a small test program squid_kerb_auth_test.c
at
http://squidkerbauth.cvs.sourceforge.net/viewvc/squidkerbauth/squid_kerb_auth/
which you can run as follows:

kinit user_at_DOMAIN
./squid_kerb_auth_test <proxy fqdn> 200 | ./squid_kerb_auth -d -s HTTP/<proxy fqdn>

This will create 200 authentication requests for testing.

> Thanks for your answers,
>

Regards
Markus

> Jeremy
> [1]
> http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/
> [2]
> http://www.nabble.com/Negotiate-problem-%27BH-received-type-1-NTLM-token%27-td17981333.html
>
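An added example, not part of this thread and not code from squid_kerb_auth, for checking what a client actually sent when the helper reports "BH received type 1 NTLM token": it decodes the base64 Negotiate token, reports whether it is an NTLM type 1 message, a SPNEGO token or a raw Kerberos 5 token (by the GSS-API mechanism OID), and formats the "YR <token>" line the helper reads on stdin. The two sample tokens are constructed, not real captures.

```python
import base64

# DER-encoded GSS-API mechanism OIDs (RFC 4178 SPNEGO, RFC 4121 Kerberos 5)
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                   # start of every NTLM message

def _der_length(buf, pos):
    """Parse a DER length field at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate_token(b64token):
    """Return 'ntlm-typeN', 'spnego', 'krb5' or 'unknown' for a Negotiate token."""
    raw = base64.b64decode(b64token, validate=True)
    if raw.startswith(NTLMSSP_SIGNATURE):
        # Bytes 8..11 hold the little-endian NTLM message type (1 = Negotiate)
        return "ntlm-type%d" % int.from_bytes(raw[8:12], "little")
    try:
        # GSS-API InitialContextToken: [APPLICATION 0] { mechanism OID, ... }
        if raw[0] != 0x60:
            return "unknown"
        _, pos = _der_length(raw, 1)
        if raw[pos] != 0x06:
            return "unknown"
        oid_len, pos = _der_length(raw, pos + 1)
    except IndexError:
        return "unknown"
    oid = raw[pos:pos + oid_len]
    return {SPNEGO_OID: "spnego", KRB5_OID: "krb5"}.get(oid, "unknown")

def helper_request_line(b64token):
    """Format a token as the 'YR <token>' line squid_kerb_auth reads on stdin."""
    return "YR " + b64token

# Constructed samples (not real captures): a minimal NTLM type 1 message and a
# SPNEGO InitialContextToken carrying only the mechanism OID.
SAMPLE_NTLM_TYPE1_B64 = base64.b64encode(
    NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x00" * 24).decode()
_spnego_body = b"\x06" + bytes([len(SPNEGO_OID)]) + SPNEGO_OID
SAMPLE_SPNEGO_B64 = base64.b64encode(
    b"\x60" + bytes([len(_spnego_body)]) + _spnego_body).decode()
```

Feed a token copied from a browser's Proxy-Authorization header to classify_negotiate_token; an "ntlm-type1" result confirms the client fell back to NTLM, which the helper cannot handle.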
Received on Tue Aug 25 2009 - 21:25:09 MDT