[squid-users] Re: problems squid_kerb_auth

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sun, 29 May 2011 14:39:31 +0100

Hi,

  The squid log file says that the client could not use Kerberos and fell
back to NTLM.

  Can you capture the traffic from the client to the proxy and to your
Kerberos servers (e.g. Active Directory) with Wireshark and send me the cap
file (if not too big)?

Markus

"spiderslack" <spiderslack_at_yahoo.com.br> wrote in message
news:4DE282AC.6080200_at_yahoo.com.br...
> Hello
>
> I'm doing a test with squid using Kerberos, with squid and Kerberos
> configured as follows:
>
> squid.conf
> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
>
> acl auth proxy_auth REQUIRED
>
> http_access allow auth
> http_access deny all
>
>
> krb4.conf
> [libdefaults]
> default_realm = VIALACTEA.CORP
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> dns_lookup_realm = true
> dns_lookup_kdc = true
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
> fcc-mit-ticketflags = true
> [realms]
> VIALACTEA.CORP = {
> kdc = 192.168.1.155
> admin_server = 192.168.1.155
> }
> [domain_realm]
> .vialactea.corp = VIALACTEA.CORP
> vialactea.corp = VIALACTEA.CORP
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
>
> On the client I pointed it at the proxy address and configured the
> following Firefox variables with the domain name:
> network.negotiate-auth.delegation-uris
> network.negotiate-auth.trusted-uris
>
> When trying to browse I get the following messages in the logs with
> debugging enabled.
> 2011/05/29 02:42:57| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
> 2011/05/29 02:42:57| squid_kerb_auth: received type 1 NTLM token
>
> Does anyone have any idea what the problem is? At the station I installed
> Kerbtray and it shows the ticket.
>
> Regards.
>
>
Received on Sun May 29 2011 - 13:39:58 MDT
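
The diagnosis in the reply can be checked straight from the helper's debug output. The following is an added example, not part of the original thread or of squid_kerb_auth: it decodes the token in a `Got 'YR ...' from squid` line and reports whether the client sent NTLM or a GSS-API (SPNEGO/Kerberos) token. The function names and the `KK` continuation prefix handling are choices made for this example.

```python
import base64
import re
import struct

# DER-encoded OIDs that identify the mechanism inside a GSS-API token.
OID_SPNEGO = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Matches the helper's debug line: Got 'YR <base64>' from squid
HELPER_LINE = re.compile(r"Got '(?:YR|KK) ([A-Za-z0-9+/=]+)' from squid")


def classify_token(b64_token):
    """Return (mechanism, detail) for a base64 Negotiate token."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:
        return ("invalid", "not base64")
    # NTLM messages start with the ASCII signature and a little-endian type.
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return ("NTLM", NTLM_TYPES.get(msg_type, "type %d" % msg_type))
    if raw[:1] == b"\x60":  # ASN.1 [APPLICATION 0]: GSS-API initial token
        head = raw[:32]     # the mechanism OID follows the DER length field
        if OID_SPNEGO in head:
            inner = "Kerberos offered" if OID_KRB5 in raw else "no Kerberos mechType"
            return ("SPNEGO", inner)
        if OID_KRB5 in head:
            return ("Kerberos", "krb5 mechanism token")
    return ("unknown", "first bytes %s" % raw[:8].hex())


def classify_log_line(line):
    """Extract the token from a squid_kerb_auth debug line and classify it."""
    match = HELPER_LINE.search(line)
    return classify_token(match.group(1)) if match else None


# Log line from the post above, re-joined onto one line.
PAGE_LINE = ("2011/05/29 02:42:57| squid_kerb_auth: Got 'YR "
             "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' "
             "from squid (length: 59).")

if __name__ == "__main__":
    print(classify_log_line(PAGE_LINE))
```

A token that decodes to `NTLMSSP` type 1 means the client never obtained or offered a Kerberos service ticket for the proxy, which is why the capture of the client-to-KDC traffic is the next thing to look at.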
