Re: [squid-users] Trouble getting kerberos auth working with squid 3.0

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Thu, 23 Oct 2008 21:03:55 +0200

On Thu, 2008-10-23 at 14:25 -0400, Steven Cardinal wrote:
> I see no sign on my DCs of any failed authentication. A tcpdump trace
> on my workstation shows no attempts from my Windows PC to perform any
> kerberos authentication. If I try running the command line specified
> in the squid.conf, I get:

Then your browsers do not trust the proxy with kerberos authentication.
Verify that you have configured the proxy by name and not IP in the
browser proxy settings. To be exact the proxy name needs to match both a
name that the browser trusts with Kerberos authentication AND a server
kerberos ticket (or whatever those are called, kept in the keytab,
kerberos is not a strong field of mine..)

> I'm guessing, however, that squid_kerb_auth can't be run just like
> that, however.

Correct. You need to speak base64 encoded GSSAPI wrapped in Microsoft
Negotiate SSP protocol format wrapped in the "Squid NTLM/Negotiate
protocol" to it..

> Any ideas where I should look? I set my keytab file to be
> world-readable as a test and that didn't help.

It seems you don't even get that far.. the very first steps are not
dependent on the helper, only on the browser.. only when the browser
agrees on sending the initial negotiation packet is the helper called.
Until then all that happens is that Squid says that authentication is
required to continue and the Negotiate SSP authentication protocol is
supported.

Regards
Henrik

Received on Thu Oct 23 2008 - 19:03:59 MDT
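
The first steps described in the reply above (the proxy's 407 offering Negotiate, then the browser either sending a token or staying silent) can be checked from a captured header exchange. The following is an added example, not part of the original message or of Squid: the sample traffic is constructed, the function names are hypothetical, and the `YR <base64>` helper line is an assumption about Squid's helper protocol.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2

def header_values(head, name):
    """All values of header `name` in one raw HTTP message head."""
    pairs = (line.partition(":") for line in head.split("\r\n")[1:])
    return [v.strip() for k, sep, v in pairs if sep and k.strip().lower() == name.lower()]

def classify_token(b64):
    """Name the mechanism inside the blob that follows 'Negotiate '."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return "invalid-base64"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"                    # NTLM fallback: no Kerberos ticket was used
    if len(raw) > 4 and raw[0] == 0x60:  # GSS-API InitialContextToken
        i = 2 if raw[1] < 0x80 else 2 + (raw[1] & 0x7F)  # skip the DER length
        if raw[i:i + 1] == b"\x06" and len(raw) > i + 1:  # mechanism OID
            oid = raw[i + 2:i + 2 + raw[i + 1]]
            return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(oid, "unknown")
    return "unknown"

def diagnose(proxy_reply, browser_retry):
    """Return (stage, helper_line) for a 407 reply and the browser's next request."""
    status = proxy_reply.split("\r\n")[0].split()
    offered = [v.split()[0].lower() for v in header_values(proxy_reply, "Proxy-Authenticate") if v]
    if status[1:2] != ["407"] or "negotiate" not in offered:
        return "proxy-did-not-offer-negotiate", None
    for value in header_values(browser_retry, "Proxy-Authorization"):
        scheme, _, blob = value.partition(" ")
        if scheme.lower() == "negotiate":
            kind = classify_token(blob.strip())
            # Assumption: Squid passes an initial token to the helper as "YR <base64>".
            line = None if kind == "invalid-base64" else "YR " + blob.strip()
            return "browser-sent-" + kind, line
    return "browser-sent-no-token", None  # helper is never called at this stage

# Constructed sample traffic (the token is a stub header, not a real ticket).
REPLY_407 = "HTTP/1.0 407 Proxy Authentication Required\r\nProxy-Authenticate: Negotiate\r\n\r\n"
STUB_TOKEN = base64.b64encode(b"\x60\x0a\x06\x06" + SPNEGO_OID + b"\xa0\x00").decode()
RETRY_SILENT = "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"
RETRY_TOKEN = RETRY_SILENT[:-2] + "Proxy-Authorization: Negotiate " + STUB_TOKEN + "\r\n\r\n"

if __name__ == "__main__":
    print(diagnose(REPLY_407, RETRY_SILENT))
    print(diagnose(REPLY_407, RETRY_TOKEN))
```

A `browser-sent-no-token` result corresponds to the situation in this thread, where the browser never sends the initial negotiation packet; `browser-sent-ntlm` means the browser answered but fell back to NTLM instead of Kerberos.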
