[squid-users] Re: Simple Kerberos/Squid configuration "received type 1 NTLM token"

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 24 Sep 2010 15:18:37 +0100

Are the XP users defined in the Kerberos server ?

Markus

"barbarossa" <bDmanLIB_at_hotmail.com> wrote in message
news:1285330198052-2553379.post_at_n4.nabble.com...
>
> Hi,
>
> I have a simple configuration of Squid, with a acl to deny access to users
> that aren't authenticated. I have setup kerberos correctly as the squid
> server ask tickets. There is no AD, just a kerberos server, squid server
> and
> Windows XP clients. The Windows client uses Network Identity Manager (MIT)
> to create a ticket.
>
> I could not find a solution in the mailing list archives and other places
> on
> the internet.
>
> When I use the proxy with Firefox (3.6.10, laterst version, same on IE), I
> get:
>
> ERROR
> Cache Access Denied
>
> While trying to retrieve the URL: http://dd/
>
> The following error was encountered:
>
> * Cache Access Denied.
>
> Sorry, you are not currently allowed to request:
>
> http://dd/
>
> from this cache until you have authenticated yourself.
>
> A keytab file for the proxy exists (squid.keytab) and squid has read
> access
> to it. This file is created using "addprinc -randkey squid/MYNETWORK.COM"
>
> I added in the top of the /etc/init.d/squid file the following:
>
> KRB5_KTNAME=/etc/squid/squid.keyab
> export KRB5_KTNAME
>
> The squid configuration is as following:
>
> uth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl password proxy_auth REQUIRED
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow password
> http_access deny all
> icp_access allow all
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid/access.log squid
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> cache_mgr root_at_localhost
> coredump_dir /var/spool/squid
>
> When accessing squid from Firefox/IE, I get in cache.log:
>
> 2010/09/21 11:41:12| squid_kerb_auth: Got 'YR
> ElRMTVNTUABBAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgDAAAADw==' from squid
> (length: 59).
> 2010/09/21 11:41:12| squid_kerb_auth: parseNegTokenInit failed with rc=101
> 2010/09/21 11:41:12| squid_kerb_auth: received type 1 NTLM token
>
> It is strange that the proxy receives NTLM messages, as it is not
> configured. What is wrong.
> --
> View this message in context:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Simple-Kerberos-Squid-configuration-received-type-1-NTLM-token-tp2553379p2553379.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
>
Received on Fri Sep 24 2010 - 14:21:05 MDT

This archive was generated by hypermail 2.2.0 : Fri Sep 24 2010 - 12:00:03 MDT