[squid-users] kerberos (AD) authentication - squid_kerb_auth

From: Jeremy Monnet <jmonnet_at_gmail.com>
Date: Tue, 25 Aug 2009 19:50:00 +0200

Hi,

I a m trying to authenticate users through kerberos on a windows 2003
server AD. Basically, I followed the klaubert tutorial [1], part on
Negotiate/kerberos authentication.

The kerberos stuff seems ok, I can get some tickets using kinit and
see them using klist.

The error message I get is "authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH received type 1 NTLM
token'", and I saw a previous thread talking about that [2], but I am
sorry I don't understand most of it. When it says "squid_kerb_auth
only support Kerberos, but it looks like that your client for some
reason attempted to use NTLM. ", does this mean the web browser/gssapi
or stuff on the client side is the problem ? Is there anything to do
on the windows client machine to send just a standard kerberos ticket
?

Or is the integration of ntlm_auth into squid_kerb_auth achieved
(couldn't find news on that point) and a better thing to use ?

And, last but not least, it seems we can start squid_kerb_auth from
the command line in standalone (well, that's the way it works with
squid), is there a way to use it to debug the situation ?

Thanks for your answers,

Jeremy
[1] http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/
[2] http://www.nabble.com/Negotiate-problem-%27BH-received-type-1-NTLM-token%27-td17981333.html
Received on Tue Aug 25 2009 - 17:50:11 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 26 2009 - 12:00:04 MDT