Can you get a wireshark capture of port 53 (dns), port 88 (kerberos) and
port 3128 (squid) from your client machine when you try to surf? Can you
also install kerbtray from microsoft to list the tickets in your client's
kerberos cache?
Regards
Markus
"Lieven" <lieven_at_ba.be> wrote in message news:4BE1D106.7090207_at_ba.be...
> Dear list,
>
> I currently have a problem where it seems that my clients, the web browsers
> Firefox 3.5 and IE8, only return NTLM tokens for authentication
> instead of Kerberos.
>
> This is the error in the cache log from squid:
>
> ...
> squid_kerb_auth: WARNING: received type 1 NTLM token
> authenticateNegotiateHandleReply: Error validating user via Negotiate.
> Error returned 'BH received type 1 NTLM token'
> ...
>
>
> squid has been configured like this:
> ./configure --enable-negotiate-auth-helpers=squid_kerb_auth --enable-stacktraces
> --prefix=/opt/squid-3.1.3
> make and make install went fine.
>
> the squid box is a cleanly installed debian lenny i386.
>
> Squid itself seems to run fine, I can browse through it.
>
> Then my goal to use kerberos authentication fails with the error above.
> in my krb5.conf I have the following info in my realm:
> kdc = xxx.xxx.xxx.xxx
> admin_server = xxx.xxx.xxx.xxx
> these are the libdefaults:
> [libdefaults]
> default_realm = DOMAIN.LOCAL
> dns_lookup_kdc = no
> dns_lookup_realm = no
> default_keytab_name = /etc/HTTP.keytab
> ticket_lifetime = 24h
>
> the /etc/HTTP.keytab file is like this:
> -rw-r----- 1 squid squid 532 2010-05-05 20:58 /etc/HTTP.keytab
> squid is running as user "squid"
>
> First I got a kerberos ticket with:
> kinit administrator
> I can see a krbtgt ticket with klist.
>
> I'm trying to authenticate against a windows 2008 dc and I used msktutil
> like this:
> msktutil -c -b "CN=COMPUTERS" -s HTTP/domain.local -h domain.local -k
> /etc/HTTP.keytab --computer-name squid3-proxy --upn
> HTTP/domain.local --server ad2008srvr.domain.local --verbose --enctypes 28
>
> The squid config file is quite basic. (only relevant parts here - I
> think)
> auth_param negotiate program /opt/squid-3.1.3/sbin/squid_kerb_auth -d
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> acl AUTHENTICATED proxy_auth REQUIRED
> http_access allow AUTHENTICATED
>
>
> DNS seems to work alright, the AD server is used for dns and has a working
> A and PTR record for the squid3-proxy.domain.local server because the A
> and PTR lookups return the correct results when run from the server and
> from the clients.
>
> Is there anybody out there who can help me troubleshoot this problem?
> I found tutorials where the keytab file is created on the windows server
> but that's not necessary if I use the msktutil, right?
>
> thanks a lot. I've been trying to get this to work for some time now.
>
> cheers,
> Lieven
>
>
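The helper warning quoted above ("received type 1 NTLM token") comes from the helper base64-decoding the token the browser put in its Proxy-Authorization: Negotiate header and finding a raw NTLMSSP message where a GSS-API/SPNEGO blob was expected. The following is an added example, not code from Squid or from either poster, that shows how to tell the two cases apart from a captured header value, which is what the wireshark capture requested above would yield. It decodes the token, recognises a raw NTLM message, and otherwise walks the SPNEGO NegTokenInit to list the mechanisms the browser offered. The two sample tokens are constructed in the code itself (the NTLM flags and the placeholder mechToken are made up for the example), and the DER helpers are written inline so the script runs offline.

```python
import base64

# OIDs that appear inside a Negotiate (SPNEGO) token, dotted form.
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
OID_NAMES = {OID_KRB5: "KRB5", OID_MS_KRB5: "MS-KRB5", OID_NTLMSSP: "NTLMSSP"}


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    """Minimal DER TLV encoder (tag byte, length, body)."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    parts = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def parse_tlv(buf, pos=0):
    """Return (tag, body, position after the element) for the DER element at buf[pos:]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def classify_negotiate_token(b64token):
    """Classify the value of 'Proxy-Authorization: Negotiate <b64token>'.
    kind is 'ntlm' (raw NTLMSSP, what Squid's helper rejects), 'krb5' (bare
    Kerberos AP-REQ), 'spnego' (mechs lists what the browser offered) or 'unknown'."""
    raw = base64.b64decode(b64token)
    if raw.startswith(b"NTLMSSP\x00"):
        return {"kind": "ntlm", "ntlm_type": int.from_bytes(raw[8:12], "little"), "mechs": ["NTLMSSP"]}
    if not raw or raw[0] != 0x60:                       # GSS-API InitialContextToken tag
        return {"kind": "unknown", "ntlm_type": None, "mechs": []}
    _, body, _ = parse_tlv(raw)
    _, oid_body, pos = parse_tlv(body)                  # thisMech
    mech = decode_oid(oid_body)
    if mech in (OID_KRB5, OID_MS_KRB5):
        return {"kind": "krb5", "ntlm_type": None, "mechs": [OID_NAMES[mech]]}
    if mech != OID_SPNEGO:
        return {"kind": "unknown", "ntlm_type": None, "mechs": [mech]}
    _, neg_init, _ = parse_tlv(body, pos)               # negTokenInit [0]
    _, seq, _ = parse_tlv(neg_init)                     # SEQUENCE { mechTypes [0], ..., mechToken [2] }
    mechs, p = [], 0
    while p < len(seq):
        tag, elem, p = parse_tlv(seq, p)
        if tag == 0xA0:                                 # mechTypes: SEQUENCE OF OID, in preference order
            _, lst, _ = parse_tlv(elem)
            q = 0
            while q < len(lst):
                t, ob, q = parse_tlv(lst, q)
                if t == 0x06:
                    mechs.append(OID_NAMES.get(decode_oid(ob), decode_oid(ob)))
    return {"kind": "spnego", "ntlm_type": None, "mechs": mechs}


def browser_is_doing_kerberos(b64token):
    """True only if the browser's first choice is a Kerberos mechanism."""
    info = classify_negotiate_token(b64token)
    if info["kind"] == "krb5":
        return True
    return info["kind"] == "spnego" and bool(info["mechs"]) and info["mechs"][0] in ("KRB5", "MS-KRB5")


# --- constructed sample tokens (not captured from a real client) ---
def build_ntlm_type1():
    # NTLMSSP signature, message type 1, made-up negotiate flags, empty domain/workstation fields
    return base64.b64encode(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + bytes(16)).decode()


def build_spnego_init(mech_oids, mech_token=b"\x60\x00"):
    # NegTokenInit with the given mechTypes and a placeholder mechToken (a real one would be a Kerberos AP-REQ)
    mech_list = der(0x30, b"".join(encode_oid(o) for o in mech_oids))
    neg_init = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return base64.b64encode(der(0x60, encode_oid(OID_SPNEGO) + der(0xA0, neg_init))).decode()


if __name__ == "__main__":
    for tok in (build_ntlm_type1(), build_spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP])):
        print(classify_negotiate_token(tok), browser_is_doing_kerberos(tok))
```

Paste the base64 from the captured header into classify_negotiate_token: a 'ntlm' result means the browser never obtained a service ticket for the proxy and fell back before SPNEGO was even used, while a 'spnego' result whose mechs start with NTLMSSP shows the client's own preference order. Either way the next place to look is the port 88 traffic, since a missing TGS-REQ/REP for the proxy's HTTP/ principal is what pushes the browser to NTLM.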
Received on Wed May 05 2010 - 22:17:23 MDT
This archive was generated by hypermail 2.2.0 : Tue May 11 2010 - 12:00:04 MDT