[squid-users] Re: Simple Kerberos/Squid configuration "received type 1 NTLM token"

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 29 Sep 2010 21:15:59 +0100

"barbarossa" <bDmanLIB_at_hotmail.com> wrote in message
news:1285759672914-2718780.post_at_n4.nabble.com...
>
> I don't know why, but authenticating in the IE login dialog using Kerberos
> credentials works now (user_at_REALM.COM, same as for FF).
>
> For most of the page requests, squid writes log lines like the following to
> cache.log:
>
> 2010/09/29 11:19:50| squid_kerb_auth: Got 'YR
> 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'
> from squid (length: 767).
> 2010/09/29 11:19:50| squid_kerb_auth: parseNegTokenInit failed with rc=102
> 2010/09/29 11:19:50| squid_kerb_auth: AF
> oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWktM3mOHT3CdVuGDl7VN64DKZ478GfooqXyH+JFSlneeXjdxNpRCxIF1JD0mfn+gLL0ud5P7SOHMbDX3cDj4B14ghldzGdKUyoFBZbGKoNSZMT3sCDEw0Gx2MA==
> user_at_REALM.COM
>
> Is this normal?
>

Yes, this (parseNegTokenInit failed with rc=102) is normal for a Kerberos
library which does not support SPNEGO natively.

> As for IE, it probably deletes the ticket it created when exiting, as each
> time I exit I must re-authenticate. Why does it not use the MIT ticket? Is
> there a solution for this (creating "Windows" Kerberos tickets, configuring
> IE to use MIT tickets, ...)?
>

This is a security feature in Windows. It is not possible for an external
application to write into the ticket cache. For Vista/7 it might be
possible, but I think the netidmgr has not implemented it.

You could set up your systems to authenticate users against the KDC, e.g. use
the KDC like an AD server together with a mapping of local users to KDC
users. (There have been blogs about this, although I don't recall the link.)

> Thanks!
> --
> View this message in context:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Simple-Kerberos-Squid-configuration-received-type-1-NTLM-token-tp2553379p2718780.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
>

Markus
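The two cache.log lines quoted above carry the SPNEGO exchange itself in base64: the "YR" token is what the browser sent (a large NegTokenInit, elided in the quote) and the "AF" line is what squid_kerb_auth hands back to the browser together with the authenticated user name. The script below is an added example, not squid's or the helper's code: a small DER walker that classifies such a token as SPNEGO-wrapped, raw Kerberos or NTLMSSP and reports what it carries, so a cache.log token can be checked by hand. Run on the AF token quoted above it reports a NegTokenResp with negState accept-completed, supportedMech set to Microsoft's Kerberos OID (1.2.840.48018.1.2.2) and a responseToken that is a standard-OID Kerberos KRB_AP_REP, i.e. the mutual-authentication reply. The NTLMSSP NEGOTIATE message and the NegTokenInit wrapping it are constructed inputs that show what the helper receives when a browser falls back to NTLM inside Negotiate (the "type 1 NTLM token" of the thread title). classify_token and the other names are this example's own; the parser understands only the NegTokenInit/NegTokenResp fields it needs, not the full RFC 4178 grammar, and it inspects tokens without validating them.

```python
"""Dissect the GSS-API tokens squid_kerb_auth logs as "YR <b64>" (from the browser) and "AF <b64>" (to it)."""
import base64

OID_NAMES = {"1.2.840.113554.1.2.2": "KRB5", "1.2.840.48018.1.2.2": "MS-KRB5",   # RFC 1964 OID, MS variant
             "1.3.6.1.5.5.2": "SPNEGO", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
TOK_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}   # RFC 4121 4.1
KRB_MSGS = {0x6e: "AP-REQ", 0x6f: "AP-REP", 0x7e: "KRB-ERROR"}                               # APPLICATION 14/15/30
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}   # RFC 4178 4.2.2
NTLMSSP_SIG = b"NTLMSSP\x00"

def _tlv(buf, pos=0):
    """Return (tag, content, end) of the DER element at buf[pos]; raises on truncation."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: 0x8N followed by N length octets
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _elements(seq):                                     # (tag, content) of each element in a SEQUENCE's content
    pos = 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        yield tag, val

def _oid(content):
    """Decode OID content octets to dotted form; known OIDs come back as a short name."""
    parts, v = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        v = (v << 7) | (b & 0x7f)
        if not b & 0x80:
            parts, v = parts + [v], 0
    dotted = ".".join(map(str, parts))
    return OID_NAMES.get(dotted, dotted)

def _ntlm(blob):                                        # NTLMSSP: 8-byte signature, then LE32 message type 1/2/3
    return {"kind": "NTLMSSP", "ntlm_type": int.from_bytes(blob[8:12], "little")}

def _mech_token(tok):
    """Inner mechanism token: NTLMSSP blob, or Kerberos InitialContextToken (0x60, OID, TOK_ID, KRB message)."""
    if tok.startswith(NTLMSSP_SIG):
        return _ntlm(tok)
    tag, inner, _ = _tlv(tok)
    if tag != 0x60:
        raise ValueError("mechToken is not an InitialContextToken (tag 0x%02x)" % tag)
    _, oid_bytes, pos = _tlv(inner)
    out = {"mech": _oid(oid_bytes)}
    if out["mech"] in ("KRB5", "MS-KRB5"):
        out["tok_id"] = TOK_IDS.get(inner[pos:pos + 2], inner[pos:pos + 2].hex())
        ktag = inner[pos + 2]                           # APPLICATION tag of the Kerberos message that follows
        out["krb_msg"] = KRB_MSGS.get(ktag, "APPLICATION %d" % (ktag & 0x1f))
    return out

def _negotiation(data):
    """NegotiationToken (RFC 4178 4.2): [0] NegTokenInit or [1] NegTokenResp."""
    choice, body, _ = _tlv(data)
    if choice not in (0xa0, 0xa1):
        raise ValueError("not a NegotiationToken (tag 0x%02x)" % choice)
    init = choice == 0xa0
    out = {"token": "NegTokenInit" if init else "NegTokenResp"}
    for ctx, val in _elements(_tlv(body)[1]):
        field, (_, val, _) = ctx & 0x1f, _tlv(val)      # field number [n] and the content under it
        if init and field == 0:                         # mechTypes: SEQUENCE OF OID, client's preference order
            out["mechTypes"] = [_oid(ob) for _, ob in _elements(val)]
        elif init and field == 2:                       # mechToken OCTET STRING
            out["mechToken"] = _mech_token(val)
        elif not init and field == 0:                   # negState ENUMERATED
            out["negState"] = NEG_STATES.get(val[0], val[0])
        elif not init and field == 1:                   # supportedMech OID
            out["supportedMech"] = _oid(val)
        elif not init and field == 2:                   # responseToken OCTET STRING
            out["responseToken"] = _mech_token(val)
    return out

def classify_token(token):
    """token: base64 text as logged by squid_kerb_auth, or raw bytes. Returns a dict describing it."""
    data = base64.b64decode(token) if isinstance(token, str) else token
    if data.startswith(NTLMSSP_SIG):                    # bare NTLM (the "NTLM" scheme, not "Negotiate")
        return _ntlm(data)
    tag, body, _ = _tlv(data)
    if tag == 0x60:                                     # InitialContextToken: its OID names the mechanism
        _, oid_bytes, pos = _tlv(body)
        if _oid(oid_bytes) == "SPNEGO":
            return {"kind": "SPNEGO", **_negotiation(body[pos:])}
        return {"kind": "GSS", **_mech_token(data)}     # raw Kerberos, no SPNEGO wrapper
    if tag in (0xa0, 0xa1):                             # later SPNEGO legs are bare NegotiationTokens
        return {"kind": "SPNEGO", **_negotiation(data)}
    raise ValueError("unrecognised token (first byte 0x%02x)" % tag)

# Real input: the "AF" token from the cache.log excerpt above (squid's reply to the browser).
SQUID_AF_TOKEN = ("oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEX"
                  "olwEWktM3mOHT3CdVuGDl7VN64DKZ478GfooqXyH+JFSlneeXjdxNpRCxIF1JD0mfn+gLL0ud5P7SOHMbDX3cDj4"
                  "B14ghldzGdKUyoFBZbGKoNSZMT3sCDEw0Gx2MA==")
# Constructed input: a browser that has fallen back to NTLM sends, as its first Negotiate token, a NegTokenInit
# offering NTLMSSP ahead of Kerberos with an NTLMSSP NEGOTIATE (type 1) message as the mechToken.
NTLM_TYPE1 = NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes.fromhex("078208a2") + bytes(16)
NTLM_NEG_TOKEN_INIT = bytes.fromhex(
    "604b 0606 2b0601050502 a041 303f"                  # InitialContextToken(SPNEGO) { [0] NegTokenInit SEQUENCE {
    "a019 3017 060a 2b06010401823702020a 0609 2a864886f712010202"   #   [0] mechTypes { NTLMSSP, KRB5 }
    "a222 0420") + NTLM_TYPE1                           #   [2] mechToken OCTET STRING (32 bytes) } }
```

classify_token(SQUID_AF_TOKEN) takes the base64 straight from the log; pasting a "YR" token from your own cache.log will tell you whether the browser sent a SPNEGO NegTokenInit, a raw Kerberos AP-REQ, or NTLMSSP, and which mechanisms it offered in what order. The DER walker is deliberately minimal: it trusts the lengths it reads apart from a truncation check, so use it for inspection of tokens you already have, not as an acceptor.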
Received on Wed Sep 29 2010 - 20:16:18 MDT

This archive was generated by hypermail 2.2.0 : Thu Sep 30 2010 - 12:00:04 MDT