Hi,
I'm trying to configure Kerberos authentication for Squid. I'm
running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
Kerberos authentication guide on squid-cache and many other guides, but I
always end up with these logs in my cache.log. My client browser keeps
prompting for username/password. Even a valid set of credentials is
not accepted.

2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

I want to check and make sure my keytab entries are good. How do I do
that? My client system can list the tickets for the client principal.
Please have a look at my krb5.conf & keytab file here
http://pastebin.com/vTBr3r5D
I'm using this command to create the keytab file.
msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
ad01.orangegroup.com --verbose
All the domains are resolving properly to IPs.
Thanks for your help.
Received on Sat Apr 30 2011 - 06:43:14 MDT
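
Added example, not part of the original post: Python that decodes the base64 token from the cache.log lines above and reports which mechanism it carries, which is the check behind the helper's "received type 1 NTLM token" warning. The function name `classify_negotiate_token` is hypothetical, and the SPNEGO and Kerberos branches only look for the mechanism OID near the start of the token.

```python
import base64
import struct

# Token copied from the cache.log lines in the post above.
LOGGED_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="

SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
NTLM_FLAG_VERSION = 0x02000000                      # NTLMSSP_NEGOTIATE_VERSION


def classify_negotiate_token(b64_token):
    """Return a dict describing which mechanism a Negotiate token carries."""
    raw = base64.b64decode(b64_token, validate=True)

    # NTLMSSP messages start with an 8-byte signature, then a LE message type.
    if raw.startswith(b"NTLMSSP\x00"):
        if len(raw) < 16:
            return {"mech": "NTLM", "error": "truncated"}
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        info = {"mech": "NTLM", "type": msg_type, "flags": flags}
        # A type 1 message with the VERSION flag set carries the client OS
        # version (major, minor, build) at offset 32.
        if msg_type == 1 and flags & NTLM_FLAG_VERSION and len(raw) >= 40:
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info["os_version"] = f"{major}.{minor}.{build}"
        return info

    # GSS-API initial token: [APPLICATION 0] tag 0x60, length, mechanism OID.
    if raw[:1] == b"\x60":
        head = raw[:24]
        if SPNEGO_OID in head:
            # SPNEGO wrapper; note whether Kerberos is among the offered mechs.
            return {"mech": "SPNEGO", "has_krb5": KRB5_OID in raw}
        if KRB5_OID in head:
            return {"mech": "Kerberos"}

    return {"mech": "unknown"}


if __name__ == "__main__":
    print(classify_negotiate_token(LOGGED_TOKEN))
```

For the logged token this reports an NTLM type 1 message from a client identifying itself as OS version 6.1.7600, so the client sent an NTLMSSP negotiate message and no Kerberos ticket was presented to the helper.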