
I would like to know if it is possible to let a Windows XP machine authenticate to Squid (Linux) using Kerberos without the need for an Active Directory domain.

I only want to create a Kerberos ticket on the client side, which should give the client access to Squid (using IE).

I only found tutorials about configuring AD/Squid, not an environment with only Linux servers.

Thanks

Update:

The Kerberos setup is correctly done; the proxy and client can get tickets.

As for the browser (FF/IE), I get:

ERROR
Cache Access Denied

While trying to retrieve the URL: http://www.google.com/

The following error was encountered:

    * Cache Access Denied. 

Sorry, you are not currently allowed to request:

    http://www.google.com/

from this cache until you have authenticated yourself. 

In Kerberos, I get:

squid_kerb_auth: Got 'YR ElRNTVMTUABBAABAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgDAAAADw==' from squid (length: 59).
squid_kerb_auth: parseNegTokenInit failed with rc=101
squid_kerb_auth: received type 1 NTLM token

This message is strange, as I didn't configure NTLM. It looks like the browser uses the wrong authentication method.

user28362
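The helper log above is squid_kerb_auth recognising the browser's blob as a raw NTLM type 1 message instead of the expected SPNEGO/Kerberos token. As an added example (not part of the original post or of Squid), this Python function performs the same classification on the base64 blob from a `Proxy-Authorization: Negotiate` header, so an admin can check what a browser is really sending; the sample tokens are constructed here, since the blob quoted in the log is damaged.

```python
import base64
import struct

# Protocol constants (NTLMSSP signature and GSS-API mechanism OIDs) used only
# to classify a token; nothing here performs authentication.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # OID 1.2.840.113554.1.2.2


def _skip_der_length(buf: bytes) -> bytes:
    """Drop a DER length field (short or long form) and return what follows."""
    if not buf:
        return b""
    first = buf[0]
    if first < 0x80:                 # short form: the byte itself is the length
        return buf[1:]
    return buf[1 + (first & 0x7F):]  # long form: low bits give the length size


def classify_negotiate_token(b64_token: str) -> str:
    """Label the base64 blob a browser sent in Proxy-Authorization: Negotiate."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:               # binascii.Error is a ValueError subclass
        return "invalid-base64"
    if raw.startswith(NTLMSSP_SIGNATURE):
        # Raw NTLMSSP: bytes 8..11 carry the little-endian message type (1, 2, 3).
        if len(raw) < 12:
            return "ntlm-truncated"
        return "ntlm-type%d" % struct.unpack_from("<I", raw, 8)[0]
    if raw[:1] == b"\x60":
        # GSS-API InitialContextToken: 0x60, DER length, then the mechanism OID.
        body = _skip_der_length(raw[1:])
        if body.startswith(SPNEGO_OID):
            return "spnego"
        if body.startswith(KRB5_OID):
            return "kerberos"
        return "gssapi-unknown-mech"
    return "unknown"


# Constructed samples. A minimal NTLM NEGOTIATE_MESSAGE: signature, type 1,
# typical flags, empty domain and workstation fields.
SAMPLE_NTLM_TYPE1 = base64.b64encode(
    NTLMSSP_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", 0xA2088207) + b"\x00" * 16
).decode()
# A SPNEGO token header: 0x60, length, SPNEGO OID, then a stub NegTokenInit.
_spnego_body = SPNEGO_OID + b"\xa0\x00"
SAMPLE_SPNEGO = base64.b64encode(b"\x60" + bytes([len(_spnego_body)]) + _spnego_body).decode()
```

A browser that cannot obtain a ticket for the proxy's `HTTP/<proxy fqdn>` service principal commonly falls back to NTLM, which is exactly what the `received type 1 NTLM token` line shows.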

1 Answer


This seemed familiar and Google searching brought me back to ServerFault. Long story short, Micros*** extends Kerberos in a way that makes client authentication with alternative Kerberos implementations (e.g. MIT or Heimdal) not easily accomplished. This is why projects like pGina were created. That might be primarily for LDAP auth, but the cause will lead to you needing a similar result, namely coding your own custom GINA DLL to handle that kind of auth. If you find one that handles Kerberos, please let us know! I would be super-excited to use it and find out.

songei2f
  • On the Windows side, I make a ticket using the Network Identity Manager (this works). When I access the internet using the gateway I get: The following error was encountered: * Cache Access Denied. Sorry, you are not currently allowed to request: http://www.google.be from this cache until you have authenticated yourself. I did not yet configure Squid on the proxy server as a service. Can someone help me? So my setup: *Windows XP client (connection with Kerberos server using Network Identity Manager OK) *Linux Kerberos server *Linux Squid server (connection with Kerberos server OK) – user28362 Sep 23 '10 at 13:52
  • I am not sure what the issue is. I thought you wanted to have a computer **login** with credentials from a Linux Kerberos box. Your problem is that the important stuff is after the line `squid_kerb_auth: received type 1 NTLM token`. You might want to post that here. That being said, the line after that is usually self-explanatory. Here is one example: `2010/08/29 11:09:15| squid_kerb_auth: parseNegTokenInit failed with rc=101 2010/08/29 11:09:15| squid_kerb_auth: received type 1 NTLM token 2010/08/29 11:09:15| authenticateNegotiateAuthenticateUser: need to challenge client 'received'!` – songei2f Sep 24 '10 at 17:03