
I have been trying to get squid running with Kerberos auth for a few days, but I'm in some trouble. The problem has been asked and answered many times on both the squid-users list and on the web; I have read them all and tried to solve the problem, but still no luck.

I'm not sure why the client tries to authorize with NTLM instead of Kerberos, and I would really appreciate it if you could explain to me how to inspect the reason and how to fix the problem.

Here are some of my log files and tests. (The config files are prepared exactly as in the wiki: http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos)

--> tail -f cache.log
2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
2012/01/11 11:54:06| squid_kerb_auth: WARNING: received type 1 NTLM token
2012/01/11 11:54:06| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

--> tail -f access.log
192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE
192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE

I have tested Kerberos on the server side with:

--> klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@LABRISTEST.COM

--> kinit -V -k -t /opt/labris/etc/labris-webcache/HTTP.keytab HTTP/test2008.labristest.com
Authenticated to Kerberos v5

I have captured the packets with Wireshark as suggested by some of the earlier solutions; it looks like the client still tries to authenticate with NTLM while we want to use Kerberos.

Here are some parts of the Wireshark log (if needed, you can get the full log from here: http://pastebin.com/btp9PzYu ):

client to server;
Hypertext Transfer Protocol
    GET http://www.google.com.tr/ HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET http://www.google.com.tr/ HTTP/1.1\r\n]
        Request Method: GET
        Request URI: http://www.google.com.tr/
        Request Version: HTTP/1.1
    Host: www.google.com.tr\r\n
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
    Accept-Language: tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
    Accept-Encoding: gzip, deflate\r\n
    Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7\r\n
    Proxy-Connection: keep-alive\r\n
server reply;
Hypertext Transfer Protocol
    HTTP/1.0 407 Proxy Authentication Required\r\n
        [Expert Info (Chat/Sequence): HTTP/1.0 407 Proxy Authentication Required\r\n]
        Request Version: HTTP/1.0
        Status Code: 407
        Response Phrase: Proxy Authentication Required
    Server: squid/3.1.12\r\n
    Mime-Version: 1.0\r\n
    Date: Wed, 11 Jan 2012 11:28:01 GMT\r\n
    Content-Type: text/html\r\n
    Content-Length: 1152\r\n
    X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
    Proxy-Authenticate: Negotiate\r\n
    X-Cache: MISS from labris-1\r\n
    X-Cache-Lookup: NONE from labris-1:3128\r\n
    Via: 1.0 labris-1 (squid/3.1.12)\r\n
    Connection: keep-alive\r\n
    \r\n
client tries authentication;
Hypertext Transfer Protocol
    GET http://www.google.com.tr/ HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET http://www.google.com.tr/ HTTP/1.1\r\n]
        Request Method: GET
        Request URI: http://www.google.com.tr/
        Request Version: HTTP/1.1
    Host: www.google.com.tr\r\n
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
    Accept-Language: tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
    Accept-Encoding: gzip, deflate\r\n
    Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7\r\n
    Proxy-Connection: keep-alive\r\n
    Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==\r\n
        NTLM Secure Service Provider
            NTLMSSP identifier: NTLMSSP
            NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
            Flags: 0xe2088297
            Calling workstation domain: NULL
            Calling workstation name: NULL
            Version 6.1 (Build 7601); NTLM Current Revision 15
                Major Version: 6
                Minor Version: 1
                Build Number: 7601
                NTLM Current Revision: 15

Please treat me as a newbie; I'd really appreciate a detailed solution to get squid working with Kerberos.

Thanks in advance.

nedm
Muhammet Can

1 Answer


Since you are using Firefox, did you configure Firefox to allow negotiation using Kerberos for the proxy in question? Firefox does not do that by default. You will have to add your proxy to network.negotiate-auth.trusted-uris in about:config. If you have multiple proxies, you can enter a comma-separated list like this: "proxy01.example.com, proxy02.example.com[,...]".

lsmooth
  • Yes, I have checked that setting and it seems OK. And I can't use IE or Chrome either. I have asked the question on the squid mail list; Amos Jeffries recommended using negotiate_wrapper. I will try it and see if it helps. – Muhammet Can Jan 12 '12 at 07:35
  • OK, now I'm not getting the --authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'-- error by using negotiate_wrapper, but I'm still authenticating with NTLM. I'll update the question or reply if I can solve it. – Muhammet Can Jan 13 '12 at 11:44
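An added example, not code from the question, the answer, or the Squid project, that does the inspection the question asks about: it decodes the Proxy-Authorization: Negotiate token shown in the capture and tells a raw NTLMSSP message (what squid_kerb_auth rejects as a "type 1 NTLM token") from a SPNEGO or Kerberos GSS-API envelope. That same distinction is the one a front-end such as negotiate_wrapper, mentioned in the comments, has to draw before it can hand the token to an NTLM or a Kerberos helper. The NTLM header value is copied from the question; the SPNEGO sample is a constructed, truncated envelope carrying only the mechanism OID; all function names are my own.

```python
import base64
import struct

# Header value copied from the "client tries authentication" capture in the question.
CAPTURED_HEADER = ("Negotiate "
                   "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==")

# Constructed sample (not from the capture): a truncated GSS-API envelope, tag 0x60,
# that carries only the SPNEGO mechanism OID. A real token would continue with the
# negTokenInit body after the OID.
CONSTRUCTED_SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02").decode()

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_VERSION = 0x02000000   # flag: the 8-byte Version field is present

# DER encodings of the two mechanism OIDs a Negotiate client is expected to send.
OID_NAMES = {
    bytes.fromhex("2b0601050502"): "SPNEGO (1.3.6.1.5.5.2)",
    bytes.fromhex("2a864886f712010202"): "Kerberos V5 (1.2.840.113554.1.2.2)",
}


def _decode_header(header_value):
    """Split 'Negotiate <base64>' and return the raw token bytes."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header: %r" % scheme)
    return base64.b64decode(b64.strip())


def _gssapi_mech_oid(raw):
    """Return the mechanism OID bytes from a DER [APPLICATION 0] GSS-API envelope."""
    if raw[1] < 0x80:                     # short-form length byte
        pos = 2
    else:                                 # long form: 0x8n followed by n length bytes
        pos = 2 + (raw[1] & 0x7F)
    if raw[pos] != 0x06:                  # OBJECT IDENTIFIER tag must follow
        raise ValueError("expected OID after GSS-API envelope header")
    oid_len = raw[pos + 1]
    return raw[pos + 2: pos + 2 + oid_len]


def classify_negotiate_token(header_value):
    """Return a dict describing which mechanism the Negotiate token actually carries."""
    raw = _decode_header(header_value)
    if raw.startswith(NTLMSSP_SIGNATURE):
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info = {"mechanism": "NTLMSSP", "message_type": msg_type}
        if msg_type == 1 and len(raw) >= 40:
            # NEGOTIATE_MESSAGE: NegotiateFlags at offset 12, Version at offset 32
            # (major, minor, build LE, 3 reserved bytes, NTLMRevisionCurrent).
            info["flags"] = struct.unpack_from("<I", raw, 12)[0]
            if info["flags"] & NTLMSSP_NEGOTIATE_VERSION:
                major, minor, build = struct.unpack_from("<BBH", raw, 32)
                info["os_version"] = "%d.%d (Build %d)" % (major, minor, build)
                info["ntlm_revision"] = raw[39]
        return info
    if raw[:1] == b"\x60":
        oid = _gssapi_mech_oid(raw)
        return {"mechanism": OID_NAMES.get(oid, "unknown OID " + oid.hex()),
                "message_type": None}
    return {"mechanism": "unrecognised", "message_type": None}


def helper_for(info):
    """Which helper family can consume this token: 'ntlm' or 'kerberos'."""
    return "ntlm" if info["mechanism"] == "NTLMSSP" else "kerberos"


if __name__ == "__main__":
    for hdr in (CAPTURED_HEADER, CONSTRUCTED_SPNEGO_HEADER):
        info = classify_negotiate_token(hdr)
        print(info, "->", helper_for(info))
```

Run against the captured header, the classifier reports NTLMSSP message type 1 with flags 0xe2088297 and OS version 6.1 (Build 7601), the same fields Wireshark shows above, so the token was never a Kerberos one: the browser fell back to NTLM before the proxy saw anything. A token that really came from the Kerberos SSP starts with the DER tag 0x60 (base64 "YII..."), and only those can succeed against squid_kerb_auth.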