This means your client does not use Kerberos but NTLM. Check that IE is
configured with the FQDN.
Regards
Markus
----- Original Message -----
From: "Дмитрий Нестеркин" <[email protected]>
To: "Henrik Nordstrom" <[email protected]>
Cc: "Markus Moeller" <[email protected]>
Sent: Wednesday, September 02, 2009 12:36 PM
Subject: Re: [squid-users] Re: squid 2.7 - problems with kerberos
authentication
On 2 September 2009 at 14:32, Дмитрий Нестеркин
([email protected]) wrote:
external_acl_type ldap_check ttl=1200 %LOGIN
/usr/lib/squid/squid_ldap_group -R -b "dc=mydomain,dc=local" -f
"(&(objectclass=user)(sAMAccountName=%v)
(memberof=cn=%a,ou=internet,dc=mydomain,dc=local))" -D
"[email protected]" -w "password" -K -d 192.168.100.42
Do this work from the command line?
If it's an AD server then basic bind without TLS is generally not allowed
(deemed insecure).
The helper expects
login group
as input, and will respond with OK/ERR.
But since there is no debug output from squid_ldap_group I suspect
squid_kerb_auth isn't happy with something... But it's odd there is no
debug output from squid_kerb_auth either...
Yes, it works from the command line! And I can't understand why not with
squid.
$ /usr/lib/squid/squid_ldap_group -R -b "dc=teliset,dc=local" -f
"(&(objectclass=user)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=teliset,dc=local))"
-D "[email protected]" -w "password" -K -d 192.168.100.42
my_username inet_allow
OK
I've updated the krb5-user package to the latest testing version. Now the cache
log contains squid_kerb_auth info:
2009/09/02 15:27:46| Ready to serve requests.
2009/09/02 15:27:46| Done reading /var/spool/squid swaplog (405 entries)
2009/09/02 15:27:46| Finished rebuilding storage from disk.
2009/09/02 15:27:46| 405 Entries scanned
2009/09/02 15:27:46| 0 Invalid entries.
2009/09/02 15:27:46| 0 With invalid flags.
2009/09/02 15:27:46| 405 Objects loaded.
2009/09/02 15:27:46| 0 Objects expired.
2009/09/02 15:27:46| 0 Objects cancelled.
2009/09/02 15:27:46| 0 Duplicate URLs purged.
2009/09/02 15:27:46| 0 Swapfile clashes avoided.
2009/09/02 15:27:46| Took 0.3 seconds (1453.0 objects/sec).
2009/09/02 15:27:46| Beginning Validation Procedure
2009/09/02 15:27:46| Completed Validation Procedure
2009/09/02 15:27:46| Validated 405 Entries
2009/09/02 15:27:46| store_swap_size = 4052k
2009/09/02 15:27:46| storeLateRelease: released 0 objects
2009/09/02 15:32:48| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2009/09/02 15:32:48| squid_kerb_auth: received type 1 NTLM token
2009/09/02 15:32:50| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2009/09/02 15:32:50| squid_kerb_auth: received type 1 NTLM token
2009/09/02 15:32:50| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2009/09/02 15:32:50| squid_kerb_auth: received type 1 NTLM token
2009/09/02 15:32:51| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2009/09/02 15:32:51| squid_kerb_auth: received type 1 NTLM token
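The "received type 1 NTLM token" diagnosis above can be automated: the base64 after "YR" is the raw GSS token the browser sent, and its first bytes reveal whether it is NTLMSSP or a SPNEGO/Kerberos InitialContextToken. The following is an added example, not code from the thread or from Squid; it assumes the cache.log line format shown above, and the second sample log line (a minimal SPNEGO header) is constructed for contrast.

```python
import base64
import re
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"           # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"  # 1.2.840.113554.1.2.2
TOKEN_RE = re.compile(r"squid_kerb_auth: Got '(?P<cmd>YR|KK) (?P<b64>[A-Za-z0-9+/=]+)'")

# Constructed sample log: line 1 carries the token from the thread, line 2 a
# constructed minimal SPNEGO header so both outcomes are visible.
_SPNEGO_B64 = base64.b64encode(b"\x60\x08" + SPNEGO_OID).decode()
SAMPLE_LOG = (
    "2009/09/02 15:32:48| squid_kerb_auth: Got 'YR "
    "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).\n"
    f"2009/09/02 15:40:01| squid_kerb_auth: Got 'YR {_SPNEGO_B64}' from squid (length: 19).\n"
)

def classify_token(b64):
    """Decode one helper token and report which mechanism the client chose."""
    raw = base64.b64decode(b64)
    if raw.startswith(NTLM_SIGNATURE):
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info = {"mech": "NTLMSSP", "type": NTLM_TYPES.get(msg_type, "UNKNOWN")}
        # A type 1 message carries the negotiate flags at offset 12 and, when
        # the VERSION flag (0x02000000) is set, the client OS version at 32.
        if msg_type == 1 and len(raw) >= 40:
            flags = struct.unpack_from("<I", raw, 12)[0]
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info.update(flags=flags, client_version=f"{major}.{minor}.{build}")
        return info
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken; the mech OID follows the length
        if SPNEGO_OID in raw[1:12]:
            return {"mech": "SPNEGO"}
        if KRB5_OID in raw[1:16]:
            return {"mech": "KRB5"}
        return {"mech": "GSSAPI-other"}
    return {"mech": "unknown"}

def scan_cache_log(text):
    """Classify every squid_kerb_auth token found in cache.log text."""
    found = []
    for line in text.splitlines():
        m = TOKEN_RE.search(line)
        if m:
            found.append(dict(cmd=m.group("cmd"), **classify_token(m.group("b64"))))
    return found

def ntlm_fallback_detected(text):
    """True if any token is NTLMSSP: the browser is not doing Kerberos, which in
    practice means the proxy name it was given has no matching SPN/FQDN."""
    return any(t["mech"] == "NTLMSSP" for t in scan_cache_log(text))
```

Running it over the thread's token yields an NTLMSSP NEGOTIATE message with flags 0xa2088207 and client version 5.1.2600, which is exactly what squid_kerb_auth is complaining about.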