[squid-users] Negotiate wrapper returns AF = on Debian Jessie

L.P.H. van Belle belle at bazuin.nl
Thu Mar 24 10:17:19 UTC 2016


Hi Amos,

Thank you, very much appreciated. One more question, to check that I understood it correctly.

When using the wrapper helpers, and wanting only Kerberos auth, is this correct?
(Sorry to ask, but I have to translate things, and it's not always clear.)


auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid3/negotiate_kerberos_auth \
        -s HTTP/proxy.domain.local@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego \
        --domain=NTDOMAIN

(Note that the last one (ntlm_auth) gives * back as the username.)


Greetz, 

Louis


> -----Original message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent: Thursday 24 March 2016 10:56
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Negotiate wrapper returns AF = on Debian
> Jessie
> 
> On 24/03/2016 10:08 p.m., L.P.H. van Belle wrote:
> > Hello Amos,
> >
> > I was missing that in my setup too; now I know where the problem was
> coming from. Can you help me a bit by explaining the difference between
> these, based on the example below? Because if I post it somewhere, I want
> to be sure the setup is correct. And it was not :-(, so I'm wondering what
> I missed here in my understanding.
> >
> > --helper-protocol=gss-spnego
> > --helper-protocol=gss-spnego-client
> > --helper-protocol=squid-2.5-ntlmssp
> >
> 
> Squid used to have different helper protocols for each interface.
> 
> --helper-protocol=squid-2.5-ntlmssp makes it communicate with Squid using
> the old "auth_param ntlm" helper interface protocol.
> 
> 
> --helper-protocol=gss-spnego makes it communicate with Squid using the
> old "auth_param negotiate" helper interface protocol. When an NTLM
> handshake is happening the helper auto-converts between the NTLM and
> Negotiate interface protocols by prefixing the username with "* ".
> 
> 
> The wrapper helper also will attempt to auto-convert old protocol syntax
> into the current (Squid-3.4+) protocol syntax. BUT, it can only do so
> properly if the expected old syntax was being sent for the relevant
> helper (--ntlm vs --kerberos arguments to wrapper).
> 
> The result is that ntlm_auth helper auto-converts the result by
> prefixing with "* ". Then the wrapper helper also auto-converts that
> result by prefixing _that_ with "= ".
> Ending with the strange "AF = * username" output.
> 
> 
> --helper-protocol=gss-spnego-client is for something unrelated to Squid.
> 
> 
> > I believed the following.
> >
> > When using auth_param negotiate, and I wanted to have full Kerberos
> auth,
> > --helper-protocol=gss-spnego is needed, but I don't know if this is
> correct.
> 
> That is correct for the Samba ntlm_auth helper operating *by itself* on
> the "auth_param negotiate" interface of Squid.
> 
>  --> Not when using the wrapper helpers --ntlm interface.
> 
> NP: when using the wrapper helpers --kerberos interface it *is* correct.
> 
> 
> > And I also had * as the username.
> > --helper-protocol=squid-2.5-ntlmssp works fine as well, and I now see the
> username.
> >
> > And one more question.
> >
> > The log now shows:
> > Kerberos authenticated users: username at REALM
> > NTLM authenticated users: username
> >
> > Is there a way to log users with only the username, for both
> authentications?
> >
> 
> That depends on whether the Kerberos helper you are using can strip the
> realm name. Squid is simply logging the label it gets told by the helper.
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
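The "AF = * username" symptom Amos describes, and the realm question that follows it, can be checked mechanically against captured helper replies. The following is an added example, not code from the thread or from Squid: it assumes helper replies of the form "AF [prefixes/token] user" (an assumption about the wire format, not taken from the page), flags replies carrying both the wrapper's "= " and ntlm_auth's "* " prefix, and strips "@REALM" so Kerberos and NTLM logins compare on the bare username.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample replies, modelled on the thread (not real captures).
# The exact helper wire formats are an assumption, not taken from the page.
SAMPLE_REPLIES = [
    "AF TOKEN_PLACEHOLDER louis@EXAMPLE.LOCAL",  # kerberos helper, realm attached
    "AF * louis",      # ntlm_auth --helper-protocol=gss-spnego: "* " prefix
    "AF = * louis",    # wrapper re-converting an already converted reply
    "AF = louis",      # wrapper converting old ntlm syntax exactly once
    "NA invalid credentials",
]

class HelperUser(NamedTuple):
    raw: str
    user: Optional[str]      # normalised login name; None if not an AF reply
    double_converted: bool   # "= * " seen: wrapper --ntlm/--kerberos mismatch

_AF_RE = re.compile(r"^AF\s+(.*)$")

def parse_reply(line: str, strip_realm: bool = True) -> HelperUser:
    """Parse one helper reply line into (raw, user, double_converted)."""
    m = _AF_RE.match(line.strip())
    if not m:
        return HelperUser(line, None, False)
    rest = m.group(1)
    # The wrapper's "= " prefix in front of ntlm_auth's "* " prefix is the
    # "AF = * username" output the thread is about.
    double = rest.startswith("= * ")
    # Assumption: whatever prefixes or token precede it, the username is
    # the last whitespace-separated word of an AF reply.
    words = rest.split()
    user = words[-1] if words else ""
    if strip_realm and "@" in user:
        user = user.split("@", 1)[0]   # "username@REALM" -> "username"
    return HelperUser(line, user, double)

def audit(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Return (normalised usernames, raw lines showing double conversion)."""
    parsed = [parse_reply(line) for line in lines]
    users = [p.user for p in parsed if p.user is not None]
    suspicious = [p.raw for p in parsed if p.double_converted]
    return users, suspicious

if __name__ == "__main__":
    users, suspicious = audit(SAMPLE_REPLIES)
    print("users:", users)               # → ['louis', 'louis', 'louis', 'louis']
    print("double-converted:", suspicious)  # → ['AF = * louis']
```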