<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">2016-07-15 6:31 GMT-03:00 Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">On 15/07/2016 4:07 a.m., Sergio Belkin wrote:<br>
> Hi,<br>
><br>
> Using squid squid-3.5.19-1.el7.centos.x86_64,<br>
><br>
> I obtain a kerberos ticket but I get the following when trying to use the<br>
> proxy:<br>
><br>
> 2016/07/14 12:57:03.711 kid1| 29,4| UserRequest.cc(290) authenticate: No<br>
> Proxy-Auth header and no working alternative. Requesting auth header.<br>
> 2016/07/14 12:57:03.712 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader:<br>
> headertype:46 authuser:NULL<br>
> 2016/07/14 12:57:03.712 kid1| 29,9| Config.cc(188) fixHeader: Sending<br>
> type:46 header: 'Negotiate'<br>
> 2016/07/14 12:57:04.159 kid1| 29,4| UserRequest.cc(290) authenticate: No<br>
> Proxy-Auth header and no working alternative. Requesting auth header.<br>
> 2016/07/14 12:57:04.159 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader:<br>
> headertype:46 authuser:NULL<br>
> 2016/07/14 12:57:04.159 kid1| 29,9| Config.cc(188) fixHeader: Sending<br>
> type:46 header: 'Negotiate'<br>
><br>
<br>
</span>That looks like a debug log of Negotiate/Kerberos authentication<br>
beginning on two connections.<br>
<br>
A good secure client does not send credentials until it needs to. Squid<br>
has received a request that it needs to authenticate, but does not yet<br>
have credentials. So it responds with a 407 or 401 message requesting<br>
the client send them using "Negotiate" auth protocol.<br>
 No problem visible.<br>
<br>
<br>
<snip><br>
<span class=""><br>
> Please could you help me? Am I doing something wrong?<br>
<br>
</span>Perhaps if you described what your problem was ?<br></blockquote><div><br><br></div><div>Amos, thanks for your clarification, I get as follows: <br><br>"Sorry, you are not currently allowed to request <a href="http://www.lxer.com/">http://www.lxer.com/</a> from this cache until you have authenticated yourself"<br><br>( trying to use from a Linux client:)<br><br></div><div>(And in fact I've RTFM :-) )<br></div><div><br></div><div>tail /var/log/squid/access.log<br><br>192.168.50.37 - - [15/Jul/2016:12:01:05 -0300] "GET <a href="http://www.lxer.com/">http://www.lxer.com/</a> HTTP/1.1" 407 4064 "-" "curl/7.43.0" TCP_DENIED:HIER_NONE<br><br></div><div>I have a kerberos ticket:<br><br>klist<br>Ticket cache: KEYRING:persistent:16777216:16777216<br>Default principal: john.doe@EXAMPLE.LOCAL<br><br>Valid starting     Expires            Service principal<br>15/07/16 12:00:31  15/07/16 22:00:31  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL<br>        renew until 22/07/16 12:00:31<br><br><br></div><div>End of output<br></div><div><br></div><div>I don't know what I'm doing wrong.<br><br></div><div>Thanks in advance!<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<span class=""><font color="#888888"><br>
Amos<br>
</font></span><div class=""><div class="h5"><br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr">--<br>Sergio Belkin<br>LPIC-2 Certified - <a href="http://www.lpi.org" target="_blank">http://www.lpi.org</a></div></div></div></div>
</div></div>
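<p>The challenge-then-credentials sequence described in the quoted reply can be checked against access.log. The following is an added example, not part of either post: it flags clients that only ever receive 407 challenges and never log an authenticated request. It assumes the log layout shown in the thread, with the third field holding the authenticated user name; the second and third sample lines are constructed.</p>

```python
import re
from collections import defaultdict

# Layout of the access.log line quoted in the thread:
# client ident user [time] "request" status bytes "referer" "agent" result
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<result>\S+)$'
)

# First line is the one from the thread; the other two are constructed.
SAMPLE = [
    '192.168.50.37 - - [15/Jul/2016:12:01:05 -0300] "GET http://www.lxer.com/ '
    'HTTP/1.1" 407 4064 "-" "curl/7.43.0" TCP_DENIED:HIER_NONE',
    '192.168.50.40 - - [15/Jul/2016:12:02:10 -0300] "GET http://www.lxer.com/ '
    'HTTP/1.1" 407 4064 "-" "curl/7.43.0" TCP_DENIED:HIER_NONE',
    '192.168.50.40 - john.doe@EXAMPLE.LOCAL [15/Jul/2016:12:02:10 -0300] '
    '"GET http://www.lxer.com/ HTTP/1.1" 200 5120 "-" "curl/7.43.0" '
    'TCP_MISS:HIER_DIRECT',
]

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_clients(lines):
    """Map each client IP to 'authenticated', 'challenge-only' or 'no-auth-seen'."""
    seen = defaultdict(lambda: {"challenges": 0, "authed": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines in another format
        stats = seen[rec["client"]]
        if rec["user"] != "-":
            stats["authed"] += 1      # credentials were accepted and logged
        elif rec["status"] == "407":
            stats["challenges"] += 1  # proxy asked for credentials
    verdicts = {}
    for client, stats in seen.items():
        if stats["authed"]:
            verdicts[client] = "authenticated"
        elif stats["challenges"]:
            verdicts[client] = "challenge-only"  # client never answered the 407
        else:
            verdicts[client] = "no-auth-seen"
    return verdicts

if __name__ == "__main__":
    for client, verdict in classify_clients(SAMPLE).items():
        print(client, verdict)
```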