[squid-users] Authenticacion with Active Directory fails
Sergio Belkin
sebelk at gmail.com
Fri Jul 15 15:11:06 UTC 2016
2016-07-15 6:31 GMT-03:00 Amos Jeffries <squid3 at treenet.co.nz>:
> On 15/07/2016 4:07 a.m., Sergio Belkin wrote:
> > Hi,
> >
> > Using squid squid-3.5.19-1.el7.centos.x86_64,
> >
> > I obtain a kerberos ticket but I get the following when trying to use the
> > proxy:
> >
> > 2016/07/14 12:57:03.711 kid1| 29,4| UserRequest.cc(290) authenticate: No
> > Proxy-Auth header and no working alternative. Requesting auth header.
> > 2016/07/14 12:57:03.712 kid1| 29,9| UserRequest.cc(487)
> addReplyAuthHeader:
> > headertype:46 authuser:NULL
> > 2016/07/14 12:57:03.712 kid1| 29,9| Config.cc(188) fixHeader: Sending
> > type:46 header: 'Negotiate'
> > 2016/07/14 12:57:04.159 kid1| 29,4| UserRequest.cc(290) authenticate: No
> > Proxy-Auth header and no working alternative. Requesting auth header.
> > 2016/07/14 12:57:04.159 kid1| 29,9| UserRequest.cc(487)
> addReplyAuthHeader:
> > headertype:46 authuser:NULL
> > 2016/07/14 12:57:04.159 kid1| 29,9| Config.cc(188) fixHeader: Sending
> > type:46 header: 'Negotiate'
> >
>
> That looks like a debug log of Negotiate/Kerberos authentication
> beginning on two connections.
>
> A good secure client does not send credentials until it needs to. Squdi
> has received a request that it needs to authenticate, but does not yet
> have credentiasl. So it responds with a 407 or 401 message requesting
> the client send them using "Negotiate" auth protocol.
> No problem visible.
>
>
> <snip>
>
> > Please could you help me? Am I doing something wrong?
>
> Perhapse if you described what your problem was ?
>
Amos, thanks, for your clarification, I get as follows:
"Sorry, you are not currently allowed to request http://www.lxer.com/ from
this cache until you have authenticated yourself"
( trying to use from a Linux client:)
(And in fact I've RTFM :-) )
tail /var/log/squid/access.log
192.168.50.37 - - [15/Jul/2016:12:01:05 -0300] "GET http://www.lxer.com/
HTTP/1.1" 407 4064 "-" "curl/7.43.0" TCP_DENIED:HIER_NONE
I have a kerberos ticket:
klist
Ticket cache: KEYRING:persistent:16777216:16777216
Default principal: john.doe at EXAMPLE.LOCAL
Valid starting Expires Service principal
15/07/16 12:00:31 15/07/16 22:00:31 krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL
renew until 22/07/16 12:00:31
End of output
I don't know what I'm doing wrong.
Thanks in advance!
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
--
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160715/fc462faf/attachment-0001.html>
More information about the squid-users
mailing list