[squid-users] Negotiate wrappter returns AF = on Debian Jessie
L.P.H. van Belle
belle at bazuin.nl
Thu Mar 24 09:08:21 UTC 2016
Hello Amos,
I was missing this in my setup also; now I know where that problem was coming from. Can you help me a bit by explaining the difference between these, based on the example below? Because if I post somewhere, I want to be sure the setup is correct. And it was not :-( so I'm thinking about what I missed here in my understanding.
--helper-protocol=gss-spnego
--helper-protocol=gss-spnego-client
--helper-protocol=squid-2.5-ntlmssp
I believed the following.
With auth_param negotiate, when I wanted full Kerberos auth,
--helper-protocol=gss-spnego is needed, but I don't know if this is correct.
And I also had * as the username.
--helper-protocol=squid-2.5-ntlmssp also works fine, and I now see the username.
And one more question.
The log now shows:
Kerberos authenticated users: username@REALM
NTLM authenticated users: username
Is there a way to log users with only the username, for both authentications?
Greetz,
Louis
> -----Original message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Amos Jeffries
> Sent: Thursday 24 March 2016 8:50
> To: squid-users at lists.squid-cache.org
> CC: 819102 at bugs.debian.org
> Subject: Re: [squid-users] Negotiate wrappter returns AF = on Debian Jessie
>
> On 18/03/2016 7:29 a.m., James Zuelow wrote:
> > Hello -
> >
> > I have Squid 3.4.8 installed on Debian Jessie.
> >
> > I'm using the negotiate wrapper configured like this:
> >
> > auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
> > --kerberos /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/proxy.domain.local@DOMAIN.LOCAL \
> > --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=DOMAIN.LOCAL
> >
>
> "--helper-protocol=gss-spnego" configures Negotiate/Kerberos, not
> Negotiate/NTLM.
>
> For Negotiate/NTLM what you need is "--helper=squid-2.5-ntlmssp"
>
>
> Or, drop the wrapper helper entirely and just use:
>
> auth_param negotiate program /usr/bin/ntlm_auth \
> --helper-protocol=gss-spnego --domain=DOMAIN.LOCAL
>
> Amos
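The mismatch discussed in this thread (a `negotiate_wrapper_auth` line whose `--ntlm` helper is started with `gss-spnego`) can be caught with a small configuration check. This is an added example, not code from the thread or from Squid; it assumes the `--helper-protocol=squid-2.5-ntlmssp` spelling listed in the message above, and the function names and sample configuration are constructed for illustration.

```python
import shlex

# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE_CONF = r"""
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
  --kerberos /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/proxy.domain.local@DOMAIN.LOCAL \
  --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=DOMAIN.LOCAL
auth_param negotiate children 10
"""

EXPECTED_NTLM_PROTOCOL = "squid-2.5-ntlmssp"  # assumption: spelling from the thread


def logical_lines(text):
    """Join backslash-continued lines; skip blanks and comments."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def wrapper_branches(line):
    """Split a negotiate_wrapper_auth line into --kerberos/--ntlm argument lists."""
    tokens = shlex.split(line)
    if tokens[:3] != ["auth_param", "negotiate", "program"] or len(tokens) < 4:
        return None
    if not tokens[3].endswith("negotiate_wrapper_auth"):
        return None  # helper is run directly, not through the wrapper
    branches, current = {}, None
    for tok in tokens[4:]:
        if tok in ("--kerberos", "--ntlm"):
            current = branches.setdefault(tok[2:], [])
        elif current is not None:  # wrapper options such as -d come before a branch
            current.append(tok)
    return branches


def check_conf(text):
    """Return one finding per wrapper line whose --ntlm helper uses another protocol."""
    findings = []
    for line in logical_lines(text):
        branches = wrapper_branches(line)
        if branches is None:
            continue
        protos = [a.split("=", 1)[1] for a in branches.get("ntlm", [])
                  if a.startswith("--helper-protocol=")]
        if protos != [EXPECTED_NTLM_PROTOCOL]:
            shown = ", ".join(protos) or "no --helper-protocol"
            findings.append(f"--ntlm helper uses {shown}, expected {EXPECTED_NTLM_PROTOCOL}")
    return findings


if __name__ == "__main__":
    print("\n".join(check_conf(SAMPLE_CONF)))
```

A line that runs `ntlm_auth` directly, without the wrapper, is left alone by this check, since the reply quoted above offers that form with `gss-spnego` as an alternative.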