[squid-users] Negotiate wrapper returns AF = on Debian Jessie

James Zuelow James.Zuelow at juneau.org
Thu Mar 24 17:19:03 UTC 2016



> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
> Behalf Of Amos Jeffries
> Sent: Wednesday, March 23, 2016 11:50 PM
> To: squid-users at lists.squid-cache.org
> Cc: 819102 at bugs.debian.org
> Subject: Re: [squid-users] Negotiate wrapper returns AF = on Debian Jessie
> 
> "--helper-protocol=gss-spnego" configures Negotiate/Kerberos, not
> Negotiate/NTLM.
> 
> For Negotiate/NTLM what you need is "--helper=squid-2.5-ntlmssp"
> 
> 
> Or, drop the wrapper helper entirely and just use:
> 
>  auth_param negotiate program /usr/bin/ntlm_auth \
>     --helper-protocol=gss-spnego --domain=DOMAIN.LOCAL
> 
> Amos

Oh.  Thank you!

That does resolve the username issue in the logs.

I'm still a little confused as the proxy was behaving as if it was doing NTLM anyway.

If I used the FQDN to reach the proxy, my username was james_zuelow@DOMAIN.LOCAL as I would expect from a Kerberos authentication.

If I used the IP address to reach the proxy, my understanding is that Kerberos would not work (since the principal now did not match), and I would fall back to NTLM. And in that case my username was james_zuelow, as with plain NTLM. And clients that could not do Kerberos at all, such as non-domain Linux machines, could still authenticate with NTLM username/password.

So except for the log format issue, gss-spnego and squid-2.5-ntlmssp both seem to work as I intended, with Kerberos primary and NTLM fallback.

Thanks again & Debian #819102 can be chalked up to user error.

James
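
Added example, not part of the original thread or of Squid/Samba code: a small classifier that reports which mechanism a client's `Negotiate` credential actually carries, which is a way to confirm the Kerberos-by-FQDN versus NTLM-by-IP behaviour described above. The function names `tlv`, `classify` and `der` are hypothetical, and the sample tokens are constructed rather than captured.

```python
import base64

# DER-encoded OID values for the mechanisms seen inside HTTP Negotiate tokens.
SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
KRB5_MS = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (legacy Microsoft)
NTLM = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
OIDS = {SPNEGO: "spnego", KRB5: "kerberos", KRB5_MS: "kerberos", NTLM: "ntlm"}

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify(header_value):
    """Mechanisms offered by a 'Negotiate <base64>' credential, preferred first."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return ["not-negotiate"]
    try:
        tok = base64.b64decode(b64, validate=True)
        if tok.startswith(b"NTLMSSP\x00"):
            return ["ntlm"]  # raw NTLMSSP message sent under the Negotiate scheme
        tag, body, _ = tlv(tok, 0)
        if tag != 0x60:  # GSS-API InitialContextToken is [APPLICATION 0]
            return ["unknown"]
        _, oid, pos = tlv(body, 0)
        if OIDS.get(oid) != "spnego":
            return [OIDS.get(oid, "unknown")]  # bare mechanism token, e.g. Kerberos
        v = body[pos:]
        for _ in range(4):  # unwrap [0] NegTokenInit > SEQUENCE > [0] mechTypes > SEQUENCE
            _, v, _ = tlv(v, 0)
        mechs, p = [], 0
        while p < len(v):  # mechTypes is a list of OIDs in preference order
            _, oid, p = tlv(v, p)
            mechs.append(OIDS.get(oid, "unknown"))
        return mechs
    except (ValueError, IndexError):  # bad base64 or truncated DER
        return ["malformed"]

# Constructed sample tokens (not captured traffic); short-form DER lengths only.
def der(tag, value):
    return bytes([tag, len(value)]) + value

SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(der(0x60, der(6, SPNEGO) + der(
    0xA0, der(0x30, der(0xA0, der(0x30, der(6, KRB5) + der(6, NTLM))))))).decode()
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(4)).decode()
```

Feeding it the `Proxy-Authorization` value from a packet capture or debug log shows whether a given client offered Kerberos at all or went straight to NTLM.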
