Error Validating User Via Negotiate
Help with Squid & LDAP on debian
http://www.linuxquestions.org/questions/linux-networking-3/help-with-squid-and-ldap-on-debian-4175420746/

brokenpromises, 08-06-2012, 11:28 PM:

I am trying to get SQUID with LDAP working in my Active Directory environment using this guide http://www.howtoforge.com/debian-squ...in-reporter-p2

The only thing of note is that the article didn't specify to install squid, and when I searched the apt repositories I see there are 2 variants, one called 'squid' and another called 'squid3', so I installed

Squid kerberos authentication
http://stackoverflow.com/questions/10220745/squid-kerberos-authentication

Question (asked Apr 19 '12 at 2:13 by Jeames Bone; tags: active-directory centos kerberos squid):

I am running a squid proxy server (CentOS 5) that I am trying to get working with kerberos through our AD server (Windows Server 2008).

I have followed the instructions here: http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos To setup a keytab for the server, which has all worked perfectly.

The problem occurs when I attempt to use the proxy from a client PC, where it immediately falls back to basic authentication.

If I use the ip address of the proxy I receive this message in cache.log:

    authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

If I use the domain name of the proxy I receive this message in cache.log:

    authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Configuration file does not specify default realm'

If I run klist on the client it has a ticket for the proxy server listed.

Thanks in advance!

Answer (answered Aug 31 '12 at 22:33 by user1639764; edited Oct 4 '12 at 11:02 by j0k):

You need to specify the SPN in the helper inside squid.conf
With the -s http/fqdn@REALM
squid_kerb_auth received type 1 NTLM token
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-kerb-auth-received-type-1-NTLM-token-td2131613.html

lieven-2:

Dear list,

I have currently a problem where it seems that my clients, webbrowsers firefox 3.5 and IE8 only seem to return NTLM tokens as authentication instead of kerberos.

This is the error in the cache log from squid:

    ...
    squid_kerb_auth: WARNING: received type 1 NTLM token
    authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
    ...

squid has been configured like this:

    ./configure --enable-negotiate-auth-helpers=squid_kerb_auth --enable-stacktraces --prefix=/opt/squid-3.1.3

make and make install went fine. the squid box is a cleanly installed debian lenny i386. Squid itself seems to run fine, I can browse through it. Then my goal to use kerberos authentication fails with the error above.

in my krb5.conf I have the following info in my realm:

    kdc = xxx.xxx.xxx.xxx
    admin_server = xxx.xxx.xxx.xxx

these are the libdefaults:

    [libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_kdc = no
    dns_lookup_realm = no
    default_keytab_name = /etc/HTTP.keytab
    ticket_lifetime = 24h

the /etc/HTTP.keytab file is like this:

    -rw-r----- 1 squid squid 532 2010-05-05 20:58 /etc/HTTP.keytab

squid is running as user "squid"

First I got a kerberos ticket with:

    kinit administrator

I can see a krbtgt ticket with klist.

I'm trying to authenticate against a windows 2008 dc and I used msktutil like this:

    msktutil -c -b "CN=COMPUTERS" -s HTTP/domain.local -h domain.local -k /etc/HTTP.keytab --computer-name squid3-proxy --upn HTTP/domain.local --server ad2008srvr.domain.local --verbose --enctypes 28

The squid config file is quite basic. (only relevant parts here - I think)

    auth_param negotiate program /opt/squid-3.1.3/sbin/squid_kerb_auth -d
    auth_param negotiate children 10
    auth_param negotiate keep_alive on
    acl AUTHENTICATED proxy_auth REQUIRED
    http_access allow AUTHENTICATED

DNS seems to work alright, the AD server is used for dns and has a working A and P

https://www.mail-archive.com/squid-users@squid-cache.org/msg79054.html
R2 SP2. I have followed the kerberos authentication guide on squid-cache and many other guides, I always end up with these logs in my cache.log. My client browser keeps prompting for username/password. Even a valid set of credentials are not accepted.

    2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
    2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
    2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
    2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
    2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
    2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
    2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
    2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
    2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
    2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

I want to check and make sure my keytab entries are good. How do I do that? My client System can list the tickets for client principal. Please have a look at my krb5.conf & keytab file here http://pastebin.com/vTBr3r5D

I'm using this command to create the keytab file.

    msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server ad01.orangegroup.com --verbose

All the domains are resolving properly to IPs. Thanks for your help.
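
Added example, not part of any of the posts above: a small Python check that decodes the base64 token from a squid_kerb_auth debug line and reports from its leading bytes whether the client sent an NTLMSSP message or a GSS-API (SPNEGO/Kerberos) token. The function names are hypothetical, and the SPNEGO sample is constructed (header and OID only); the log line is the one quoted in the post above.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs that follow the GSS-API 0x60 header.
MECH_OIDS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO",
    bytes.fromhex("06092a864886f712010202"): "Kerberos 5",
}

# Debug line copied from the cache.log excerpt above.
PAGE_LOG_LINE = ("2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR "
                 "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' "
                 "from squid (length: 59).")
# Constructed sample: only the first bytes of a SPNEGO token (header + OID).
CONSTRUCTED_SPNEGO = base64.b64encode(
    bytes.fromhex("600806062b0601050502")).decode()


def classify_token(b64_token):
    """Name the mechanism of a base64 Negotiate token by its leading bytes."""
    raw = base64.b64decode(b64_token, validate=True)
    if raw.startswith(NTLM_SIGNATURE):
        if len(raw) < 12:
            return "NTLM (truncated)"
        (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type
        return f"NTLM type {msg_type}"
    if len(raw) >= 2 and raw[0] == 0x60:  # GSS-API initial context token
        # Skip the DER length: one byte, or 1 + n bytes in long form.
        pos = 2 + ((raw[1] & 0x7F) if raw[1] & 0x80 else 0)
        for oid, name in MECH_OIDS.items():
            if raw.startswith(oid, pos):
                return f"GSS-API {name}"
        return "GSS-API (other mechanism)"
    return "unknown"


def classify_log_line(line):
    """Classify the token in a squid_kerb_auth "Got 'YR <token>'" line."""
    marker = "Got 'YR "
    start = line.find(marker)
    if start < 0:
        return None
    start += len(marker)
    end = line.find("'", start)
    return classify_token(line[start:end]) if end > start else None


if __name__ == "__main__":
    print(classify_log_line(PAGE_LOG_LINE))
    print(classify_token(CONSTRUCTED_SPNEGO))
```

An "NTLM type 1" result means the browser answered the Negotiate challenge with an NTLMSSP message and presented no Kerberos ticket in that request, which is the case the helper logs as 'received type 1 NTLM token'.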