Squid + Kerbeos authentication


i wan to configure a sles (SUSE Linux Enterprise Server 11 (x86_64) V11, PL3) to run a squid proxy with kerberos authentification to the local domain. i start to install/configure with this link:


the keytab was generated with samba.

wbinfo -g show me the existing ad groups. also wbinfo -u shows the current ad users. i also see the kerberos traffic to the windows dc on the wireshark that is installed on the sles system.

if i start a webbrowser that is configured to use the proxy service i get a login prombt, but authentication don´t work. i also see no traffic from the sles system to the windows dc!
error in sqiod log:

2014/07/10 11:24:40| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token' 2014/07/10 11:24:41| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59). 2014/07/10 11:24:41| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40). 2014/07/10 11:24:41| squid_kerb_auth: WARNING: received type 1 NTLM token



default_realm = EXAMPLE.COM

default_realm = LOCAL

    default_realm = EPSCENTRAL.NET
    # Fred auf 2 x auf true
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_keytab_name = /etc/squid/HTTP.keytab
    ticket_lifetime = 24h
    renew_lifetime = 7d
    formwardable = true
    clockskew = 300

default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5



kdc = kerberos.example.com

admin_server = kerberos.example.com


default_domain = epscentral.net
kdc = derigs0019srv.epscentral.net
admin_server = derigs0019srv.epscentral.net

kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log

.epscentral.net = EPSCENTRAL.NET
epscentral.net = EPSCENTRAL.NET
.stuttgart = EPSCENTRAL.NET
stuttgart = EPSCENTRAL.NET

pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
clockskew = 300
external = sshd
use_shmem = sshd
keytab = /etc/squid/HTTP.keytab


auth_param negotiate program /usr/sbin/squid_kerb_auth -d -s HTTP/squid-proxy-3.epscentral.net@EPSCENTRAL.NET

auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours

acl auth proxy_auth REQUIRED

# Error erscheint wenn aktiv:  acl all src all
# acl all src all

# ACHTUNG FUER TEST - wenn diese Zeile aktiv, dann funktioniert Proxy, da ohne Kerberos (Domain) Zugriff vom localnet erlaubt ist
# http_access allow localnet
#    oder:
# localhost
# als letzte Regel: alles verbieten
http_access deny !auth
http_access allow auth
http_access deny all

any ideas?

thanks, markus

Hi I have same issue with my config with Sles+AD=KERBEROS

Do you have troubleshooted your issue?

Thx a lot