Hi,

I want to configure a SLES system (SUSE Linux Enterprise Server 11 (x86_64) V11, PL3) to run a Squid proxy with Kerberos authentication against the local domain. I started to install/configure it using this link:

http://wiki.squid-cache.org/ConfigEx...icate/Kerberos

The keytab was generated with Samba.

wbinfo -g shows me the existing AD groups. wbinfo -u also shows the current AD users. I also see the Kerberos traffic to the Windows DC in Wireshark, which is installed on the SLES system.

If I start a web browser that is configured to use the proxy service, I get a login prompt, but authentication doesn't work. I also see no traffic from the SLES system to the Windows DC!
Error in the squid log:
Code:
2014/07/10 11:24:40| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2014/07/10 11:24:41| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
2014/07/10 11:24:41| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
2014/07/10 11:24:41| squid_kerb_auth: WARNING: received type 1 NTLM token
krb5.conf:
Code:
[libdefaults]
#       default_realm = EXAMPLE.COM
#       default_realm = LOCAL
        default_realm = EPSCENTRAL.NET
        # Fred: set both to true
        dns_lookup_kdc = true
        dns_lookup_realm = true
        default_keytab_name = /etc/squid/HTTP.keytab
        ticket_lifetime = 24h
        renew_lifetime = 7d
        # option name corrected from "formwardable"
        forwardable = true
        clockskew = 300

#       default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
#       default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
#       permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5


[realms]
#       EXAMPLE.COM = {
#                kdc = kerberos.example.com
#               admin_server = kerberos.example.com
#       }
EPSCENTRAL.NET = {
        default_domain = epscentral.net
        kdc = derigs0019srv.epscentral.net
        admin_server = derigs0019srv.epscentral.net
}

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

[domain_realm]
        .epscentral.net = EPSCENTRAL.NET
        epscentral.net = EPSCENTRAL.NET
        .EPSCENTRAL.NET = EPSCENTRAL.NET
        EPSCENTRAL.NET = EPSCENTRAL.NET
        .stuttgart = EPSCENTRAL.NET
        stuttgart = EPSCENTRAL.NET
        .STUTTGART = EPSCENTRAL.NET
        STUTTGART = EPSCENTRAL.NET

[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
        clockskew = 300
        external = sshd
        use_shmem = sshd
        keytab = /etc/squid/HTTP.keytab
}
squid.conf:

Code:
auth_param negotiate program /usr/sbin/squid_kerb_auth -d -s HTTP/squid-proxy-3.epscentral.net@EPSCENTRAL.NET

auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours

acl auth proxy_auth REQUIRED


# Error appears when active:  acl all src all
# acl all src all

# NOTE FOR TESTING - if this line is active the proxy works, because access from localnet is then allowed without Kerberos (domain)
# http_access allow localnet
#    or:
# localhost
# as the last rule: deny everything
http_access deny !auth
http_access allow auth
http_access deny all
Any ideas?

Thanks, Markus
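The helper's DEBUG line already contains the answer to "what did the browser send?": the base64 blob after `YR` is the client's first token. Below is an added decoder (not part of the post, nor Squid's own code) that pulls that blob out of a squid_kerb_auth log line and tells you whether it is an NTLMSSP message, a SPNEGO token, or a raw Kerberos AP-REQ; the sample line is the one quoted in the post, re-typed here as a constructed input, and the OID constants are the standard GSS-API DER encodings.

```python
import base64
import re
import struct

# Constructed sample: the helper's DEBUG line as quoted in the post above.
SAMPLE_LOG_LINE = ("2014/07/10 11:24:41| squid_kerb_auth: DEBUG: Got "
                   "'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' "
                   "from squid (length: 59).")

# DER-encoded mechanism OIDs found right after the GSS-API token header.
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"               # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"     # 1.2.840.113554.1.2.2
NTLMSSP_NEGOTIATE_VERSION = 0x02000000


def token_from_log(line):
    """Extract and base64-decode the client token from a 'Got ...' DEBUG line."""
    m = re.search(r"Got '(?:YR|KK) ([A-Za-z0-9+/=]+)'", line)
    if not m:
        raise ValueError("no helper token found in line")
    return base64.b64decode(m.group(1))


def classify_token(tok):
    """Describe what the client actually sent (NTLM, SPNEGO, Kerberos, other)."""
    if tok.startswith(b"NTLMSSP\x00"):
        # NTLMSSP header: 8-byte signature, then message type and flags (LE).
        msg_type, flags = struct.unpack_from("<II", tok, 8)
        desc = "NTLM type %d" % msg_type
        # In a NEGOTIATE (type 1) message the 8-byte Version field sits at
        # offset 32, after the domain and workstation field descriptors.
        if msg_type == 1 and flags & NTLMSSP_NEGOTIATE_VERSION and len(tok) >= 40:
            major, minor, build = struct.unpack_from("<BBH", tok, 32)
            desc += " (client OS %d.%d build %d)" % (major, minor, build)
        return desc
    if len(tok) >= 2 and tok[:1] == b"\x60":
        # GSS-API InitialContextToken: APPLICATION 0 tag, DER length, then OID.
        i = 2
        if tok[1] & 0x80:
            i += tok[1] & 0x7f  # long-form length: skip the length bytes
        if tok[i:].startswith(SPNEGO_OID):
            return "SPNEGO (Kerberos negotiation possible)"
        if tok[i:].startswith(KRB5_OID):
            return "raw Kerberos 5 AP-REQ"
        return "GSS-API token with unknown mechanism"
    return "unrecognised token"


if __name__ == "__main__":
    print(classify_token(token_from_log(SAMPLE_LOG_LINE)))
```

For the token in the post this reports an NTLM type 1 message from a Windows 6.1 client, which is exactly why squid_kerb_auth answers "BH received type 1 NTLM token": the browser fell back to NTLM instead of obtaining a Kerberos ticket for the proxy's HTTP/ service principal, so nothing ever reaches the DC.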