Does anyone have any experience with linking Squid to Active Directory? I've been following the doco (http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory), but authentication is failing. When I do a tcpdump, there's no activity on port 88 (Kerberos) and in cache.log, I get:
ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
So it looks like Squid isn't even trying to auth using Kerberos, and is simply falling back to NTLM.
My krb5.conf looks like this: http://pastebin.com/xqpn0cPm
My squid.conf looks like this: http://pastebin.com/mRBj5X2H
I've got a user 'squid' in AD, and I created the Kerberos keytab using this command:
ktpass -princ HTTP/squid03.domain.local@DOMAIN.LOCAL -mapuser squid@DOMAIN.LOCAL -crypto aes256-sha1 -pass ************* -ptype KRB5_NT_PRINCIPAL -out squid03-http.keytab
I tried using msktutil as in the doco, but I had the same issue.
In the doco, it mentions using negotiate_wrapper (wouldn't compile on any system I tried it on) and squid_kerb_auth (not included with my Squid install). As in my squid.conf, I'm using negotiate_kerberos_auth, which seems to do a similar job.
If anyone has any suggestions, I'd be really grateful to hear them.
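The cache.log error in the post says the helper was handed an NTLM type 1 token inside a Negotiate exchange. As an added example (not part of the original post and not Squid's own code), this Python sketch classifies the base64 token from a captured `Proxy-Authorization: Negotiate ...` header value as raw NTLMSSP, Kerberos, or SPNEGO; the function names and the sample tokens are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

def _outer_mech_oid(token):
    """Return the mechanism OID TLV that follows the 0x60 GSS-API header."""
    if len(token) < 2:
        return b""
    pos = 2 + (token[1] & 0x7F if token[1] & 0x80 else 0)  # skip DER length
    if len(token) < pos + 2 or token[pos] != 0x06:
        return b""
    return token[pos:pos + 2 + token[pos + 1]]

def classify_negotiate(header_value):
    """Classify the token in a 'Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid-base64"
    if token.startswith(NTLMSSP_SIG):
        if len(token) < 12:
            return "ntlm-truncated"
        (msg_type,) = struct.unpack_from("<I", token, 8)  # little-endian type
        return "ntlm-type-%d" % msg_type
    if token[:1] == b"\x60":
        oid = _outer_mech_oid(token)
        if oid == KRB5_OID:
            return "kerberos"
        if oid == SPNEGO_OID:
            # Heuristic: look for an embedded mechanism, not a full ASN.1 parse.
            if NTLMSSP_SIG in token:
                return "spnego-ntlm"
            return "spnego-kerberos" if KRB5_OID in token else "spnego-other"
    return "unknown"

# Constructed sample header values (not captured traffic).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIG + struct.pack("<II", 1, 0x00088207) + bytes(16)).decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    bytes.fromhex("601b") + SPNEGO_OID
    + bytes.fromhex("a011300fa00d300b") + KRB5_OID).decode()

if __name__ == "__main__":
    for value in (SAMPLE_NTLM, SAMPLE_SPNEGO):
        print(classify_negotiate(value))
```

A result of `ntlm-type-1` means the client itself chose NTLM for the Negotiate exchange, which is consistent with seeing no traffic on port 88.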