2016-07-15 6:31 GMT-03:00 Amos Jeffries <squ...@treenet.co.nz>:

> On 15/07/2016 4:07 a.m., Sergio Belkin wrote:
> > Hi,
> >
> > Using squid squid-3.5.19-1.el7.centos.x86_64,
> >
> > I obtain a kerberos ticket but I get the following when trying to use the
> > proxy:
> >
> > 2016/07/14 12:57:03.711 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
> > 2016/07/14 12:57:03.712 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
> > 2016/07/14 12:57:03.712 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
> > 2016/07/14 12:57:04.159 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
> > 2016/07/14 12:57:04.159 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
> > 2016/07/14 12:57:04.159 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
> >
>
> That looks like a debug log of Negotiate/Kerberos authentication
> beginning on two connections.
>
> A good secure client does not send credentials until it needs to. Squid
> has received a request that it needs to authenticate, but does not yet
> have credentials. So it responds with a 407 or 401 message requesting
> the client send them using "Negotiate" auth protocol.
> No problem visible.
>
> > <snip>
>
> > Please could you help me? Am I doing something wrong?
>
> Perhaps if you described what your problem was ?
>
Amos, thanks, for your clarification, I get as follows:

"Sorry, you are not currently allowed to request http://www.lxer.com/ from this cache until you have authenticated yourself"

( trying to use from a Linux client:)

(And in fact I've RTFM :-) )

tail /var/log/squid/access.log
192.168.50.37 - - [15/Jul/2016:12:01:05 -0300] "GET http://www.lxer.com/ HTTP/1.1" 407 4064 "-" "curl/7.43.0" TCP_DENIED:HIER_NONE

I have a kerberos ticket:

klist
Ticket cache: KEYRING:persistent:16777216:16777216
Default principal: john.doe@EXAMPLE.LOCAL

Valid starting     Expires            Service principal
15/07/16 12:00:31  15/07/16 22:00:31  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
        renew until 22/07/16 12:00:31

End of output

I don't know what I'm doing wrong.

Thanks in advance!

>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>

--
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
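
Added example, not part of the original thread or of Squid's code: a Python script that reads access.log lines in the layout quoted above and separates a 407 challenge that was later followed by an authenticated request from one that was never answered. It assumes Squid's combined log layout, where the third field carries the authenticated user name; every sample line except the first is constructed, and the verdict labels are hypothetical names.

```python
import re
from collections import defaultdict

# Squid "combined" access.log layout, as in the tail output quoted in the thread:
# client ident user [time] "request" status bytes "referer" "agent" result:hier
LINE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<result>\S+)$'
)

# Constructed sample: line 1 is the one from the thread, the rest are invented.
SAMPLE = '''\
192.168.50.37 - - [15/Jul/2016:12:01:05 -0300] "GET http://www.lxer.com/ HTTP/1.1" 407 4064 "-" "curl/7.43.0" TCP_DENIED:HIER_NONE
192.168.50.40 - - [15/Jul/2016:12:02:10 -0300] "GET http://www.example.org/ HTTP/1.1" 407 4064 "-" "ExampleBrowser/1.0" TCP_DENIED:HIER_NONE
192.168.50.40 - jane.roe@EXAMPLE.LOCAL [15/Jul/2016:12:02:10 -0300] "GET http://www.example.org/ HTTP/1.1" 200 5120 "-" "ExampleBrowser/1.0" TCP_MISS:HIER_DIRECT
this line is not an access.log record
'''

def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()

def classify(text):
    """Map (client, url) -> 'completed' | 'challenge-only' | 'no-challenge'."""
    seen = defaultdict(lambda: {"challenged": False, "user": None})
    for rec in parse(text):
        state = seen[(rec["client"], rec["url"])]
        if rec["status"] == "407" and rec["user"] == "-":
            state["challenged"] = True   # proxy asked for credentials
        elif rec["user"] != "-":
            state["user"] = rec["user"]  # a later request carried a user name
    out = {}
    for key, state in seen.items():
        if state["user"]:
            out[key] = "completed"
        elif state["challenged"]:
            out[key] = "challenge-only"
        else:
            out[key] = "no-challenge"
    return out

if __name__ == "__main__":
    for (client, url), verdict in sorted(classify(SAMPLE).items()):
        print(f"{client} {url} {verdict}")
```

A "challenge-only" verdict means only that the log shows no later request with a user name for that client and URL; it does not say why the client did not answer.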