How can I check why Active Directory cannot use Kerberos and falls back to NTLM?

I have been trying to get Squid running with Kerberos auth for a few days, but I am having some trouble. This question has been asked and answered many times on the squid-users list and on the web; I have read all of them and tried to solve the problem. But still no luck.

I am not sure why the client tries to authenticate with NTLM instead of Kerberos. I would be grateful if you could explain to me how to check the reason and how to fix it.

Here are some of my log files and tests. (The configuration file was prepared as in the wiki: http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos )

    --> tail -f cache.log
    2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
    2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
    2012/01/11 11:54:06| squid_kerb_auth: WARNING: received type 1 NTLM token
    2012/01/11 11:54:06| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

    --> tail -f access.log
    192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE
    192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE

I have tested Kerberos on the server side;

    --> klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: [email protected]

    --> kinit -V -k -t /opt/labris/etc/labris-webcache/HTTP.keytab HTTP/test2008.labristest.com
    Authenticated to Kerberos v5

I have captured some traffic with Wireshark while trying the earlier solutions, and it looks like the client still tries to authenticate using NTLM, whereas we want to use Kerberos.

Here are some parts of the Wireshark log; (if needed, you can get the full log from here: http://pastebin.com/btp9PzYu )

    client to server;

    Hypertext Transfer Protocol
        GET http://www.google.com.tr/ HTTP/1.1\r\n
            [Expert Info (Chat/Sequence): GET http://www.google.com.tr/ HTTP/1.1\r\n]
            Request Method: GET
            Request URI: http://www.google.com.tr/
            Request Version: HTTP/1.1
        Host: www.google.com.tr\r\n
        User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0\r\n
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
        Accept-Language: tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
        Accept-Encoding: gzip, deflate\r\n
        Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7\r\n
        Proxy-Connection: keep-alive\r\n

    server reply;

    Hypertext Transfer Protocol
        HTTP/1.0 407 Proxy Authentication Required\r\n
            [Expert Info (Chat/Sequence): HTTP/1.0 407 Proxy Authentication Required\r\n]
            Request Version: HTTP/1.0
            Status Code: 407
            Response Phrase: Proxy Authentication Required
        Server: squid/3.1.12\r\n
        Mime-Version: 1.0\r\n
        Date: Wed, 11 Jan 2012 11:28:01 GMT\r\n
        Content-Type: text/html\r\n
        Content-Length: 1152\r\n
        X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
        Proxy-Authenticate: Negotiate\r\n
        X-Cache: MISS from labris-1\r\n
        X-Cache-Lookup: NONE from labris-1:3128\r\n
        Via: 1.0 labris-1 (squid/3.1.12)\r\n
        Connection: keep-alive\r\n
        \r\n

    client tries authentication;

    Hypertext Transfer Protocol
        GET http://www.google.com.tr/ HTTP/1.1\r\n
            [Expert Info (Chat/Sequence): GET http://www.google.com.tr/ HTTP/1.1\r\n]
            Request Method: GET
            Request URI: http://www.google.com.tr/
            Request Version: HTTP/1.1
        Host: www.google.com.tr\r\n
        User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0\r\n
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
        Accept-Language: tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
        Accept-Encoding: gzip, deflate\r\n
        Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7\r\n
        Proxy-Connection: keep-alive\r\n
        Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==\r\n
            NTLM Secure Service Provider
                NTLMSSP identifier: NTLMSSP
                NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
                Flags: 0xe2088297
                Calling workstation domain: NULL
                Calling workstation name: NULL
                Version 6.1 (Build 7601); NTLM Current Revision 15
                    Major Version: 6
                    Minor Version: 1
                    Build Number: 7601
                    NTLM Current Revision: 15

Please bear in mind that I am a newbie; I would really appreciate a detailed solution for getting Squid to work with Kerberos.

Thanks in advance.

Since you are using Firefox, have you configured Firefox to allow Kerberos for proxy negotiation? Firefox does not do this by default. You will have to add your proxy to network.negotiate-auth.trusted-uris in about:config. If you have multiple proxies, you can enter a comma-separated list, such as "proxy01.example.com,proxy02.example.com[,…]".
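The "received type 1 NTLM token" warning in the question's cache.log is the check the title asks for: the Negotiate scheme is only a wrapper, and the base64 blob after `Proxy-Authorization: Negotiate` is either a GSS-API/SPNEGO token (what squid_kerb_auth expects and what Firefox sends once the proxy is in network.negotiate-auth.trusted-uris) or a raw NTLMSSP message (what the client falls back to when it has no Kerberos ticket for the proxy). The script below is an added example, not code from the thread or from Squid; it decodes the token captured in the question and tells the two cases apart, and it pulls tokens out of squid_kerb_auth's `Got 'YR ...'` debug lines. The SPNEGO sample token is constructed for the example (header and mechanism OID only), and the function names are mine.

```python
"""Classify the token behind `Proxy-Authorization: Negotiate <base64>`.

The payload is either a GSS-API InitialContextToken (ASN.1 APPLICATION 0
tag 0x60 followed by a mechanism OID, normally SPNEGO) or, from a Windows
client that could not obtain a Kerberos ticket for the proxy, a raw NTLMSSP
message.  squid_kerb_auth only accepts the first kind, which is why it logs
"received type 1 NTLM token" and answers "BH".
"""
import base64
import re
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000  # MS-NLMP flag: a Version block is present

# DER-encoded mechanism OIDs that can appear at the front of a GSS-API token.
GSS_MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "SPNEGO 1.3.6.1.5.5.2",
    bytes.fromhex("2a864886f712010202"): "Kerberos V5 1.2.840.113554.1.2.2",
    bytes.fromhex("2a864882f712010202"): "MS Kerberos V5 1.2.840.48018.1.2.2",
}

# The token from the question's cache.log / Wireshark trace.
CAPTURED_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

# Constructed sample (not from the thread): just the GSS-API header and the
# SPNEGO OID, which is all the classifier inspects.  A real token continues
# with a NegTokenInit carrying the Kerberos AP-REQ.
SAMPLE_SPNEGO_TOKEN = base64.b64encode(
    b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02").decode()

# One squid_kerb_auth debug line, copied from the question's cache.log.
SAMPLE_CACHE_LOG = [
    "2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Got 'YR "
    + CAPTURED_TOKEN + "' from squid (length: 59).",
]


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(b64_token):
    """Return a dict saying which mechanism the Negotiate payload carries."""
    raw = base64.b64decode(b64_token)

    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info = {
            "mechanism": "NTLMSSP",
            "ntlm_message_type": msg_type,
            "ntlm_message_name": NTLM_MESSAGE_NAMES.get(msg_type, "unknown"),
        }
        if msg_type == 1 and len(raw) >= 16:
            flags = struct.unpack_from("<I", raw, 12)[0]
            info["flags"] = flags
            # The NEGOTIATE message ends with an 8-byte Version block at offset 32
            # when the VERSION flag is set (Wireshark shows it as "Version 6.1").
            if flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
                major, minor, build = struct.unpack_from("<BBH", raw, 32)
                info["client_os_version"] = (major, minor, build)
        return info

    if raw[:1] == b"\x60":
        _, pos = _der_length(raw, 1)
        if raw[pos:pos + 1] == b"\x06":
            oid_len, oid_start = _der_length(raw, pos + 1)
            oid = raw[oid_start:oid_start + oid_len]
            return {"mechanism": "GSS-API",
                    "oid": GSS_MECH_OIDS.get(oid, "unknown OID " + oid.hex())}
        return {"mechanism": "GSS-API", "oid": "unparsed"}

    return {"mechanism": "unknown"}


# Squid's negotiate helper protocol: YR is the first token of an exchange,
# KK any later one.
_HELPER_LINE = re.compile(r"Got '(?:YR|KK) (\S+)'")


def tokens_from_cache_log(lines):
    """Pull the base64 blobs out of squid_kerb_auth 'Got ...' debug lines."""
    return [m.group(1) for m in map(_HELPER_LINE.search, lines) if m]


if __name__ == "__main__":
    for token in tokens_from_cache_log(SAMPLE_CACHE_LOG):
        print(classify_negotiate_token(token))
    print(classify_negotiate_token(SAMPLE_SPNEGO_TOKEN))
```

Run against the captured token this reports NTLMSSP, message type 1 (NEGOTIATE), flags 0xe2088297 and client OS 6.1 build 7601, matching the Wireshark dissection in the question; after the proxy is added to network.negotiate-auth.trusted-uris the same check on a fresh capture should report GSS-API with the SPNEGO OID instead.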