几天来,我一直在尝试让 squid 使用 kerberos 身份验证,但遇到了一些麻烦。这个问题在 squid-users 列表和网络上已经被问过和回答过很多次了,我都读完了,并试图解决这个问题。但还是没有成功。
我不确定为什么客户端尝试使用 NTLM 而不是 Kerberos 进行授权,如果您能向我解释如何检查原因以及如何解决问题,我将不胜感激。
这是我的一些日志文件和测试。(配置文件的准备与 wiki 完全相同; http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos)
--> tail -f cache.log
2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid
(length: 59).
2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded
length: 40).
2012/01/11 11:54:06| squid_kerb_auth: WARNING: received type 1 NTLM token
2012/01/11 11:54:06| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH received type 1 NTLM
token'
--> tail -f access.log
192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET
http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE
192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET
http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE
我已经在服务器端测试了 Kerberos;
--> klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
--> kinit -V -k -t /opt/labris/etc/labris-webcache/HTTP.keytab
HTTP/test2008.labristest.com
Authenticated to Kerberos v5
我按照之前的一些解决方案使用 wireshark 捕获了数据包,看起来当我们想要使用 kerberos 时客户端仍然尝试使用 NTLM 进行身份验证。
以下是 wireshark 日志的部分内容;(如果需要,您可以从这里获取完整的日志:http://pastebin.com/btp9PzYu)
client to server;
Hypertext Transfer Protocol
GET http://www.google.com.tr/ HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET http://www.google.com.tr/
HTTP/1.1\r\n]
Request Method: GET
Request URI: http://www.google.com.tr/
Request Version: HTTP/1.1
Host: www.google.com.tr\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101
Firefox/8.0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7\r\n
Proxy-Connection: keep-alive\r\n
server reply;
Hypertext Transfer Protocol
HTTP/1.0 407 Proxy Authentication Required\r\n
[Expert Info (Chat/Sequence): HTTP/1.0 407 Proxy
Authentication Required\r\n]
Request Version: HTTP/1.0
Status Code: 407
Response Phrase: Proxy Authentication Required
Server: squid/3.1.12\r\n
Mime-Version: 1.0\r\n
Date: Wed, 11 Jan 2012 11:28:01 GMT\r\n
Content-Type: text/html\r\n
Content-Length: 1152\r\n
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
Proxy-Authenticate: Negotiate\r\n
X-Cache: MISS from labris-1\r\n
X-Cache-Lookup: NONE from labris-1:3128\r\n
Via: 1.0 labris-1 (squid/3.1.12)\r\n
Connection: keep-alive\r\n
\r\n
client tries authentication;
Hypertext Transfer Protocol
GET http://www.google.com.tr/ HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET http://www.google.com.tr/
HTTP/1.1\r\n]
Request Method: GET
Request URI: http://www.google.com.tr/
Request Version: HTTP/1.1
Host: www.google.com.tr\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101
Firefox/8.0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7\r\n
Proxy-Connection: keep-alive\r\n
Proxy-Authorization: Negotiate
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==\r\n
NTLM Secure Service Provider
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
Flags: 0xe2088297
Calling workstation domain: NULL
Calling workstation name: NULL
Version 6.1 (Build 7601); NTLM Current Revision 15
Major Version: 6
Minor Version: 1
Build Number: 7601
NTLM Current Revision: 15
请把我当作新手,我真的很感激一个让 squid 与 kerberos 一起工作的详细解决方案。
提前致谢。
答案1
由于您使用的是 Firefox,您是否将 Firefox 配置为允许使用 kerberos 进行相关代理协商?默认情况下,Firefox 不会这样做。您必须将您的代理添加到 about:config 中的 network.negotiate-auth.trusted-uris。如果您有多个代理,您可以输入逗号分隔的列表,例如“proxy01.example.com, proxy02.example.com[,...]”。