[squid-users] Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

From: Muhammet Can <muhitosan_at_gmail.com>
Date: Wed, 11 Jan 2012 14:18:50 +0200

Hi all,

I have been trying to get squid running with kerberos auth for a few
days but I'm in some trouble. The problem has been asked and replied
many times on both the squid-users list and on the web, I have read
them all, and tried to solve the problem. But still no luck.

Here are some of my log files and tests.
(config files were prepared using the wiki;
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos)

--> tail -f cache.log
2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
2012/01/11 11:54:06| squid_kerb_auth: WARNING: received type 1 NTLM token
2012/01/11 11:54:06| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

--> tail -f access.log
192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE
192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE

I have tested kerberos on the server side with;

--> klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator_at_LABRISTEST.COM

--> kinit -V -k -t /opt/labris/etc/labris-webcache/HTTP.keytab HTTP/test2008.labristest.com
Authenticated to Kerberos v5

And, on the client side, I have used kerbtray; it seems the client has the tickets.

I have captured the packets with wireshark as suggested in some of the
earlier messages; it looks like the client still tries to authenticate
with NTLM while we want to use kerberos.

Here are some parts of the wireshark log;
(if needed, you can get the full log from here: http://pastebin.com/btp9PzYu )

client to server;
Hypertext Transfer Protocol
    GET http://www.google.com.tr/ HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET http://www.google.com.tr/ HTTP/1.1\r\n]
        Request Method: GET
        Request URI: http://www.google.com.tr/
        Request Version: HTTP/1.1
    Host: www.google.com.tr\r\n
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
    Accept-Language: tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
    Accept-Encoding: gzip, deflate\r\n
    Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7\r\n
    Proxy-Connection: keep-alive\r\n

server reply;
Hypertext Transfer Protocol
    HTTP/1.0 407 Proxy Authentication Required\r\n
        [Expert Info (Chat/Sequence): HTTP/1.0 407 Proxy Authentication Required\r\n]
        Request Version: HTTP/1.0
        Status Code: 407
        Response Phrase: Proxy Authentication Required
    Server: squid/3.1.12\r\n
    Mime-Version: 1.0\r\n
    Date: Wed, 11 Jan 2012 11:28:01 GMT\r\n
    Content-Type: text/html\r\n
    Content-Length: 1152\r\n
    X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
    Proxy-Authenticate: Negotiate\r\n
    X-Cache: MISS from labris-1\r\n
    X-Cache-Lookup: NONE from labris-1:3128\r\n
    Via: 1.0 labris-1 (squid/3.1.12)\r\n
    Connection: keep-alive\r\n
    \r\n

client tries authentication;
Hypertext Transfer Protocol
    GET http://www.google.com.tr/ HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET http://www.google.com.tr/ HTTP/1.1\r\n]
        Request Method: GET
        Request URI: http://www.google.com.tr/
        Request Version: HTTP/1.1
    Host: www.google.com.tr\r\n
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
    Accept-Language: tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
    Accept-Encoding: gzip, deflate\r\n
    Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7\r\n
    Proxy-Connection: keep-alive\r\n
    Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==\r\n
        NTLM Secure Service Provider
            NTLMSSP identifier: NTLMSSP
            NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
            Flags: 0xe2088297
            Calling workstation domain: NULL
            Calling workstation name: NULL
            Version 6.1 (Build 7601); NTLM Current Revision 15
                Major Version: 6
                Minor Version: 1
                Build Number: 7601
                NTLM Current Revision: 15

Please see me as a newbie,
I'd really appreciate a detailed solution to get squid working with
kerberos and what may cause the problem.

Thanks in advance.

-- 
code is poetry!
muhammetcan.net
Received on Wed Jan 11 2012 - 12:18:57 MST
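The token in the capture above can be checked offline. The following is an added example written for this archive page; it is not code from the original post, from Squid or from squid_kerb_auth. It base64-decodes the value that follows "Negotiate" in a Proxy-Authorization header, tells an NTLMSSP message apart from a GSS-API/SPNEGO InitialContextToken by its leading bytes, and for an NTLMSSP NEGOTIATE_MESSAGE parses the message type, the flags and the Version field. The SPNEGO-shaped token it classifies for contrast is constructed here and is not a valid negTokenInit; all function and variable names are the example's own.

```python
import base64
import struct

# Token taken from the Proxy-Authorization header in the capture in the post.
CAPTURED_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_VERSION = 0x02000000  # flag: the 8-byte Version field is present

# DER-encoded OBJECT IDENTIFIERs that follow the 0x60 [APPLICATION 0] tag of a
# GSS-API InitialContextToken (RFC 2743 section 3.1).
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2
MECH_OIDS = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos V5", MS_KRB5_OID: "MS KRB5"}

# Constructed for this example only: a token with the right outer shape
# (0x60 tag, DER length, SPNEGO OID) but no real negTokenInit inside.
_fake_body = SPNEGO_OID + b"\xa0\x00"
CONSTRUCTED_SPNEGO_TOKEN = base64.b64encode(
    b"\x60" + bytes([len(_fake_body)]) + _fake_body).decode("ascii")


def _der_length(buf, pos):
    """Return (length, position after the length field) for a DER length at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def parse_ntlm_header(raw):
    """Parse the fixed part of an NTLMSSP message (MS-NLMP): type, flags, version."""
    if len(raw) < 12:
        raise ValueError("NTLMSSP message too short")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    info = {"kind": "NTLMSSP", "message_type": msg_type}
    if msg_type == 1 and len(raw) >= 16:
        (flags,) = struct.unpack_from("<I", raw, 12)
        info["flags"] = flags
        # NEGOTIATE_MESSAGE layout: Signature(8) Type(4) Flags(4)
        # DomainNameFields(8) WorkstationFields(8) Version(8) -> Version at offset 32.
        if flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
            major, minor, build, _reserved, revision = struct.unpack_from("<BBH3sB", raw, 32)
            info["version"] = (major, minor, build, revision)
    return info


def classify_negotiate_token(token_b64):
    """Classify the base64 token that follows 'Negotiate' in Proxy-Authorization."""
    raw = base64.b64decode(token_b64, validate=True)
    if raw.startswith(NTLMSSP_SIGNATURE):
        # A raw NTLMSSP message: this is what squid_kerb_auth reports as
        # "received type 1 NTLM token" and answers with BH.
        return parse_ntlm_header(raw)
    if raw[:1] == b"\x60":
        # GSS-API InitialContextToken: mechanism OID follows the DER length.
        _, pos = _der_length(raw, 1)
        for oid, name in MECH_OIDS.items():
            if raw[pos:pos + len(oid)] == oid:
                return {"kind": "GSS", "mech": name}
        return {"kind": "GSS", "mech": "unknown"}
    return {"kind": "unknown"}


def describe(token_b64):
    """One-line verdict in the spirit of the helper's log message."""
    info = classify_negotiate_token(token_b64)
    if info["kind"] == "NTLMSSP":
        return "received type %d NTLM token" % info["message_type"]
    if info["kind"] == "GSS":
        return "GSS-API token, mechanism %s (validate with GSSAPI)" % info["mech"]
    return "unrecognised token"


if __name__ == "__main__":
    print(classify_negotiate_token(CAPTURED_TOKEN))
    print(describe(CAPTURED_TOKEN))
    print(describe(CONSTRUCTED_SPNEGO_TOKEN))
```

Run against the token from the post, it reports message type 1, flags 0xe2088297 and version 6.1 build 7601, revision 15, the same values Wireshark decoded. That is the shape squid_kerb_auth rejects with "BH received type 1 NTLM token": the helper only validates GSS-API/Kerberos tokens, and Windows SSPI places a raw NTLMSSP message in the Negotiate header when it cannot obtain a Kerberos service ticket for the proxy's SPN, so a token that decodes to "NTLMSSP\0" is a sign that the client fell back to NTLM before the request ever reached Kerberos. A Kerberos token instead starts with 0x60 followed by the SPNEGO or Kerberos OID.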