Re: [squid-users] Squid > Kerberos authentication

From: Malte Schröder <maltesch_at_gmx.de>
Date: Sun, 29 Nov 2009 09:57:13 +0100

On Sat, 28 Nov 2009 17:44:40 -0500
Extra Fu <extrafu_at_gmail.com> wrote:

> Hello,
>
> I'm considering dropping the use of NTLM in favor of Kerberos
> (auth_param negotiate) to authenticate users against my AD 2003
> server. To do this, I would like to use the squid_kerb_auth program.
>
> Prior starting my work on this, I was wondering what would happen for
> users not currently logged in on my domain controller (ie., users not
> having a valid Kerberos ticket) - for example, users at home or Mac OS
> X / Linux users? From my readings, Safari 3/4, Firefox 2+, IE7/8 all
> seems to support Kerberos authentication to a Squid proxy but for
> clients, it's not clear to me (after reading RFC4559) what will happen
> if no ticket is present when the user goes through the Squid proxy.
>
> Will it just fail?
>
> Thanks for any light you can shine on this.
>
> Best regards,
>

Hi,
at least on Linux it is possible to obtain a valid ticket with the
kinit command. If you want to integrate it further you should take a
look at the kerberos PAM-module (libpam-krb5 on debian).

Firefox is then able to use kerberos to authenticate to Squid. I use
this kind of setup in a productive environment.

Regards

-- 
---------------------------------------
Malte Schröder
MalteSch_at_gmx.de
---------------------------------------

Received on Sun Nov 29 2009 - 08:57:25 MST

This archive was generated by hypermail 2.2.0 : Sun Nov 29 2009 - 12:00:04 MST