[squid-users] Re: Squid > Kerberos authentication

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sun, 29 Nov 2009 19:33:57 -0000

"Extra Fu" <extrafu_at_gmail.com> wrote in message
news:11be40100911281444x673710b7w26a337d24549660_at_mail.gmail.com...
> Hello,
>
> I'm considering dropping the use of NTLM in favor of Kerberos
> (auth_param negotiate) to authenticate users against my AD 2003
> server. To do this, I would like to use the squid_kerb_auth program.
>
> Prior starting my work on this, I was wondering what would happen for
> users not currently logged in on my domain controller (ie., users not
> having a valid Kerberos ticket) - for example, users at home or Mac OS
> X / Linux users? From my readings, Safari 3/4, Firefox 2+, IE7/8 all
> seems to support Kerberos authentication to a Squid proxy but for
> clients, it's not clear to me (after reading RFC4559) what will happen
> if no ticket is present when the user goes through the Squid proxy.
>
> Will it just fail?
>

On a Windows machine which is not part of the AD domain you will get
prompted for username password and if you have provided a WINS server the
client will determine the AD server to authenticate the username/password
against. In theory Firefox could do the same - use the username/password
and do a kinit for the user, but I haven't seen that Firefox prompts the
user.

> Thanks for any light you can shine on this.
>
> Best regards,
>
Regards
Markus
Received on Sun Nov 29 2009 - 19:35:14 MST

This archive was generated by hypermail 2.2.0 : Mon Nov 30 2009 - 12:00:04 MST