Re: [squid-users] Kerberos auth and users in another AD domain

From: Emmanuel Lacour <>
Date: Fri, 9 Dec 2011 12:04:47 +0100

On Thu, Dec 08, 2011 at 09:14:51PM +0100, Emmanuel Lacour wrote:
> As negotiate is proposed and IE support it, it always try to
> authenticate with negotiate and so it fails every time.

this is by design since XP SP2:

I did not found any workaround.

here is a setup that I tested, which allow evry kind of auth, exept from
an IE client not in the AD domain:

auth_param negotiate program /usr/lib/squid3/negotiate_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 5
auth_param negotiate keep_alive off

auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST
auth_param ntlm children 5
auth_param ntlm keep_alive off

auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=test,dc=local" -D "cn=Administrator,cn=Users,dc=test,dc=local" -w "xxxxx" -f sAMAccountName=%s -h win-hlbivo4bbdl.test.local -d
auth_param basic casesensitive off
auth_param basic children 5
auth_param basic realm Proxy TEST

NB: setting a default domain for ntlm allow users to just use the login,
without domain\ before
NB: keep_alive off, as written in the docs helps at least FF to not
prompt multiple time for auth
Received on Fri Dec 09 2011 - 11:04:51 MST

This archive was generated by hypermail 2.2.0 : Fri Dec 09 2011 - 12:00:03 MST