GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages


Manual Reference Pages  -  NEGOTIATE_KERBEROS_AUTH (8)

NAME

negotiate_kerberos_auth - Squid kerberos based authentication helper

Version 3.0.4sq

CONTENTS

Synopsis
Description
Options
Configuration
Author
Copyright
Questions
Reporting Bugs
See Also

SYNOPSIS

DESCRIPTION

negotiate_kerberos_auth is an installed binary and allows Squid to authenticate users via the Negotiate protocol and Kerberos.

OPTIONS

Display the binary help and command line syntax info using stderr. Write debug messages to stderr. Write informational messages to stderr. Remove realm from username before returning the username to squid. Provide Service Principal Name. Provide Kerberos Keytab Name (Default: /etc/krb5.keytab) Provide Replay Cache Directory (Default: /var/tmp) Provide Replay Cache Type (Default: dfl)

CONFIGURATION

This helper is intended to be used as an authentication helper in squid.conf.

NOTE: The following squid startup file modification may be required:

Add the following lines to the squid startup script to point squid to a keytab file which contains the HTTP/fqdn service principal for the default Kerberos domain. The keytab name can also be provided by the -k <keytab name> option. The fqdn must be the proxy name set in IE
or firefox. You can not use an IP address.

KRB5_KTNAME=/etc/squid/HTTP.keytab export KRB5_KTNAME

If you use a different Kerberos domain than the machine itself is in you can point squid to the seperate Kerberos config file by setting the following environmnet variable in the startup script.

KRB5_CONFIG=/etc/krb5-squid.conf export KRB5_CONFIG

Kerberos can keep a replay cache to detect the reuse of Kerberos tickets (usually only possible in a 5 minute window) . If squid is under high load with Negotiate(Kerberos) proxy authentication requests the replay cache checks can create high CPU load. If the environment does not require high security the replay cache check can be disabled for MIT based Kerberos implementations by adding the below to the startup script or use the -t none option.

KRB5RCACHETYPE=none export KRB5RCACHETYPE

If negotiate_kerberos_auth doesn’t determine for some reason the right service principal you can provide it with -s HTTP/fqdn.

If you serve multiple Kerberos realms add a HTTP/fqdn@REALM service principal per realm to the HTTP.keytab file and use the -s GSS_C_NO_NAME option with negotiate_kerberos_auth.

AUTHOR

This program was written by

This manual was written by

COPYRIGHT

* Copyright (C) 1996-2014 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
* Please see the COPYING and CONTRIBUTORS files for details.

This program and documentation is copyright to the authors named above.

Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).

QUESTIONS

Questions on the usage of this program can be sent to the Squid Users mailing list

REPORTING BUGS

Bug reports need to be made in English. See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.

Report bugs or bug fixes using http://bugs.squid-cache.org/

Report serious security bugs to Squid Bugs <squid-bugs@squid-cache.org>

Report ideas for new improvements to the Squid Developers mailing list

SEE ALSO

RFC4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows,
RFC2478 - The Simple and Protected GSS-API Negotiation Mechanism,
RFC1964 - The Kerberos Version 5 GSS-API Mechanism,
The Squid FAQ wiki
The Squid Configuration Manual
Search for    or go to Top of page |  Section 8 |  Main Index


Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.