This helper is intended to be used as an
authentication helper in
NOTE: The following squid startup file modification may be required:
Add the following lines to the squid startup script to point squid to a keytab file which
contains the HTTP/fqdn service principal for the default Kerberos domain. The keytab name can
also be provided by the -k <keytab name> option. The fqdn must be the proxy name set in IE
or Firefox. You cannot use an IP address.

If you use a different Kerberos domain than the one the machine itself is in, you can point squid to
the separate Kerberos config file by setting the following environment variable in the startup

Kerberos can keep a replay cache to detect the reuse of Kerberos tickets (usually only possible
in a 5 minute window). If squid is under high load with Negotiate(Kerberos) proxy authentication
requests the replay cache checks can create high CPU load. If the environment does not require
high security the replay cache check can be disabled for MIT based Kerberos implementations by
adding the below to the startup script or by using the -t none option.

If negotiate_kerberos_auth does not determine the right service principal for some reason, you can
provide it with -s HTTP/fqdn.

If you serve multiple Kerberos realms, add an HTTP/fqdn@REALM service principal per realm to the
HTTP.keytab file and use the -s GSS_C_NO_NAME option with negotiate_kerberos_auth.
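
The startup-script settings described in the notes above, as an added example that is not part of the original manual or the Squid project's own code. It assumes MIT Kerberos (which reads KRB5_KTNAME, KRB5_CONFIG and KRB5RCACHETYPE from the environment); the function name and all file paths are hypothetical, and the keytab permission check is an addition.

```shell
#!/bin/sh
# Added example: environment setup for the squid startup script.
# Function name and paths are assumptions, not values from the manual.

# squid_krb5_env KEYTAB [KRB5_CONF] [RCACHE]
#   KEYTAB    keytab holding the HTTP/fqdn service principal
#   KRB5_CONF separate Kerberos config file, or "" for the system default
#   RCACHE    "none" disables the replay cache (MIT Kerberos only);
#             any other value leaves the replay cache enabled
squid_krb5_env() {
    keytab=$1
    krb5_conf=${2:-}
    rcache=${3:-}

    if [ ! -r "$keytab" ]; then
        echo "keytab $keytab missing or unreadable" >&2
        return 1
    fi
    # The keytab holds the service principal's long-term key: refuse it
    # if every local user can read it.
    if [ -n "$(find "$keytab" -prune -perm -004 2>/dev/null)" ]; then
        echo "keytab $keytab is world-readable" >&2
        return 2
    fi
    KRB5_KTNAME=$keytab
    export KRB5_KTNAME

    if [ -n "$krb5_conf" ]; then
        [ -r "$krb5_conf" ] || { echo "cannot read $krb5_conf" >&2; return 3; }
        KRB5_CONFIG=$krb5_conf
        export KRB5_CONFIG
    fi

    if [ "$rcache" = "none" ]; then
        # Replayed tickets are no longer detected in this mode.
        echo "warning: Kerberos replay cache disabled" >&2
        KRB5RCACHETYPE=none
        export KRB5RCACHETYPE
    else
        unset KRB5RCACHETYPE
    fi
    return 0
}

# Example call from the startup script (constructed paths):
# squid_krb5_env /etc/squid/HTTP.keytab /etc/krb5-squid.conf || exit 1
```
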

Copyright (C) 1996-2014 The Squid Software Foundation and contributors
Squid software is distributed under GPLv2+ license and includes
contributions from numerous individuals and organizations.
Please see the COPYING and CONTRIBUTORS files for details.
This program and documentation is copyright to the authors named above.
Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).