On Sat, 28 Nov 2009 17:44:40 -0500
Extra Fu <extrafu@xxxxxxxxx> wrote:

> Hello,
>
> I'm considering dropping the use of NTLM in favor of Kerberos
> (auth_param negotiate) to authenticate users against my AD 2003
> server. To do this, I would like to use the squid_kerb_auth program.
>
> Prior to starting my work on this, I was wondering what would happen for
> users not currently logged in on my domain controller (i.e., users not
> having a valid Kerberos ticket) - for example, users at home or Mac OS
> X / Linux users? From my readings, Safari 3/4, Firefox 2+, IE7/8 all
> seem to support Kerberos authentication to a Squid proxy but for
> clients, it's not clear to me (after reading RFC4559) what will happen
> if no ticket is present when the user goes through the Squid proxy.
>
> Will it just fail?
>
> Thanks for any light you can shine on this.
>
> Best regards,
>

Hi,
at least on Linux it is possible to obtain a valid ticket with the kinit
command. If you want to integrate it further you should take a look at
the Kerberos PAM module (libpam-krb5 on Debian). Firefox is then able to
use Kerberos to authenticate to Squid. I use this kind of setup in a
productive environment.

Regards
--
---------------------------------------
Malte Schröder
MalteSch@xxxxxx
---------------------------------------