Re: Kerberos auth and users in another AD domain

On Tue, 22 Nov 2011 15:34:53 +0100, Emmanuel Lacour wrote:
> I enabled Kerberos auth on an AD domain with a fallback to LDAP basic
> auth.
>
> It seems that if someone uses the proxy from another LAN in another AD
> domain on which I have no control, the basic auth is not used.
>
> Is this understandable? Any way to work around this?


Yes, this is common. The client application is in complete control over which authentication methods it uses. All Squid does is offer a set of possibilities.

Also, Basic auth is sent to the client with a realm= parameter stating which domain/realm Squid supports that method from. NTLM and Kerberos were built around SSO principles, in which a client only has one set of credentials which are globally accepted or not. The validating process (Squid) needs access to the DC (AD server) for that user's credentials.

Marcus has updated the Kerberos wiki pages with a great overview of how both of those work.
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos


Amos
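
The offer described in the reply above, shown as it appears on the wire. This is an added example, not part of the original thread: the 407 response, its realm string and the `parse_offers` / `client_pick` helpers are constructed for illustration, and `client_pick` is a simplified model of a client applying its own preference order.

```python
import re

# Constructed sample: a 407 reply from a proxy offering Negotiate and Basic.
# The realm string and header order are made up for illustration.
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Server: squid\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    'Proxy-Authenticate: Basic realm="Example proxy, domain EXAMPLE.COM"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# key=value pairs; the value is either a quoted string or a bare token.
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_offers(raw_response):
    """Return [(scheme, params)] for each Proxy-Authenticate header, in order.

    Assumes one challenge per header line, as in the sample above.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    offers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authenticate":
            continue
        scheme, _, rest = value.strip().partition(" ")
        params = {}
        for m in _PARAM.finditer(rest):
            quoted = m.group(2)
            # Unescape \" and \\ inside quoted strings; keep bare tokens as-is.
            value_text = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else m.group(3)
            params[m.group(1).lower()] = value_text
        offers.append((scheme, params))
    return offers


def client_pick(offers, client_preference):
    """Client-side model: the first scheme in the client's own list that was offered."""
    offered = {scheme.lower() for scheme, _ in offers}
    for scheme in client_preference:
        if scheme.lower() in offered:
            return scheme
    return None
```

With the same two offers, a client whose list starts with Negotiate picks Negotiate and a Basic-only client picks Basic; the proxy's response is identical in both cases.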


