Search squid archive

Re: Kerberos auth and users in another AD domain

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



(sorry for the thread break, I loosed original messages and cannot find
the Message-ID)

Amos, thanks for your hints.

I did some tests to connect to a kerberos enabled squid from a windows
client not within the AD domain:

squid auth setup is: 
negotiate squid_kerb_auth
ntlm
basic (ldap)


As negotiate is proposed and IE support it, it always try to
authenticate with negotiate and so it fails every time.

I tried to invert the auth order, putting basic at first, IE always try
negotiate (when Firefox just use the first one).

With the negotiate,ntlm,basic order, firefox seems to try different
methods, because after three tries of login in, it works.

If I remove negotiate, then I can authenticate using ntlm by specifying
as username DOMAIN\user.

So as I understand, the only way to go is to have two squids:
- one with kerberos for 'domain' users (with ntlm fallback for clients
  not knowing negotiate support, but ntlm and with basic fallback for
  client without negotiate/ntlm support)
- and a second one with only basic auth


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux