Hi Amos,
I'm trying to implement Kerberos as you suggested. But following the guide I read "Do not use this method if you run winbindd or other samba services as samba will reset the machine password every x days and thereby makes the keytab invalid !!" and my system guy told me we use the winbindd method. How can I implement it? Thanks

2015-12-16 21:12 GMT+01:00 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> On 17/12/2015 5:34 a.m., Fabio Bucci wrote:
>> I'm planning to migrate to Kerberos instead of NTLM... I've got a question for
>> you Amos: sometimes a client reports an issue in navigation and, searching the
>> log file, I cannot see "username" and all the requests are 407
>>
>> In these cases is there a way to reset a user session or is it completely a
>> client issue?
>
> Usually it is the client stuck in a loop trying Negotiate/NTLM auth for
> some reason. Some old Firefox, most Safari, and older IE can all get
> stuck trying those credentials and ignoring the offers of Basic.
>
> It might be possible to figure out some LmCompatibility settings change
> that makes the problem just go away (eg, forcing NTLM of all versions to
> disabled on the client).
>
> Other than that Squid does have some workaround responses it can be made
> to send back that might help the client reach the right conclusion:
>
> a) list Basic auth first in the config. Any properly working client will
> re-sort the auth types by security level and do the Kerberos anyway. But
> the broken ones (particularly IE7 and older) will have more chance of
> using Basic.
>
> b) sending 407 response with no auth headers. Such as a deny 407 status
> generated by external ACL deny, or a URL-redirector. These tell the
> client that auth failed, but there is no acceptable fallback.
>
> c) sending Connection:close. Sometimes (mostly Firefox v20-v40) it is
> the client prematurely attaching the credentials to the connection and
> re-using them. That is supposed to have been fixed recently, but I've
> not confirmed.
>
> d) sending 403 status response. To just flat-out block the client once
> it enters the looping state. Hoping that later requests will start to
> work again.
>
>
> HTH
> Amos
>
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
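
An added example, not part of the original thread or of Squid itself: a Python check that scans access.log lines for the symptom discussed above, a client producing a run of 407 replies with no username logged. It assumes Squid's default native log format; the sample lines, addresses and the threshold of 5 are constructed for illustration.

```python
"""Flag clients that look stuck in a proxy-auth loop in Squid's access.log."""
from collections import defaultdict

# Constructed sample in Squid's native format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1450296720.101 2 10.0.0.15 TCP_DENIED/407 4012 GET http://example.com/ - HIER_NONE/- text/html
1450296720.150 2 10.0.0.22 TCP_DENIED/407 4012 GET http://example.org/ - HIER_NONE/- text/html
1450296720.210 2 10.0.0.15 TCP_DENIED/407 4012 GET http://example.com/ - HIER_NONE/- text/html
1450296720.260 2 10.0.0.22 TCP_DENIED/407 4012 GET http://example.org/ - HIER_NONE/- text/html
1450296720.300 2 10.0.0.15 TCP_DENIED/407 4012 GET http://example.com/ - HIER_NONE/- text/html
1450296720.340 85 10.0.0.22 TCP_MISS/200 5120 GET http://example.org/ alice HIER_DIRECT/192.0.2.10 text/html
1450296720.400 2 10.0.0.15 TCP_DENIED/407 4012 GET http://example.com/ - HIER_NONE/- text/html
1450296720.500 2 10.0.0.15 TCP_DENIED/407 4012 GET http://example.com/ - HIER_NONE/- text/html
1450296720.600 2 10.0.0.15 TCP_DENIED/407 4012 GET http://example.com/ - HIER_NONE/- text/html
"""

def parse_line(line):
    """Return the fields we need from one native-format line, or None."""
    fields = line.split()
    if len(fields) < 10:
        return None  # truncated line or a custom logformat
    status = fields[3].partition("/")[2]  # "TCP_DENIED/407" -> "407"
    return {"client": fields[2], "status": status, "user": fields[7]}

def find_auth_loops(lines, threshold=5):
    """Map client IP -> longest run of consecutive 407s with no username.

    One or two 407s before a success are a normal Negotiate/NTLM handshake,
    so only runs of at least `threshold` are reported.
    """
    current = defaultdict(int)
    longest = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["client"]
        if rec["status"] == "407" and rec["user"] == "-":
            current[ip] += 1
            longest[ip] = max(longest[ip], current[ip])
        else:
            current[ip] = 0  # any other reply ends the run for this client
    return {ip: n for ip, n in longest.items() if n >= threshold}

if __name__ == "__main__":
    for ip, run in find_auth_loops(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {run} consecutive unauthenticated 407 replies")
```

Clients behind a shared address (NAT, terminal servers) interleave their requests under one IP, so a reported run there needs a second look before acting on it.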