Re: [squid-users] Kerberos auth and users in another AD domain

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 23 Nov 2011 10:20:25 +1300

 On Tue, 22 Nov 2011 15:34:53 +0100, Emmanuel Lacour wrote:
> I enabled kerberos auth on an AD domain with a fallback to ldap basic
> auth.
>
> It seems that if someone uses the proxy from another lan in another AD
> domain on which I have no control, the basic auth is not used.
>
> Is this understandable? Any way to work around this?

 Yes this is common. The client application is in complete control over
 which authentication methods it uses. All Squid does is offer a set of
 possibilities.

 Also, Basic auth is sent to the client with a realm= parameter stating
 which domain/realm Squid supports that method from. NTLM and Kerberos
 were built around SSO principles, in which a client only has one set of
 credentials which are globally accepted or not. The validating process
 (Squid) needs access to the DC (AD server) for that user's credentials.

 Marcus has updated the Kerberos wiki pages with a great overview of how
 both of those work.
 http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

 Amos
Received on Tue Nov 22 2011 - 21:20:29 MST
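
The offer/choice split described in the reply above, as an added example that is not part of the original message or of Squid: it parses the Proxy-Authenticate challenges from a constructed 407 response and models which scheme a client would try. The realm string, the preference order and the function names are assumptions made for illustration; real clients apply their own selection logic.

```python
import re

# Constructed sample: a 407 offering Negotiate with a Basic fallback.
# The realm value is a made-up placeholder.
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    'Proxy-Authenticate: Basic realm="EXAMPLE.LOCAL proxy"\r\n'
    "\r\n"
)

# Assumed client preference order, strongest first (not taken from any real client).
PREFERENCE = ["negotiate", "ntlm", "digest", "basic"]
PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

def parse_challenges(raw_response):
    """Return [(scheme, {param: value})], one entry per Proxy-Authenticate header."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    challenges = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authenticate":
            continue
        scheme, _, rest = value.strip().partition(" ")
        params = {}
        for m in PARAM_RE.finditer(rest):
            val = m.group(2) if m.group(2) is not None else m.group(3)
            params[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", val)
        challenges.append((scheme.lower(), params))
    return challenges

def client_choice(challenges, client_supports):
    """Scheme a client with the assumed preference order would attempt, or None."""
    offered = {scheme for scheme, _ in challenges}
    for scheme in PREFERENCE:
        if scheme in offered and scheme in client_supports:
            return scheme
    return None

if __name__ == "__main__":
    offers = parse_challenges(SAMPLE_407)
    print("proxy offers:", offers)
    # An SSO-capable client tries Negotiate no matter which AD domain it belongs to,
    # so the Basic challenge and its realm are never used.
    print("SSO client tries:", client_choice(offers, {"negotiate", "ntlm", "basic"}))
    # A client without SSO support falls through to Basic.
    print("Basic-only client tries:", client_choice(offers, {"basic"}))
```
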
