[squid-users] Re: Re: squid kerberos authenticators spamming AD and locking out users

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 22 Feb 2013 14:48:56 -0000

"Brett Lymn" <brett.lymn_at_baesystems.com> wrote in message
news:20130221233448.GA749_at_baea.com.au...
> On Thu, Feb 21, 2013 at 11:23:32PM +0000, Markus Moeller wrote:
>>
>> I don't think this has to do with squid and Kerberos.
>>
>
> Reasonably sure it does - for a start the machine that AD says is
> causing the errors is one of the proxy servers and if we restart squid
> on that particular machine the problem stops.
>

Hi Brett,

A pure squid Kerberos authentication setup does not create any connection
between squid and AD. I am 100% sure of that.

If you additionally use squid_kerb_ldap, then yes, there are connections. If
you use NTLM, then there are connections too.

Markus

>> This is a Windows
>> client only issue. Usually the user should be prompted by Windows to
>> update the password. If the user does not update the password, the client
>> won't get a Kerberos ticket and will fall back to NTLM. If that also
>> doesn't work, it won't send anything to squid to authenticate.
>>
>
> That scenario does not match what we are observing, the user has changed
> their password, they are able to (while the account is not locked out)
> browse the web and access other internal resources. Our squid servers
> don't do NTLM.
>
> --
> Brett Lymn
Received on Fri Feb 22 2013 - 14:49:20 MST