Hi.
I'm moving some of my caches to 3.3.x (from 3.1.x and 3.2.x).
I'm using SPNEGO on some (along with kerberos_ldap_group helper).
I noticed an important behaviour change compared to 3.1.x and 3.2.x:
- squid 3.3.x requires the visible_hostname to be set to the Kerberos
ticket principal it's using for SPNEGO
- squid 3.3.x requires the hostname of the proxy in the browser to be set
- squid 3.3.x requires the hostname of the proxy in the browser to be
exactly the same as the Kerberos principal in the ticket
If any of these conditions aren't met, the authentication fails. If
these conditions are met, the authentication functions as in the
previous versions (my caches are running same configs with minor
alterations). But I find those requirements a bit uncomfortable.
When SPNEGO isn't used, these requirements aren't needed.
Is this a feature, or am I hitting some bug?
Thanks.
Eugene.
Received on Fri Jul 19 2013 - 11:24:55 MDT