Adam Majer
50777186fb
- Fix validation of Digest auth header parameters - changes since squid-6.11: - Fix Kerberos detection when cross-compiling - Improve robustness of DNS code on reconfigure - Prevent slow memory leak in TCP DNS queries - Improve errors emitted when invalid ACLs are parsed - Disble ESI. The code is removed upstream in 7.x (bsc#1232485, CVE-2024-45802) OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=301
62 lines
2.4 KiB
Plaintext
62 lines
2.4 KiB
Plaintext
This is the README.kerberos file
|
|
to have squid negotiate/authenticate via kerberos
|
|
|
|
any addons are very welcome
|
|
comments could be posted to <chris(at)computersalat.de>
|
|
|
|
|
|
1) you need to add a "USER" inside your "Domain-Computers" Container
|
|
called "squid". Yes a "USER" and not a Computer.
|
|
You may use another name, but why ?
|
|
|
|
2) After having successfully created the user, you need to create a
|
|
keytab file on your WIN box.
|
|
|
|
Example: !! This is all in one line !!
|
|
|
|
ktpass -princ HTTP/squid@DOMAIN.REALM -pType KRB5_NT_PRINCIPAL \
|
|
-mapuser squid -pass * -out HTTP.keytab
|
|
|
|
3) copy over HTTP.keytab to /etc/squid/ on your linux box
|
|
|
|
4) you have to tell your browsers to negotiate via kerberos
|
|
|
|
Have a look at:
|
|
|
|
a) Internet Explorer does not support Kerberos authentication with proxy servers
|
|
http://support.microsoft.com/?scid=kb%3Ben-us%3B321728&x=19&y=14
|
|
|
|
This limitation was removed in Windows Internet Explorer 7.
|
|
|
|
If Integrated Windows Authentication is turned on in Internet Explorer
|
|
for Windows 2000 and Windows XP, you can complete Kerberos authentication
|
|
with Web servers either directly or through a proxy server. However,
|
|
Internet Explorer cannot use Kerberos to authenticate with the proxy
|
|
server itself.
|
|
|
|
b) Unable to negotiate Kerberos authentication after upgrading to Internet Explorer 6
|
|
http://support.microsoft.com/kb/299838/EN-US/
|
|
|
|
To resolve this issue, enable Internet Explorer 6 to respond to
|
|
a negotiate challenge and perform Kerberos authentication:
|
|
|
|
1. In Internet Explorer, click Internet Options on the Tools menu.
|
|
2. Click the Advanced tab, click to select the Enable
|
|
Integrated Windows Authentication (requires restart) check box
|
|
in the Security section, and then click OK.
|
|
3. Restart Internet Explorer.
|
|
|
|
Administrators can enable Integrated Windows Authentication by
|
|
setting the EnableNegotiate DWORD value to 1 in the following registry key:
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
|
|
|
|
Note Internet Explorer 6, when used with Microsoft Windows 98,
|
|
Microsoft Windows 98 Second Edition, Microsoft Windows Millennium Edition,
|
|
and Microsoft Windows NT 4.0 does not respond to a negotiate challenge and
|
|
default to NTLM (or Windows NT Challenge/Response) authentication even if
|
|
the Enable Integrated Windows Authentication (requires restart) check
|
|
box is selected because Kerberos authentication is not available on
|
|
these operating systems.
|
|
|