c6c50dfbd7
- Changes to squid-3.5.10 (01 Oct 2015): * Regression Fix cache_peer login=PASS(THRU) after CVE-2015-5400 * Regression Bug 4326: base64 binary encoder rejects data beginning with nil byte * Bug 4323: Netfilter broken cross-includes with Linux 4.2 * Bug 4328: %un format code does not work for external ACLs in credentials-fetching rules * Bug 4208: more than one port in wccp2_service_info line causes error * Bug 4304: PeerConnector.cc:743 "!callback" assertion. * Bug 4330: Do not use SSL_METHOD::put_cipher_by_char to determine size of SSL hello ciphers * Relicense ntlm_fake_auth.pl to GPLv2+ * Relicense smb_lm auth helper to GPLv2+ * Relicense SSPI helper to GPLv2+ * ... and several minor performance optimizations OBS-URL: https://build.opensuse.org/request/show/337274 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/squid?expand=0&rev=32 |
||
---|---|---|
.gitattributes | ||
.gitignore | ||
pam.squid | ||
README.kerberos | ||
squid-3.5.10.tar.xz | ||
squid-3.5.10.tar.xz.asc | ||
squid-brokenad.patch | ||
squid-config.patch | ||
squid-old-kerberos.patch | ||
squid-rpmlintrc | ||
squid.changes | ||
squid.init | ||
squid.init.rh | ||
squid.keyring | ||
squid.logrotate | ||
squid.permissions | ||
squid.service | ||
squid.spec | ||
squid.sysconfig | ||
unsquid.pl |
This is the README.kerberos file to have squid negotiate/authenticate via kerberos any addons are very welcome comments could be posted to <chris(at)computersalat.de> 1) you need to add a "USER" inside your "Domain-Computers" Container called "squid". Yes a "USER" and not a Computer. You may use another name, but why ? 2) After having successfully created the user, you need to create a keytab file on your WIN box. Example: !! This is all in one line !! ktpass -princ HTTP/squid@DOMAIN.REALM -pType KRB5_NT_PRINCIPAL \ -mapuser squid -pass * -out HTTP.keytab 3) copy over HTTP.keytab to /etc/squid/ on your linux box 4) you have to tell your browsers to negotiate via kerberos Have a look at: a) Internet Explorer does not support Kerberos authentication with proxy servers http://support.microsoft.com/?scid=kb%3Ben-us%3B321728&x=19&y=14 This limitation was removed in Windows Internet Explorer 7. If Integrated Windows Authentication is turned on in Internet Explorer for Windows 2000 and Windows XP, you can complete Kerberos authentication with Web servers either directly or through a proxy server. However, Internet Explorer cannot use Kerberos to authenticate with the proxy server itself. b) Unable to negotiate Kerberos authentication after upgrading to Internet Explorer 6 http://support.microsoft.com/kb/299838/EN-US/ To resolve this issue, enable Internet Explorer 6 to respond to a negotiate challenge and perform Kerberos authentication: 1. In Internet Explorer, click Internet Options on the Tools menu. 2. Click the Advanced tab, click to select the Enable Integrated Windows Authentication (requires restart) check box in the Security section, and then click OK. 3. Restart Internet Explorer. Administrators can enable Integrated Windows Authentication by setting the EnableNegotiate DWORD value to 1 in the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings Note Internet Explorer 6, when used with Microsoft Windows 98, Microsoft Windows 98 Second Edition, Microsoft Windows Millennium Edition, and Microsoft Windows NT 4.0 does not respond to a negotiate challenge and default to NTLM (or Windows NT Challenge/Response) authentication even if the Enable Integrated Windows Authentication (requires restart) check box is selected because Kerberos authentication is not available on these operating systems.