man pages section 8: System Administration Commands

Updated: Wednesday, July 27, 2022
negotiate_kerberos_auth (8)


System Manager's Manual                             negotiate_kerberos_auth(8)



NAME
       negotiate_kerberos_auth - Squid Kerberos-based authentication helper

       Version 3.0.4sq

SYNOPSIS
       negotiate_kerberos_auth [-h] [-d] [-i] [-r] [-s Service-Principal-Name]
       [-k Keytab-Name] [-c Replay-Cache-Directory] [-t Replay-Cache-Type]

DESCRIPTION
       negotiate_kerberos_auth is an installed  binary  and  allows  Squid  to
       authenticate users via the Negotiate protocol and Kerberos.


OPTIONS
       -h          Display  the binary help and command line syntax info using
                   stderr.

       -d          Write debug messages to stderr.

       -i          Write informational messages to stderr.

       -r          Remove realm from username before returning the username to
                   squid.

       -s Service-Principal-Name
                   Provide Service Principal Name.

       -k Keytab-Name
                   Provide Kerberos Keytab Name (Default: /etc/krb5.keytab)

       -c Replay-Cache-Directory
                   Provide Replay Cache Directory (Default: /var/tmp)

       -t Replay-Cache-Type
                   Provide Replay Cache Type (Default: dfl)

CONFIGURATION
       This  helper  is  intended  to  be  used as an authentication helper in
       squid.conf.

       auth_param negotiate program /path/to/negotiate_kerberos_auth
       auth_param negotiate children 10
       auth_param negotiate keep_alive on

       NOTE: The following squid startup file modification may be required:

       Add the following lines to the squid startup script to point squid to a
       keytab file which contains the HTTP/fqdn service principal for the
       default Kerberos domain. The keytab name can also be provided by the -k
       <keytab name> option. The fqdn must be the proxy name configured in IE
       or Firefox; it cannot be an IP address.

       KRB5_KTNAME=/etc/squid/HTTP.keytab
       export KRB5_KTNAME

       If you use a different Kerberos domain than the one the machine itself
       is in, you can point squid to a separate Kerberos config file by setting
       the following environment variable in the startup script.

       KRB5_CONFIG=/etc/krb5-squid.conf
       export KRB5_CONFIG

       Kerberos can keep a replay cache to detect the reuse of Kerberos
       tickets (usually only possible within a 5 minute window). If squid is
       under high load with Negotiate (Kerberos) proxy authentication requests,
       the replay cache checks can create high CPU load. If the environment
       does not require high security, the replay cache check can be disabled
       for MIT based Kerberos implementations by adding the below to the
       startup script, or by using the -t none option.

       KRB5RCACHETYPE=none
       export KRB5RCACHETYPE

       If for some reason negotiate_kerberos_auth does not determine the right
       service principal, you can provide it with -s HTTP/fqdn.

       If you serve multiple Kerberos realms, add an HTTP/fqdn@REALM service
       principal per realm to the HTTP.keytab file and use the
       -s GSS_C_NO_NAME option with negotiate_kerberos_auth.
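       The following POSIX sh helper is an added example, not code from the
       Squid project or this man page. It builds the -s service principal from
       the proxy FQDN (refusing IP addresses and short names, as required
       above), checks that the keytab exists and is not readable by group or
       other, and emits the startup-script exports for KRB5_KTNAME, KRB5_CONFIG
       and KRB5RCACHETYPE. Host names and paths in the comments are constructed
       placeholders.

```sh
# Added example, not code from the Squid project or this man page.
# Host names and paths used in the comments are constructed placeholders.
# True if the argument looks like a dotted IPv4 address.
is_ipv4() {
    case "$1" in
        *[!0-9.]*) return 1 ;;   # contains something other than digits and dots
        *.*.*.*)   return 0 ;;
        *)         return 1 ;;
    esac
}

# Build the value for -s: HTTP/fqdn, or HTTP/fqdn@REALM when a realm is given.
# Rejects IP addresses and bare short names, since clients must use the proxy FQDN.
service_principal() {
    host=$1; realm=${2:-}
    if is_ipv4 "$host" || [ "${host#*.}" = "$host" ]; then
        printf 'invalid proxy name: %s\n' "$host" >&2
        return 1
    fi
    if [ -n "$realm" ]; then
        printf 'HTTP/%s@%s\n' "$host" "$realm"
    else
        printf 'HTTP/%s\n' "$host"
    fi
}

# The keytab holds the HTTP service key: require a regular file with no
# group/other permission bits (e.g. mode 0600, owned by the squid user).
check_keytab() {
    [ -f "$1" ] || { printf 'missing keytab: %s\n' "$1" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other bits from ls -l
    case "$perms" in
        ------) return 0 ;;
        *) printf 'keytab %s readable by group/other (%s)\n' "$1" "$perms" >&2
           return 1 ;;
    esac
}

# Emit the export lines for the squid startup script. The replay cache type
# defaults to dfl; "none" disables replay detection to save CPU, as described above.
startup_env() {
    keytab=$1; krb5conf=${2:-}; rcache=${3:-dfl}
    printf 'KRB5_KTNAME=%s; export KRB5_KTNAME\n' "$keytab"
    if [ -n "$krb5conf" ]; then
        printf 'KRB5_CONFIG=%s; export KRB5_CONFIG\n' "$krb5conf"
    fi
    printf 'KRB5RCACHETYPE=%s; export KRB5RCACHETYPE\n' "$rcache"
}
```

       Source the file and run, for example, startup_env /etc/squid/HTTP.keytab
       from the startup script, after check_keytab has confirmed the keytab's
       permissions.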


AUTHOR
       This program was written by Markus Moeller
       <markus_moeller@compuserve.com>

       This manual was written by Markus Moeller
       <markus_moeller@compuserve.com>

COPYRIGHT
       Copyright (C) 1996-2014 The Squid Software Foundation and contributors

       Squid software is distributed under GPLv2+ license and includes
       contributions from numerous individuals and organizations.
       Please see the COPYING and CONTRIBUTORS files for details.

       This program and documentation is copyright to the authors named above.

       Distributed under the GNU General Public License (GNU GPL) version 2 or
       later (GPLv2+).

QUESTIONS
       Questions on the usage of this program can be sent to the  Squid  Users
       mailing list <squid-users@lists.squid-cache.org>

REPORTING BUGS
       Bug reports need to be made in English. See
       http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what
       you need to include with your bug report.

       Report bugs or bug fixes using http://bugs.squid-cache.org/

       Report serious security bugs to Squid Bugs
       <squid-bugs@lists.squid-cache.org>

       Report ideas for new improvements to the Squid Developers mailing  list
       <squid-dev@lists.squid-cache.org>


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------+------------------+
       |ATTRIBUTE TYPE | ATTRIBUTE VALUE  |
       +---------------+------------------+
       |Availability   | web/proxy/squid  |
       +---------------+------------------+
       |Stability      | Uncommitted      |
       +---------------+------------------+

SEE ALSO
       squid(8) ext_kerberos_ldap_group_acl(8)
       RFC4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in
       Microsoft Windows,
       RFC2478 - The Simple and Protected GSS-API Negotiation Mechanism,
       RFC1964 - The Kerberos Version 5 GSS-API Mechanism,
       The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
       The Squid Configuration  Manual  http://www.squid-cache.org/Doc/config/
       http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos



NOTES
       Source code for open source software components in Oracle Solaris can
       be found at
       https://www.oracle.com/downloads/opensource/solaris-source-code-downloads.html.

       This software was built from source available at
       https://github.com/oracle/solaris-userland. The original community
       source was downloaded from
       http://www.squid-cache.org/Versions/v4/squid-4.15.tar.xz.

       Further information about this software can be found on the open source
       community website at http://www.squid-cache.org/.
