Understanding Fallback Authentication


Understanding Fallback Authentication

Thomas.Elsaesser

Dear all,

I have Squid version 3.5.27 running on SLES12SP3.

I have configured Kerberos, NTLM and basic auth with LDAP.

Each authentication scheme runs fine individually: Kerberos auth alone runs fine, NTLM alone runs fine, etc.

I enable all 3 authentications, for example:

auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth …

auth_param ntlm program /usr/local/samba/bin/ntlm_auth …

auth_param basic program /usr/local/squid/libexec/basic_ldap_auth …

 

In which case does it switch from Kerberos to NTLM?

Example: if I destroy the Kerberos keytab file for Squid, I see an error in cache.log, but NTLM auth is not working. How can I configure Squid so that, if Kerberos auth gives an error, it switches to NTLM? If I disable the Kerberos lines in squid.conf and restart Squid, NTLM works fine.

Thanks

Regards

Thomas


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Understanding Fallback Authentication

Amos Jeffries
Administrator
On 01/03/18 21:42, Thomas.Elsaesser wrote:
>
> Example: if I destroy the Kerberos keytab file for Squid, I see an error in
> cache.log, but NTLM auth is not working. How can I configure Squid so that,
> if Kerberos auth gives an error, it switches to NTLM? If I disable the
> Kerberos lines in squid.conf and restart Squid, NTLM works fine.

You cannot. In HTTP the client decides which auth to perform and sends
credentials only for that scheme. The most Squid can do is offer the
schemes it can understand. Clients are supposed to select the most
secure auth they are capable of.


From your description it seems like your NTLM clients are probably
trying to use Negotiate/NTLM instead of Negotiate/Kerberos. If so you
should be able to use the negotiate_wrapper helper to allow Squid to
perform Negotiate/NTLM for those clients.

Amos
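
To see which mechanism a client actually sent (the Negotiate/NTLM versus Negotiate/Kerberos distinction in the reply above), the token in its Proxy-Authorization header can be classified. This is an added example, not part of the original thread or Squid's code; the function name and the sample tokens are constructed for illustration, and the SPNEGO branch is a heuristic.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def classify_proxy_auth(header_value):
    """Return (scheme, mechanism) for one Proxy-Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return (scheme, "basic")
    if scheme not in ("negotiate", "ntlm"):
        return (scheme, "unknown")
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return (scheme, "invalid-base64")
    # Raw NTLMSSP message: with scheme Negotiate this is Negotiate/NTLM.
    if token.startswith(NTLMSSP_SIG):
        if len(token) < 12:
            return (scheme, "ntlm-truncated")
        msg_type = int.from_bytes(token[8:12], "little")
        return (scheme, "ntlm-" + NTLM_TYPES.get(msg_type, "unknown"))
    # GSS-API initial token: 0x60 tag, then the mechanism OID near the start.
    if token[:1] == b"\x60" and (OID_SPNEGO in token[:32] or OID_KRB5 in token[:32]):
        # Heuristic: SPNEGO can also carry NTLMSSP as its inner mechanism token.
        return (scheme, "ntlm-in-spnego" if NTLMSSP_SIG in token else "kerberos")
    return (scheme, "unknown")


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed sample tokens (headers only, no real credentials or tickets).
NTLM_TYPE1 = NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(20)
NTLM_TYPE3 = NTLMSSP_SIG + (3).to_bytes(4, "little") + bytes(52)
KRB_LIKE = b"\x60\x82\x01\x00" + OID_SPNEGO + b"\xa0\x0d\x30\x0b" + OID_KRB5 + bytes(16)
SAMPLES = ["Negotiate " + _b64(NTLM_TYPE1), "Negotiate " + _b64(KRB_LIKE),
           "NTLM " + _b64(NTLM_TYPE3), "Basic dXNlcjpwYXNz"]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_proxy_auth(header), header[:40])
```

A Negotiate header classified as `ntlm-negotiate` is the client behaviour the reply attributes the failure to.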