negotiate_kerberos_auth man page on DragonFly

negotiate_kerberos_auth(8)			    negotiate_kerberos_auth(8)

NAME
       negotiate_kerberos_auth - Squid kerberos based authentication helper

       Version 3.0.4sq

SYNOPSIS
       negotiate_kerberos_auth [-h] [-d] [-i] [-r] [-s Service-Principal-Name]
       [-k Keytab-Name] [-c Replay-Cache-Directory] [-t Replay-Cache-Type]

DESCRIPTION
       negotiate_kerberos_auth is an installed binary that allows Squid to
       authenticate users via the Negotiate protocol and Kerberos.

OPTIONS
       -h	   Display  the binary help and command line syntax info using
		   stderr.

       -d	   Write debug messages to stderr.

       -i	   Write informational messages to stderr.

       -r	   Remove realm from username before returning the username to
		   squid.

       -s Service-Principal-name
		   Provide Service Principal Name.

       -k Keytab-Name
		   Provide Kerberos Keytab Name (Default: /etc/krb5.keytab)

       -c Replay-Cache-Directory
		   Provide Replay Cache Directory (Default: /var/tmp)

       -t Replay-Cache-Type
		   Provide Replay Cache Type (Default: dfl)

CONFIGURATION
       This helper is intended to be used as an authentication helper in
       squid.conf.

       auth_param negotiate program /path/to/negotiate_kerberos_auth
       auth_param negotiate children 10
       auth_param negotiate keep_alive on

       NOTE: The following squid startup file modification may be required:

       Add the following lines to the squid startup script to point squid to a
       keytab file which contains the HTTP/fqdn service principal for the
       default Kerberos domain. The keytab name can also be provided by the -k
       <keytab name> option. The fqdn must be the proxy name set in IE or
       Firefox. You cannot use an IP address.

       KRB5_KTNAME=/etc/squid/HTTP.keytab
       export KRB5_KTNAME

       If you use a different Kerberos domain than the one the machine itself
       is in, you can point squid to a separate Kerberos config file by
       setting the following environment variable in the startup script.

       KRB5_CONFIG=/etc/krb5-squid.conf
       export KRB5_CONFIG

       Kerberos can keep a replay cache to detect the reuse of Kerberos tickets
       (usually only possible in a 5 minute window). If squid is under high
       load with Negotiate(Kerberos) proxy authentication requests, the replay
       cache checks can create high CPU load. If the environment does not
       require high security, the replay cache check, and with it the detection
       of reused tickets, can be disabled for MIT based Kerberos
       implementations by adding the lines below to the startup script or by
       using the -t none option.

       KRB5RCACHETYPE=none
       export KRB5RCACHETYPE

       If negotiate_kerberos_auth for some reason does not determine the right
       service principal, you can provide it with -s HTTP/fqdn.

       If you serve multiple Kerberos realms, add an HTTP/fqdn@REALM service
       principal per realm to the HTTP.keytab file and use the -s
       GSS_C_NO_NAME option with negotiate_kerberos_auth.
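
       The checks implied by the notes above (proxy name is not an IP address,
       one HTTP/fqdn key per realm, keytab not world-readable, replay cache
       left on), as an added example that is not part of the Squid
       distribution. It assumes MIT-style "klist -k" output; the function
       names, proxy.example.com and the realms are hypothetical.

```shell
#!/bin/sh
# Added example, not Squid code. Hosts, realms and the listing are constructed.

# True if $1 can serve as the proxy name: a dotted host name, not an IP literal.
is_proxy_fqdn() {
    case "$1" in
        ''|*:*|*[!A-Za-z0-9.-]*) return 1 ;;  # empty, IPv6 literal, odd chars
        *[!0-9.]*.*|*.*[!0-9.]*) return 0 ;;  # has a dot and a non-numeric part
        *) return 1 ;;                        # dotted quad or single label
    esac
}

# stdin: `klist -k` output. Prints each realm with an HTTP/<fqdn>@REALM key.
keytab_realms() {
    awk -v p="HTTP/$1@" 'index($2, p) == 1 { print substr($2, length(p) + 1) }' |
        sort -u
}

# stdin as above; $1 = fqdn, remaining args = realms the proxy must serve.
# Prints the realms that have no HTTP/<fqdn> key in the keytab.
missing_realms() {
    fqdn=$1; shift
    have=$(keytab_realms "$fqdn")
    for r in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$r" || printf '%s\n' "$r"
    done
}

# True if the keytab mode lets "other" read the service key.
keytab_world_readable() {
    [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# True unless KRB5RCACHETYPE=none has switched replay detection off.
replay_cache_enabled() {
    [ "${KRB5RCACHETYPE:-}" != "none" ]
}

sample_klist() {   # constructed `klist -k` listing
cat <<'EOF'
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- ----------------------------------------
   3 HTTP/proxy.example.com@EXAMPLE.COM
   2 HTTP/proxy.example.com@SUB.EXAMPLE.COM
   5 host/proxy.example.com@EXAMPLE.COM
EOF
}
sample_klist | missing_realms proxy.example.com EXAMPLE.COM OTHER.EXAMPLE.NET
```

       Against a real keytab, pipe "klist -k /etc/squid/HTTP.keytab" into
       missing_realms in place of sample_klist.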

AUTHOR
       This program was written by Markus Moeller
       <markus_moeller@compuserve.com>

       This manual was written by Markus Moeller
       <markus_moeller@compuserve.com>

COPYRIGHT
	* Copyright (C) 1996-2014 The Squid Software Foundation and contributors
	*
	* Squid software is distributed under GPLv2+ license and includes
	* contributions from numerous individuals and organizations.
	* Please see the COPYING and CONTRIBUTORS files for details.

       This program and documentation is copyright to the authors named above.

       Distributed under the GNU General Public License (GNU GPL) version 2 or
       later (GPLv2+).

QUESTIONS
       Questions on the usage of this program can be sent to the Squid Users
       mailing list <squid-users@squid-cache.org>

REPORTING BUGS
       Bug reports need to be made in English. See
       http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what
       you need to include with your bug report.

       Report bugs or bug fixes using http://bugs.squid-cache.org/

       Report serious security bugs to Squid Bugs <squid-bugs@squid-cache.org>

       Report  ideas for new improvements to the Squid Developers mailing list
       <squid-dev@squid-cache.org>

SEE ALSO
       squid(8) ext_kerberos_ldap_group_acl(8)
       RFC4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in
       Microsoft Windows,
       RFC2478 - The Simple and Protected GSS-API Negotiation Mechanism,
       RFC1964 - The Kerberos Version 5 GSS-API Mechanism,
       The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
       The  Squid  Configuration Manual http://www.squid-cache.org/Doc/config/
       http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
