[squid-users] Squid with NTLM auth behind netscaler

Fabio Bucci fabietto82 at gmail.com
Tue Dec 29 14:30:15 UTC 2015


Hi Amos,
I'm trying to implement Kerberos as you suggested to me. But following
the guide I read "Do not use this method if you run winbindd or other
samba services as samba will reset the machine password every x days
and thereby makes the keytab invalid !!" and my system guy told me we
use the winbindd method.

How can I implement it, then?
Thanks

2015-12-16 21:12 GMT+01:00 Amos Jeffries <squid3 at treenet.co.nz>:
> On 17/12/2015 5:34 a.m., Fabio Bucci wrote:
>> I'm planning to migrate to Kerberos instead of NTLM..... I got a question for
>> you Amos: sometimes a client reports issues in navigation and, searching in the
>> log file, I cannot see the "username" and all the requests are 407.
>>
>> In these cases is there a way to reset a user session, or is it completely a
>> client issue?
>
> Usually it is the client stuck in a loop trying Negotiate/NTLM auth for
> some reason. Some old Firefox, most Safari, and older IE can all get
> stuck trying those credentials and ignoring the offers of Basic.
>
> It might be possible to figure out some LmCompatibility settings change
> that makes the problem just go away (eg, forcing NTLM of all versions to
> disabled on the client).
>
> Other than that Squid does have some workaround responses it can be made
> to send back that might help the client reach the right conclusion:
>
> a) list Basic auth first in the config. Any properly working client will
> re-sort the auth types by security level and do the Kerberos anyway. But
> the broken ones (particularly IE7 and older) will have more chance of
> using Basic.
>
> b) sending 407 response with no auth headers. Such as a deny 407 status
> generated by external ACL deny, or a URL-redirector. These tell the
> client that auth failed, but there is no acceptable fallback.
>
> c) sending Connection:close. Sometimes (mostly Firefox v20-v40) it is
> the client prematurely attaching the credentials to the connection and
> re-using them. That is supposed to have been fixed recently, but I've
> not confirmed.
>
> d) sending 403 status response. To just flat-out block the client once
> it enters the looping state. Hoping that later requests will start to
> work again.
>
>
> HTH
> Amos
>

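The looping symptom Amos describes above (a client whose requests are all 407 with no username in the log) can be spotted from Squid's native access.log. The following is an added example, not code from the thread or from the Squid project; the log lines are constructed, and the threshold of five consecutive unauthenticated 407s is an assumption chosen to separate a normal first challenge from a stuck client.

```python
import re
from collections import defaultdict

# Squid native access.log layout (assumed here):
# timestamp elapsed client action/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample: 10.0.0.5 gets one challenge and then authenticates with
# Kerberos; 10.0.0.9 keeps receiving 407 and never presents a username.
SAMPLE_LOG = """\
1451400000.101      3 10.0.0.5 TCP_DENIED/407 3951 GET http://www.example.com/ - HIER_NONE/- text/html
1451400000.205    120 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/ fabio@EXAMPLE.COM HIER_DIRECT/93.184.216.34 text/html
1451400001.001      2 10.0.0.9 TCP_DENIED/407 3951 GET http://www.example.com/ - HIER_NONE/- text/html
1451400001.052      2 10.0.0.9 TCP_DENIED/407 3951 GET http://www.example.com/ - HIER_NONE/- text/html
1451400001.103      2 10.0.0.9 TCP_DENIED/407 3951 GET http://www.example.com/ - HIER_NONE/- text/html
1451400001.154      2 10.0.0.9 TCP_DENIED/407 3951 GET http://www.example.com/ - HIER_NONE/- text/html
1451400001.205      2 10.0.0.9 TCP_DENIED/407 3951 GET http://www.example.com/ - HIER_NONE/- text/html
1451400001.256      2 10.0.0.9 TCP_DENIED/407 3951 GET http://www.example.com/ - HIER_NONE/- text/html
"""


def auth_loops(log_text, threshold=5):
    """Return {client: run_length} for every client whose most recent run of
    consecutive 407 responses without a username is at least `threshold` long.
    A normal client produces a short run (one challenge, then an authenticated
    request); a client stuck in the Negotiate/NTLM loop keeps the run growing."""
    runs = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in native format
        client = m["client"]
        if m["status"] == "407" and m["user"] == "-":
            runs[client] += 1
        else:
            runs[client] = 0  # any authenticated or non-407 reply ends the run
    return {c: n for c, n in runs.items() if n >= threshold}


if __name__ == "__main__":
    for client, n in auth_loops(SAMPLE_LOG).items():
        print(f"{client}: {n} consecutive unauthenticated 407s, likely auth loop")
```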
