[squid-users] Understanding Fallback Authentication
Amos Jeffries
squid3 at treenet.co.nz
Thu Mar 1 10:35:24 UTC 2018
On 01/03/18 21:42, Thomas.Elsaesser wrote:
>
> Example : if i destroy kerberos keytab file for squid, i see an error in
> cache.log. but not ntlm auth working. How can i configure squid, if
> kerb auth give an error, switch to ntlm? If i disable kerb lines in
> squid.conf and restart squid, ntlm works fine.
You cannot. In HTTP the client decides which auth to perform and sends
credentials only for that scheme. The most Squid can do is offer the
schemes it can understand. Clients are supposed to select the most
secure auth they are capable of.
>From your description it seems like your NTLM clients are probably
trying to use Negotiate/NTLM instead of Negotiate/Kerberos. If so you
should be able to use the negotiate_wrapper helper to allow Squid to
perform Negotiate/NTLM for those clients.
Amos
More information about the squid-users
mailing list