[squid-users] Kerberos authentication with multiple squids
森 隆聡
t-mori at acty-sys.co.jp
Tue Oct 12 08:33:40 UTC 2021
I made a Single Sign-On environment with AD+Squid and it worked fine.
[It works]
Client(Windows) -> Squid(CentOS) -> Internet
* The client is joined to the domain and Squid is configured for Kerberos authentication with AD.
But after adding another Squid, it didn't work.
[Does not work]
Client -> Squid(No Auth.) -> Squid(Kerberos Auth) -> Internet
I added the two lines below to squid.conf of the 1st Squid (No Auth.)
to relay authentication information.
---
cache_peer [host_of_second_squid] parent [port_no] 0 no-query login=PASSTHRU
never_direct allow all
---
I checked the access.log of the 1st Squid.
It seemed Squid got a 407 and challenged with credentials, but it failed.
---
"time=2021/10/12 15:46:23","un=-","credentials=-","host=[ip_of_first_squid]",
"src_ip=[ip_of_client_pc]","src_port=49776","dest_ip=-","dest_port=-",
"url=www.yahoo.co.jp:443","status=407","http_method=CONNECT"...
"time=2021/10/12 15:46:24","un=[user at domain]","credentials=KK (null)\n",
"host=[ip_of_first_squid]","src_ip=[ip_of_client_pc]","src_port=49776",
"dest_ip=[ip_of_second_squid]","dest_port=3128","url=www.yahoo.co.jp:443",
"status=407","http_method=CONNECT"....
---
I also tested with login=PASS and connection-auth=on but got the same result.
I don't understand why authentication fails with the authentication
information relayed by "login=PASSTHRU".
Do I misunderstand something, or does Squid originally not support
multiple proxies that relay Kerberos authentication information?
For this question I referred to this mail from the mailing list.
https://www.spinics.net/lists/squid/msg85519.html
I submitted a question with images to Stack Overflow.
https://stackoverflow.com/questions/69536317/is-it-possible-to-pass-kerberos-credentials-between-multiple-squids
I would appreciate it if you could point out any points you noticed.
Regards,