I am happily using Kerberos authentication for my AD domain users. In fact the 
driving force was fewer prompts for my Mac users: Safari and some other 
browsers don't support Kerberos, so I also have a fallback to NTLM auth, but 
they are much happier using Kerberos (in Firefox) and I don't take nearly so 
many calls... Plus there's one less auth request between my DCs and squid.

AFAIK winbind is used for your NTLM and Samba config but not for Kerberos 
authentication directly. 

Process for an AD domain is: 
1. Get your time, network, Samba, winbind and Kerberos settings configured and 
   join the squid server to the domain.
2. kinit as a user.
3. Create a dummy computer account, add the SPNs and export the keytab using 
   msktutil.
4. klist -k <path-to-the-keytab-file>, i.e. /etc/squid/HTTP.keytab. This will 
   confirm you have exported the keys properly.
5. Ensure permissions on the keytab allow squid to use it.
6. Update the init.d/squid startup to use the keytab.
7. Update squid.conf to use the squid_kerb_auth helper.


>> Are the kerberos-tickets persistent, or do I have to renew them periodically?
Host Kerberos tickets are by default 10 hours. They will renew automatically 
provided the user (for example) is valid and the SPNs are OK, and the KVNO 
doesn't change for the auth account/keytab.

>> What happens, if this account will locked out? Is then the squid-access 
>> denied?
A locked-out account won't matter: you are authenticating your users against AD, 
not the domain account you created.

>>Can someone help me with this? Are there some other examples, which describes 
>>a promptless login (SSO) with plain kerberos?
The Squid wiki howto on Kerberos has the basics, although that example uses Samba 
to create and export the keytab. I have found this to cause problems, as Samba 
periodically changes the computer account in AD and thus the KVNOs get out of 
sync, hence the dummy account.

Search this list for squid_kerb_auth, msktutil and Kerberos for more info and 
help.




Company Registration details:
The Conde Nast Publications Ltd
Vogue House
Hanover Square
London W1S 1JU

Registered in London No. 226900

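The procedure described in the message (dummy computer account created with msktutil, keytab check with klist, keytab permissions, KRB5_KTNAME in the init script, squid_kerb_auth in squid.conf), collected into one script as an added example. This is not the poster's script and none of it comes from the original message. The hostnames proxy.example.com and dc.example.com, the realm EXAMPLE.COM, the computer-account name PROXY-HTTP, the keytab path /etc/squid/HTTP.keytab, the helper path /usr/lib/squid/squid_kerb_auth and the squid user name are all assumptions; adjust them for your site (on newer Squid the helper is named negotiate_kerberos_auth). The helper functions only print the msktutil command, the init-script line and the squid.conf fragment so they can be reviewed; the steps that touch AD run only when the script is invoked with `apply`, and the `kvno -k` step is the check that the KVNO in the keytab still matches the account in AD, which is exactly what goes wrong when Samba rotates the account.

```shell
#!/bin/sh
# Added example, not from the original post: the dummy-account / keytab /
# squid.conf procedure as a script. Every hostname, realm, path and account
# name below is an assumption; adjust before use.
set -eu

PROXY_FQDN="${PROXY_FQDN:-proxy.example.com}"       # assumed proxy hostname (HTTP SPN host)
REALM="${REALM:-EXAMPLE.COM}"                       # assumed AD realm
DC="${DC:-dc.example.com}"                          # assumed domain controller
KEYTAB="${KEYTAB:-/etc/squid/HTTP.keytab}"          # keytab the helper will read
ACCOUNT="${ACCOUNT:-PROXY-HTTP}"                    # dummy computer account, not the host's own
SQUID_USER="${SQUID_USER:-squid}"                   # "proxy" on Debian/Ubuntu
HELPER="${HELPER:-/usr/lib/squid/squid_kerb_auth}"  # assumed helper path

# msktutil call that creates the dummy computer account, adds the HTTP SPN
# and writes its key to the keytab. Printed so it can be reviewed; apply()
# executes it.
msktutil_create_cmd() {
    printf 'msktutil -c -b "CN=COMPUTERS" -s HTTP/%s -k %s --computer-name %s --upn HTTP/%s --server %s --verbose\n' \
        "$PROXY_FQDN" "$KEYTAB" "$ACCOUNT" "$PROXY_FQDN" "$DC"
}

# Line for the init.d/squid start script: squid_kerb_auth finds the keytab
# through KRB5_KTNAME.
init_env_line() {
    printf 'export KRB5_KTNAME=%s\n' "$KEYTAB"
}

# squid.conf fragment: negotiate auth through the helper, pinned with -s to
# the SPN that was exported, and deny anything that is not authenticated.
squid_conf_fragment() {
    cat <<EOF
auth_param negotiate program $HELPER -s HTTP/$PROXY_FQDN
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerb_users proxy_auth REQUIRED
http_access deny !kerb_users
http_access allow kerb_users
EOF
}

# The keytab must be readable by the squid user only: owner matches and the
# mode is 600 or 400. Parses ls -ld so it does not depend on GNU stat.
keytab_perms_ok() {
    f=$1; owner=$2
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")
    mode=$(printf '%s' "$1" | cut -c1-10)
    [ "$3" = "$owner" ] || return 1
    [ "$mode" = "-rw-------" ] || [ "$mode" = "-r--------" ]
}

# Steps that touch AD and the filesystem. Needs a ticket for an account that
# may create computer objects in CN=COMPUTERS (ADMIN_USER is an assumption).
apply() {
    kinit "${ADMIN_USER:-admin}@$REALM"
    sh -c "$(msktutil_create_cmd)"
    klist -k "$KEYTAB"                 # one line per key: KVNO and principal
    chown "$SQUID_USER" "$KEYTAB"
    chmod 600 "$KEYTAB"
    keytab_perms_ok "$KEYTAB" "$SQUID_USER"
    # The real KVNO check (MIT kvno): fetch a ticket for the SPN and decrypt
    # it with the keytab. Fails if the AD account's KVNO has moved on.
    kvno -k "$KEYTAB" "HTTP/$PROXY_FQDN"
    echo "Add to /etc/init.d/squid (assumed path):"; init_env_line
    echo "Add to squid.conf:"; squid_conf_fragment
}

if [ "${1:-}" = apply ]; then
    apply
fi
```

Run it with no arguments to review the generated command and config, and with `apply` once the kinit account and the assumed names are right. If `kvno -k` fails after the account was created, compare the KVNO shown by `klist -k` with the account's msDS-KeyVersionNumber in AD before touching squid.conf; a mismatch there is the out-of-sync KVNO the message warns about.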