Squid with Kerberos user authentication
Doug Sampson
dougs at dawnsign.com
Thu Jun 30 18:02:55 UTC 2011
I've been running squid on a proxy server for several years and now my boss
wants usage reports organized by users' login names instead of IP
addresses. We're in an Active Directory environment and use Kerberos
authentication. I googled around and used this link:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Squid_Configuration_File
I made all the changes according to the instructions contained in the
link. I ran into a problem with setting the KRB5_KTNAME variable (as
listed in the "Squid Configuration File" section). It states as follows:
---
Add the following to the squid startup script (Make sure the keytab is
readable by the squid process owner e.g. chgrp squid
/etc/squid/HTTP.keytab; chmod g+r /etc/squid/HTTP.keytab )
KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME
---
I'm using the csh shell and apparently the export command isn't part of
the csh shell. After some searching around, I came across this link:
http://www.cyberciti.biz/faq/freebsd-how-to-export-shell-variable/
which gives me the csh replacement for the bash export command. I tried
this:
# setenv KRB5_KTNAME /usr/local/etc/squid/krbcron_squid.keytab
and it appears to have worked.
On top of that, the instructions require that the establishment of the
KRB5_KTNAME variable be done in the squid startup script. In the FreeBSD
OS, would that be the /usr/local/etc/rc.d/squid file? I don't see a
section for setenv in the squid.conf file.
I know I am almost there but I need a nudge here!
~Doug
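
Added example (not part of the original post or of the Squid wiki): a check that a startup script could run before exporting KRB5_KTNAME, written for /bin/sh, the shell that runs FreeBSD rc.d scripts. The function names and return codes are hypothetical, and the refusal of keytabs accessible to "other" is an assumption added on top of the quoted chgrp/chmod step.

```shell
#!/bin/sh
# Added example: validate a keytab before exporting KRB5_KTNAME.
# Function names and return codes are hypothetical, not from Squid.

# Print the 10-character mode string of a file, e.g. -rw-r-----
keytab_mode() {
    ls -ldn -- "$1" 2>/dev/null | cut -c1-10
}

# Export KRB5_KTNAME only when the keytab passes basic checks.
# Returns:
#   0 = keytab accepted, KRB5_KTNAME exported
#   1 = missing or not a regular file
#   2 = not readable by the user running this check
#   3 = some permission bit is set for "other"
use_keytab() {
    kt=$1
    [ -f "$kt" ] || return 1
    [ -r "$kt" ] || return 2
    mode=$(keytab_mode "$kt")
    # Characters 8-10 of the mode string are the "other" permissions.
    other=$(printf '%s' "$mode" | cut -c8-10)
    case $other in
        ---) ;;
        *) return 3 ;;
    esac
    KRB5_KTNAME=$kt
    export KRB5_KTNAME
    return 0
}

# Usage inside a startup script (path taken from the post above):
#   use_keytab /usr/local/etc/squid/krbcron_squid.keytab || exit 1
```

When the startup script runs as root the readability test always passes, so it does not prove that the squid process owner can read the file; the group ownership from the quoted chgrp step still has to be correct.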