Provided by: squid_3.5.12-1ubuntu7.16_amd64 bug

NAME
       negotiate_kerberos_auth - Squid kerberos based authentication helper

       Version 3.0.4sq


SYNOPSIS
       negotiate_kerberos_auth   [-h]   [-d]   [-i]   [-r]  [-s  Service-Principal-Name]  [-k  Keytab-Name]  [-c
       Replay-Cache-Directory] [-t Replay-Cache-Type]


DESCRIPTION
       negotiate_kerberos_auth is an installed binary and allows Squid to authenticate users via  the  Negotiate
       protocol and Kerberos.


OPTIONS
       -h          Display the binary help and command line syntax info using stderr.

       -d          Write debug messages to stderr.

       -i          Write informational messages to stderr.

       -r          Remove realm from username before returning the username to squid.

       -s Service-Principal-name
                   Provide Service Principal Name.

       -k Keytab-Name
                   Provide Kerberos Keytab Name (Default: /etc/krb5.keytab)

       -c Replay-Cache-Directory
                   Provide Replay Cache Directory (Default: /var/tmp)

       -t Replay-Cache-Type
                   Provide Replay Cache Type (Default: dfl)


CONFIGURATION
       This helper is intended to be used as an authentication helper in squid.conf.

       auth_param negotiate program /path/to/negotiate_kerberos_auth
       auth_param negotiate children 10
       auth_param negotiate keep_alive on

       NOTE: The following squid startup file modification may be required:

       Add  the  following  lines to the squid startup script to point squid to a keytab file which contains the
       HTTP/fqdn service principal for the default Kerberos domain. The keytab name can also be provided by  the
       -k <keytab name> option. The fqdn must be the proxy name set in IE
        or firefox. You can not use an IP address.

       KRB5_KTNAME=/etc/squid/HTTP.keytab export KRB5_KTNAME

       If  you use a different Kerberos domain than the machine itself is in you can point squid to the seperate
       Kerberos config file by setting the following environmnet variable in the startup script.

       KRB5_CONFIG=/etc/krb5-squid.conf export KRB5_CONFIG

       Kerberos can keep a replay cache to detect the reuse of Kerberos tickets (usually only possible  in  a  5
       minute  window)  . If squid is under high load with Negotiate(Kerberos) proxy authentication requests the
       replay cache checks can create high CPU load. If the environment  does  not  require  high  security  the
       replay  cache  check  can  be  disabled for MIT based Kerberos implementations by adding the below to the
       startup script or use the -t none option.

       KRB5RCACHETYPE=none export KRB5RCACHETYPE

       If negotiate_kerberos_auth doesn't determine for some reason the right service principal you can  provide
       it with -s HTTP/fqdn.

       If  you  serve  multiple  Kerberos  realms  add  a  HTTP/fqdn@REALM  service  principal  per realm to the
       HTTP.keytab file and use the -s GSS_C_NO_NAME option with negotiate_kerberos_auth.


AUTHOR
       This program was written by Markus Moeller <markus_moeller@compuserve.com>

       This manual was written by Markus Moeller <markus_moeller@compuserve.com>


COPYRIGHT
        * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
        *
        * Squid software is distributed under GPLv2+ license and includes
        * contributions from numerous individuals and organizations.
        * Please see the COPYING and CONTRIBUTORS files for details.

       This program and documentation is copyright to the authors named above.

       Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).


QUESTIONS
       Questions  on  the  usage  of  this  program  can   be   sent   to   the   Squid   Users   mailing   list
       <squid-users@squid-cache.org>


REPORTING BUGS
       Bug  reports  need  to  be  made  in  English.  See http://wiki.squid-cache.org/SquidFaq/BugReporting for
       details of what you need to include with your bug report.

       Report bugs or bug fixes using http://bugs.squid-cache.org/

       Report serious security bugs to Squid Bugs <squid-bugs@squid-cache.org>

       Report ideas for new improvements to the Squid Developers mailing list <squid-dev@squid-cache.org>


SEE ALSO
       squid(8) ext_kerberos_ldap_group_acl(8)
       RFC4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows,
       RFC2478 - The Simple and Protected GSS-API Negotiation Mechanism,
       RFC1964 - The Kerberos Version 5 GSS-API Mechanism,
       The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
       The          Squid          Configuration          Manual          http://www.squid-cache.org/Doc/config/
       http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

                                                                                      negotiate_kerberos_auth(8)