Provided by: squid_3.5.12-1ubuntu7.16_amd64 bug


       negotiate_kerberos_auth - Squid kerberos based authentication helper

       Version 3.0.4sq


       negotiate_kerberos_auth  [-h]  [-d] [-i] [-r] [-s Service-Principal-Name] [-k Keytab-Name]
       [-c Replay-Cache-Directory] [-t Replay-Cache-Type]


       negotiate_kerberos_auth is an installed binary and allows Squid to authenticate users  via
       the Negotiate protocol and Kerberos.


       -h          Display the binary help and command line syntax info using stderr.

       -d          Write debug messages to stderr.

       -i          Write informational messages to stderr.

       -r          Remove realm from username before returning the username to squid.

       -s Service-Principal-name
                   Provide Service Principal Name.

       -k Keytab-Name
                   Provide Kerberos Keytab Name (Default: /etc/krb5.keytab)

       -c Replay-Cache-Directory
                   Provide Replay Cache Directory (Default: /var/tmp)

       -t Replay-Cache-Type
                   Provide Replay Cache Type (Default: dfl)


       This helper is intended to be used as an authentication helper in squid.conf.

       auth_param negotiate program /path/to/negotiate_kerberos_auth
       auth_param negotiate children 10
       auth_param negotiate keep_alive on

       NOTE: The following squid startup file modification may be required:

       Add  the following lines to the squid startup script to point squid to a keytab file which
       contains the HTTP/fqdn service principal for the default Kerberos domain. The keytab  name
       can  also  be provided by the -k <keytab name> option. The fqdn must be the proxy name set
       in IE
        or firefox. You can not use an IP address.

       KRB5_KTNAME=/etc/squid/HTTP.keytab export KRB5_KTNAME

       If you use a different Kerberos domain than the machine itself is in you can  point  squid
       to  the seperate Kerberos config file by setting the following environmnet variable in the
       startup script.

       KRB5_CONFIG=/etc/krb5-squid.conf export KRB5_CONFIG

       Kerberos can keep a replay cache to detect the reuse of  Kerberos  tickets  (usually  only
       possible  in  a  5  minute  window) . If squid is under high load with Negotiate(Kerberos)
       proxy authentication requests the replay cache checks can create high  CPU  load.  If  the
       environment  does not require high security the replay cache check can be disabled for MIT
       based Kerberos implementations by adding the below to the startup script  or  use  the  -t
       none option.


       If  negotiate_kerberos_auth  doesn't determine for some reason the right service principal
       you can provide it with -s HTTP/fqdn.

       If you serve multiple Kerberos realms add a HTTP/fqdn@REALM service principal per realm to
       the HTTP.keytab file and use the -s GSS_C_NO_NAME option with negotiate_kerberos_auth.


       This program was written by Markus Moeller <>

       This manual was written by Markus Moeller <>


        * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
        * Squid software is distributed under GPLv2+ license and includes
        * contributions from numerous individuals and organizations.
        * Please see the COPYING and CONTRIBUTORS files for details.

       This program and documentation is copyright to the authors named above.

       Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).


       Questions  on  the  usage  of  this  program  can  be sent to the Squid Users mailing list


       Bug      reports      need       to       be       made       in       English.        See  for details of what you need to include
       with your bug report.

       Report bugs or bug fixes using

       Report serious security bugs to Squid Bugs <>

       Report   ideas   for   new   improvements   to   the   Squid   Developers   mailing   list


       squid(8) ext_kerberos_ldap_group_acl(8)
       RFC4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows,
       RFC2478 - The Simple and Protected GSS-API Negotiation Mechanism,
       RFC1964 - The Kerberos Version 5 GSS-API Mechanism,
       The Squid FAQ wiki
       The       Squid      Configuration      Manual