Date:      Thu, 30 Jun 2011 10:31:54 -0700
From:      "Doug Sampson" <dougs@dawnsign.com>
To:        <freebsd-questions@freebsd.org>
Subject:   Squid with Kerberos user authentication
Message-ID:  <D358EEF1F9124D44B25B0ED225C8FDE6070C8A@hydra.dawnsign.com>

I've been running squid on a proxy server for several years and now my boss
wants usage reports organized by users' login names instead of IP
addresses. We're in an Active Directory environment and use Kerberos
authentication. I googled around and used this link:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Squid_Configuration_File

I made all the changes according to the instructions contained in the
link. I ran into a problem with setting the KRB5_KTNAME variable (as
listed in the "Squid Configuration File" section). It states as follows:

---
Add the following to the squid startup script (Make sure the keytab is
readable by the squid process owner e.g. chgrp squid
/etc/squid/HTTP.keytab; chmod g+r /etc/squid/HTTP.keytab )

 KRB5_KTNAME=/etc/squid/HTTP.keytab
 export KRB5_KTNAME
---

I'm using the csh shell and apparently the export command isn't part of
the csh shell. After some searching around, I came across this link:

http://www.cyberciti.biz/faq/freebsd-how-to-export-shell-variable/

which gives me the csh replacement for the bash export command. I tried
this:

 # setenv KRB5_KTNAME /usr/local/etc/squid/krbcron_squid.keytab

and it appears to have worked.

On top of that, the instructions require that the establishment of the
KRB5_KTNAME variable be done in the squid startup script. In the FreeBSD
OS, would that be the /usr/local/etc/rc.d/squid file? I don't see a
section for setenv in the squid.conf file.

I know I am almost there but I need a nudge here!

~Doug
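
Added example (not part of the original message or of the Squid wiki): the quoted wiki step in Bourne-shell form, for a startup script that is assumed to be run by /bin/sh rather than by the administrator's csh login shell, with a permission check on the keytab before KRB5_KTNAME is exported. The function names and the "no access for other users" check are assumptions of this example.

```shell
#!/bin/sh
# Added example: helper functions for a /bin/sh startup script.
# check_keytab and export_keytab are hypothetical names, not part of
# Squid or FreeBSD.

# check_keytab PATH
# Returns 0 if PATH is a regular file readable by the calling user and
# carrying no read or write bit for "other" (a keytab holds the service
# principal's long-term key).
#   1 = missing, 2 = not readable by this user, 3 = open to other users
check_keytab() {
    kt=$1
    if [ ! -f "$kt" ]; then
        echo "keytab not found: $kt" >&2
        return 1
    fi
    if [ ! -r "$kt" ]; then
        echo "keytab not readable by $(id -un): $kt" >&2
        return 2
    fi
    # find prints the path only when an "other" read or write bit is set.
    if [ -n "$(find "$kt" -prune \( -perm -0004 -o -perm -0002 \) 2>/dev/null)" ]; then
        echo "keytab is accessible to other users: $kt" >&2
        return 3
    fi
    return 0
}

# export_keytab PATH
# sh equivalent of csh's "setenv KRB5_KTNAME PATH"; the variable is only
# exported once the keytab passes check_keytab.
export_keytab() {
    check_keytab "$1" || return $?
    KRB5_KTNAME=$1
    export KRB5_KTNAME
}

# Usage inside a startup script, before squid is launched (path taken
# from the message above):
#   export_keytab /usr/local/etc/squid/krbcron_squid.keytab || exit 1
```

Run the check as the squid process owner, since a file that root can read may still be unreadable to that account.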


