Commit 49eda42

doc: delete ntlm_program_helper config directive
Addendum to f03b90d.
1 parent e3521f0 commit 49eda42

1 file changed

+10
-17
lines changed

doc/http.8gx

Lines changed: 10 additions & 17 deletions
@@ -112,6 +112,16 @@ Negotiate-SPNEGO headers are presented. The value is rudimentarily tokenized at
112112
whitespaces, and no special characters may be used. If necessary, write your
113113
own wrapper. The special value "internal-gss" uses libgssapi directly.
114114
.br
115+
Negotiate was meant to carry GSS-API auth data (appearing as "Authorization:
116+
Negotiate YII..." in HTTP protocol dumps). NTLM can be wrapped in SPNEGO (also
117+
shows up as "YII"), but a handful of clients may also send raw NTLM tokens
118+
(appearing as "Authorization: Negotiate TlRMTVNT..."). Whether raw NTLM tokens
119+
are accepted by internal-gss depends on your GSS library and, more broadly,
120+
your Kerberos setup. Otherwise, you may need to use a helper program like the
121+
one from Squid. internal-gss also does not offer a way to specify a separate
122+
keytab or replay cache parameters, so use Squid's helper if you need such
123+
parameters.
124+
.br
115125
Default: \fIinternal\-gss\fP
116126
.br
117127
Example: \fI/usr/lib/squid/negotiate_wrapper_auth \-\-ntlm /usr/bin/ntlm_auth
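Review bot: The sentence "Otherwise, you may need to use a helper program like the one from Squid" in the added paragraph does not say what "otherwise" refers to or which helper is meant. State the condition explicitly (internal-gss not accepting the raw "TlRMTVNT..." tokens) and name the helper, since the Example line right below already uses negotiate_wrapper_auth. The following sentence about keytab and replay cache parameters has the same gap: "Squid's helper" should be tied to a concrete program name so an admin who needs a separate keytab knows what to configure.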
@@ -250,23 +260,6 @@ all RPCs. Note the daemon log level needs to be "debug" (6), too.
250260
.br
251261
Default: \fI0\fP
252262
.TP
253-
\fBntlmssp_program\fP
254-
The helper program to use for authenticating HTTP requests when NTLM or
255-
Negotiate-NTLM (but not Negotiate-SPNEGO-NTLM) headers are presented. The value
256-
is rudimentarily tokenized at whitespaces, so no special characters may be
257-
used. If necessary, write your own wrapper.
258-
.br
259-
Negotiate was meant to carry GSS-API auth data ("Authorization: Negotiate
260-
YII..."). NTLM can be wrapped in SPNEGO (also "YII"), but a handful of clients
261-
may also send raw NTLM tokens (appearing as "Authorization: Negotiate
262-
TlRMTVNT...").
263-
.br
264-
Default: \fI/usr/bin/ntlm_auth \-\-helper\-protocol=squid\-2.5\-ntlmssp\fP
265-
.br
266-
Example: \fI/usr/lib/squid/negotiate_wrapper_auth \-\-ntlm /usr/bin/ntlm_auth
267-
\-\-helper\-protocol=squid\-2.5\-ntlmssp \-\-kerberos
268-
/usr/lib/squid/negotiate_kerberos_auth \-s GSS_C_NO_NAME\fP
269-
.TP
270263
\fBrequest_max_mem\fP
271264
The maximum hint size for fragmented RPC PDU requests that will be allowed
272265
(C706 §12.6.3.7, MS-RPCE v33 §2.2.2.6).
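Review bot: The removed \fBntlmssp_program\fP entry covered "NTLM or Negotiate-NTLM (but not Negotiate-SPNEGO-NTLM) headers", but the replacement text in the first hunk only discusses "Authorization: Negotiate" tokens, so after this removal the page no longer says what happens to requests carrying a plain NTLM header. Add a sentence stating whether that scheme is still accepted and through which directive. The entry is also dropped without a removal note, so a configuration that still sets ntlmssp_program gets no pointer from the man page; a one-line remark in the surviving directive's text would cover that. Separately, the commit subject says ntlm_program_helper while the directive removed here is named ntlmssp_program, which makes the change harder to find by searching the history.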
