Re: [squid-users] different NTLM helpers

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 03 Dec 2002 23:55:15 +0100

Ilia Chipitsine wrote:

> as described in FAQ, winbind helper can be used in both Basic and NTLM
> proxy-auth. it is also stated that Winbind itself doesn't operate well
> with samba. on the other hand, there's another helpers which supposed to
> understand NTLM. SMB, for instance.

Note: winbind is currently the most stable and efficient Windows NT
domain integration you can get for Squid, but the setup is probably also
the most complex..

> 1) are Basic-SMB and NTLM-SMB the "same" helpers as there two winbind
> helpers ? I looked through the code, they seem to be different.

No, they are entirely different. Only common factor is that both uses
the (way old) SMB protocol to talk to your NT domain.

> 2) is there a way of testing NTLM-SMB helper ?
> I tried to install it, it doesn't work. At least for me. At least with
> samba.

Testing ntlm helpers is tricky as it requires something who can speak
ntlm to the helper.. not something a human can speak. The best test is
to try to put them into use.

> 3) How much do I depend on winbind when using NTLM-SMB ?

Not at all. The ntlm-SMB helper talks direcly to some NT servers in your
network. Samba/winbind is not required at all.

> 4) is anybody using NTLM-SMB helper ??

If they are then they probably should try to use the winbind helper
instead.

The ntlm-SMB helper "ntlm_auth" has some serious performance and
stability issues, partly due to Microsoft implementation of SMB in NT
Server 4/2K/XP.. partly due to the helper doing a poor job at
implementing NTLM. Also the ntlm-SMB helper only supports MS LANMAN
challenge/responses which should not be used in a modern network due to
their low security.

Regards
Henrik
Received on Tue Dec 03 2002 - 16:10:58 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:50 MST