Re: [squid-users] squid NTLM setup question

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 21 Sep 2009 00:30:46 +1200

Andre Albsmeier wrote:
> On Sun, 20-Sep-2009 at 00:29:12 +1200, Amos Jeffries wrote:
>> Andre Albsmeier wrote:
>>> On Thu, 10-Sep-2009 at 14:55:23 -0400, Navjeet wrote:
>>>> We have been using squid in our development environment. Squid has
>>>> been forwarding all the internet bound traffic to a proxy server that
>>>> did not need any authentication until now. But that has changed now
>>>> and now we have to use another proxy server that uses NTLM based
>>>> authentication. Now our servers in this development environment only
>>>> have local users (users logging in are not authenticated Windows AD).
>>>> Does the Squid NTLM authentication setup still work in this setup? Can
>>>> the NTLM setup be configured to use a specified user (and password,
>>>> hopefully encrypted) that can be specified in some configuration
>>>> file? This is needed as many of our applications (Tomcat, ESB etc.)
>>>> are headless (I mean not just a web browser) and they now need to go
>>>> thru this new proxy server.
>>> If you want something like this:
>>>
>>>         no auth        NTLM auth
>>> clients -------> squid ---------> NTLM based proxy ---> world
>>>
>>> I think this is not possible with squid. I worked around this
>>> same problem with cntlm using:
>>>
>>>         no auth        no auth        NTLM auth
>>> clients -------> squid -------> cntlm ---------> NTLM based proxy ---> world
>>>
>>> cntlm runs on the same machine as squid does. However, I would be
>>> happy if the cntlm functionality could be brought into
>>> squid one day...
>> Your wish is granted ;)
>
> Oh, that's good news, thanks!
>
>> 3.2 will have Kerberos login to cache_peer servers. The code is already
>> committed to the 3.HEAD alpha releases.
>
> Now I am confused: You talk about Kerberos, I thought of NTLM
> (NTLMv2 to be exact). In cntlm I simply enter my NTLMv2 hash
> and it authenticates happily to its upstream. With Kerberos,
> I always think about tickets, krb-servers and so on. To be
> honest, I have never been into Windoze's NTLM stuff a lot (I
> am just happy it works) nor used Kerberos until now.

Sorry. Mea culpa. Been looking at the back-end for too long.
Kerberos is the one Squid is getting. The old NTLM is deprecated by MS;
the NTLMv2 will go out with XP before Squid 3.2 is ready for use.

>
> Will there be some kind of How-To for using this new feature?

Yes, it's in the configuration manual, under the login=NEGOTIATE setting for
http://www.squid-cache.org/Doc/config/cache_peer

>
> Thanks a lot for your great work on squid,
>
> -Andre
>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
   Current Beta Squid 3.1.0.13
Received on Sun Sep 20 2009 - 12:31:00 MDT
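
The two setups discussed in this thread, written out as configuration. This is an added example, not configuration posted by anyone in the thread; host names, ports, the account name, the domain and the client network are constructed placeholders.

```conf
# ---- /etc/cntlm.conf (option A: the cntlm workaround from the thread) ----
# All values below are constructed placeholders.
Username    svc-proxy
Domain      EXAMPLE
# Store the hash printed by `cntlm -H`, not a cleartext Password line.
# The hash is password-equivalent for NTLMv2 authentication, so keep
# this file readable only by the cntlm service account (chmod 600).
PassNTLMv2  <hash-from-cntlm-H>
Auth        NTLMv2
Proxy       upstream-proxy.example.internal:8080
# Loopback only: cntlm attaches the credentials above to any request it
# receives, so it must not be reachable from the network.
Listen      127.0.0.1:3129

# ---- squid.conf ----
http_port 3128
# Restrict who may use squid; every allowed client leaves as svc-proxy.
acl devnet src 10.0.0.0/24
http_access allow devnet
http_access deny all

# Option A: hand every request to the local cntlm instance.
cache_peer 127.0.0.1 parent 3129 0 no-query no-digest default
# Option B (Squid 3.2+, replaces the line above and cntlm entirely):
# cache_peer upstream-proxy.example.internal parent 8080 0 no-query default login=NEGOTIATE
# Never bypass the parent and try to reach origin servers directly.
never_direct allow all
```

With option B, Squid authenticates to the parent with Kerberos credentials taken from its keytab, so no password hash is stored in a configuration file. In both options the upstream proxy sees a single identity for all clients, which makes Squid's own access log the only per-client audit trail.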
