Re: [squid-users] Squid configuration for NTLM

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 03 Jun 2010 04:25:29 +0000

On Wed, 2 Jun 2010 20:56:42 -0700 (PDT), "Prashant K.S"
<ksprashant_at_yahoo.com> wrote:
> Hi Amos,
>
> One more question.
>
> My primary purpose is to test a NTLM client that I have developed against
> Linux Squid proxy.
>
> If I cannot configure squid proxy, is there any openly available squid
> proxy that uses NTLM and for which I can register myself and get a user
> name and password which I can use for authentication and test my NTLM
> client.
>
> Regards,
> Prashant

Oh, that is a different prospect.

If you are just testing that the protocol coding etc. is valid you can use
the fakeauth NTLM helper:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/LoggingOnly#NTLM_Authentication

It does NTLM challenges with random tokens and validates the client reply
blobs are self-consistent, but does not use any domain to check the coded
password/username actually match valid ones.
If the authentication blobs or connection handling are broken they will
show up with this handler.

If you need deeper checks that the username/token were being transferred
from the client to DC, then you will need a full real domain linkage setup.

Amos

>
> ----- Original Message ----
> From: Prashant K.S <ksprashant_at_yahoo.com>
> To: Amos Jeffries <squid3_at_treenet.co.nz>; squid-users_at_squid-cache.org
> Sent: Thu, 3 June, 2010 9:11:09 AM
> Subject: Re: [squid-users] Squid configuration for NTLM
>
> Hi Amos,
>
> The domain I am talking about is my office network domain and my computer
> cannot be a part of that domain. Is it possible to host myself a domain or
> be a part of some domain that is available in open (Not sure how risky is
> it).
>
> Regards,
> Prashant
>
>
>
>
> ----- Original Message ----
> From: Amos Jeffries <squid3_at_treenet.co.nz>
> To: squid-users_at_squid-cache.org
> Sent: Thu, 3 June, 2010 9:05:48 AM
> Subject: Re: [squid-users] Squid configuration for NTLM
>
> On Wed, 2 Jun 2010 20:30:51 -0700 (PDT), "Prashant K.S"
> <ksprashant_at_yahoo.com> wrote:
>> Hi Amos,
>>
>> Thanks for your reply.
>>
>> I want to correct my words. I do have access to some NT domain. But just
>> that I have the user and password to authenticate against that domain. But
>> my computer is not part of that domain. Will I be able to achieve NTLM
>> authentication with Squid using this setup? And if yes, can you please let
>> me know the configuration.
>
> Okay good.
>
> You won't be able to do it without making the proxy a machine account on
> the domain. Apparently the winbindd manual page has details on how the
> Linux machine needs to be configured into the domain.
>
> Details on the Squid and Samba setup can be found here:
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
>
> Amos
Received on Thu Jun 03 2010 - 04:25:32 MDT
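
The reply above says the fakeauth helper checks that client reply blobs are self-consistent without consulting a domain. The following is an added example, not part of the thread and not the helper's code: a Python check of that kind for a client's final NTLM message, assuming the Type 3 (AUTHENTICATE) layout from MS-NLMP with a 64-byte fixed header. The function names and the sample message are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
HEADER_LEN = 64  # assumption: client sends the session-key buffer and flags
NEGOTIATE_UNICODE = 0x00000001
# Type 3 security buffers: name -> position of the (len, maxlen, offset) triple.
TYPE3_FIELDS = {"lm_response": 12, "nt_response": 20, "domain": 28,
                "user": 36, "workstation": 44}

def read_secbuf(msg, pos, name):
    """Return the bytes a security buffer points at, rejecting out-of-range ones."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if length == 0:
        return b""
    if offset < HEADER_LEN or offset + length > len(msg):
        raise ValueError(f"{name}: buffer {offset}+{length} outside message")
    return msg[offset:offset + length]

def check_authenticate(header_value):
    """Validate a Proxy-Authorization value carrying an NTLM Type 3 message."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM credential")
    msg = base64.b64decode(blob.strip(), validate=True)
    if len(msg) < HEADER_LEN or msg[:8] != SIGNATURE:
        raise ValueError("bad signature or truncated header")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError(f"expected Type 3, got Type {msg_type}")
    (flags,) = struct.unpack_from("<I", msg, 60)
    fields = {n: read_secbuf(msg, p, n) for n, p in TYPE3_FIELDS.items()}
    # OEM code page is assumed to be cp437 when Unicode was not negotiated.
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    text = {n: fields[n].decode(codec) for n in ("domain", "user", "workstation")}
    return {**text, "nt_response_len": len(fields["nt_response"])}

def build_sample(user="tester", domain="LAB", host="WS1"):
    """Constructed Type 3 message with dummy all-zero responses (test input only)."""
    parts = [bytes(24), bytes(24), domain.encode("utf-16-le"),
             user.encode("utf-16-le"), host.encode("utf-16-le"), b""]
    header, payload, offset = b"", b"", HEADER_LEN
    for p in parts:
        header += struct.pack("<HHI", len(p), len(p), offset)
        payload += p
        offset += len(p)
    msg = SIGNATURE + struct.pack("<I", 3) + header + struct.pack("<I", NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(msg + payload).decode()
```

Like the helper described in the reply, this only checks structure; it never verifies that the response bytes match a real password.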
