Re: [squid-users] Windows group authentication

From: Jean-Denis Girard <jd.girard_at_sysnux.pf>
Date: Tue, 01 Feb 2011 07:23:45 -1000

Hi Amos,

On 31/01/2011 14:04, Amos Jeffries wrote:
> If you can get a hold of a 3.1.10 you may enjoy it more.
> We had a small audit of the NTLM and Kerberos handling with performance
> bug fixes leading up to that release.

Ok, I'll update to 3.1.10.

> Let's get the terminology right to start with; then the answer may become
> clear to you...
>
> * Groups CANNOT be authenticated, because they do not have a password or
> key.
>
> * Users CAN be authenticated, because they do have passwords or keys.
>
> * Machines can have special user accounts with a key to identify them.
>
> * Groups have users.
>
> * Groups can only determine where a user is authorized to go or not to
> go.
>
>
> So back to your question, "what is needed to achieve Windows
> authentication".
>
> auth_param validates a user's login. REQUIRED.
> squid_kerb_auth is how to authenticate Negotiate protocol users.
> ntlm_auth from Samba is how to authenticate NTLM protocol users.
>
> NOTE: these helpers ONLY check the one protocol each and have different
> sets of auth_param which can be used simultaneously. So it is entirely up
> to you whether you use only one or both.
> I suggest using both to start with so that software which has not been
> adapted to Kerberos yet may still be able to log in via NTLM. Keep a watch
> on this, and the main administrative task later will be fixing up this NTLM
> software to use Kerberos.
>
>
> ON TOP of this user authentication you can usually retain whatever group
> authorization you had for NTLM. Kerberos is effectively NTLM v3 or v4,
> though it may require some extra parameters on the group checking helpers
> to make them accept the Kerberos username format.

Thanks for the detailed explanations!

> This is the problem. The security key passed to Squid by the client is not
> known.
>
> There are some hints here:
> http://fixunix.com/kerberos/60700-kinit-key-table-entry-not-found-while-getting-initial-credentials.html

Ok.

I'll have access to the server later this week, and try to solve my
issues with your help.

Thanks,
-- 
Jean-Denis Girard

SysNux, Linux systems in French Polynesia
http://www.sysnux.pf/ Tel: +689 50 10 40 / GSM: +689 79 75 27
Received on Tue Feb 01 2011 - 17:23:48 MST
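The three pieces Amos lists above (Negotiate login through squid_kerb_auth, NTLM login through Samba's ntlm_auth, and a group check layered on top) fit together in squid.conf as follows. This is an added editor's example, not configuration from the thread or from the Squid project; the helper paths, the proxy hostname, the realm, the group name and the choice of squid_kerb_ldap as the group helper are assumptions for a Squid 3.1.x install.

```conf
# Added example (editor's, not from the thread). Paths, hostname, realm,
# group name and the group helper are assumptions.

# 1. Negotiate (Kerberos) login via squid_kerb_auth.
#    -s names the service principal; the keytab Squid reads must hold a key
#    for exactly that principal. squid_kerb_auth locates the keytab through
#    the KRB5_KTNAME environment variable, which has to be exported in
#    Squid's start script (it is not a squid.conf directive). A keytab that
#    lacks the principal is what the linked "key table entry not found"
#    thread is about.
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# 2. NTLM login via Samba's ntlm_auth, for clients not yet able to do
#    Kerberos. Requires the proxy to be a domain member with winbindd
#    running, and the squid user to be allowed to read winbindd's
#    privileged pipe.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Both schemes are offered in the 407 challenge; browsers pick Negotiate
# when they can and fall back to NTLM. NTLM entries in access.log then
# identify the clients still to be moved to Kerberos.
acl AuthUsers proxy_auth REQUIRED

# 3. Group authorization on top of authentication (assumed helper).
#    %LOGIN hands the helper the authenticated name, which is user@REALM
#    for Negotiate logins and DOMAIN\user for NTLM logins; a helper written
#    for NTLM names may need extra options before it accepts the realm form.
external_acl_type ad_group ttl=300 negative_ttl=60 children=5 %LOGIN /usr/lib/squid3/squid_kerb_ldap -g ProxyUsers@EXAMPLE.COM
acl ProxyUsers external ad_group

# Deny before allow: the deny forces the 407 challenge for anonymous
# requests, the allow then only fires for authenticated members of the group.
http_access deny !AuthUsers
http_access allow ProxyUsers
http_access deny all
```

Check each layer separately before combining them: run the Negotiate helper by hand with `KRB5_KTNAME` set and the keytab readable by the squid user (`klist -k` on the keytab should list the `HTTP/proxy.example.com` entry), confirm `ntlm_auth --username=someuser` succeeds as the squid user, and only then enable the external ACL, since a group helper that rejects the `user@REALM` form will silently deny every Kerberos login while NTLM logins keep working.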