[squid-users] Advice: ntlm_auth from samba4 or negotiate_wrapper ?

From: Michele Bergonzoni <bergonz_at_labs.it>
Date: Mon, 15 Jul 2013 19:02:06 +0200

I would like to hear your advice about kerberos auth configuration on a
new installation.

This will be an installation with two redundant Linux-based servers;
clients will be mostly Windows machines joined to Active Directory, with AD users
logged in. The main focus of the installation is authentication and
per-group or per-user policy.

I would like to keep the user experience as simple as possible, avoiding
authentication dialogs whenever possible. Basic authentication with
cleartext credentials should be avoided in this installation. NTLM
fallback is OK.

I see that for Windows AD authentication, Kerberos and Negotiate seem to
be the modern choice. My confusion begins where the Squid wiki says:

Authentication helpers which perform the grunt work:
  - ntlm_auth from Samba 4 with the --helper-protocol=gss-spnego parameter
  - negotiate_wrapper or squid_kerb_auth by Markus Moeller

I did a few tests with ntlm_auth from Samba 4, and it seems to work, with
some residual problems with Firefox and PCs not joined to the domain,
and an extra authentication popup at the beginning from IE.

I didn't get to the point of having a working negotiate_wrapper /
squid_kerb_auth config, being still confused about hostnames,
principals, redundancy, failover, and NTLM fallback with winbindd.

So before I dig into the details of what I'm seeing, I am wondering
whether one of the two alternatives has become a "de facto" standard over
the other, so that I should study and test it alone, or whether they are both
actively deployed, so that I should study and test both to see which fits
me better.

I will very much appreciate your suggestions and experiences.

Regards,
                                Bergonz

-- 
Ing. Michele Bergonzoni - Laboratori Guglielmo Marconi S.p.a.
Phone: +39-051-6781926 e-mail: bergonz_at_labs.it
alt.advanced.networks.design.configure.operate
Received on Mon Jul 15 2013 - 17:02:11 MDT
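The two helper alternatives from the wiki list, placed side by side in a squid.conf fragment with Negotiate offered first, NTLM as the fallback, and no Basic scheme configured at all so that cleartext credentials are never requested. This is an added example, not part of the original post and not Squid's, Samba's or Markus Moeller's own documentation; the helper paths, the keytab path `/etc/squid/HTTP.keytab` and the AD group name `ProxyUsers` are assumed placeholders.

```conf
# Added example (not from the original post). Helper paths, keytab path and
# group name are assumptions for illustration; adjust to the local install.

# --- Option A: ntlm_auth from Samba 4 speaks SPNEGO itself, so one helper
#     handles both Kerberos and NTLM tokens wrapped in Negotiate.
auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego
auth_param negotiate children 20
auth_param negotiate keep_alive on

# --- Option B: negotiate_wrapper hands Kerberos tokens to the Squid Kerberos
#     helper (squid_kerb_auth in older releases, negotiate_kerberos_auth in
#     Squid 3.2+) and NTLM tokens to ntlm_auth. "-s GSS_C_NO_NAME" makes the
#     Kerberos helper accept any HTTP/... principal found in the keytab, which
#     is what two redundant proxies behind one service name need.
#     Comment out Option A and uncomment this line to use it.
#auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -k /etc/squid/HTTP.keytab

# --- NTLM fallback for clients that never send Negotiate (PCs not joined to
#     the domain, browsers without SPNEGO enabled). Listed after negotiate so
#     that Negotiate is the first scheme offered in the 407 challenge.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param ntlm keep_alive on

# --- Deliberately NO "auth_param basic ..." block: Basic would send the AD
#     password in cleartext on every request.

# --- Per-group policy: resolve the authenticated login to an AD group through
#     winbindd. (ext_wbinfo_group_acl is the Squid 3.2+ name; older releases
#     ship it as wbinfo_group.pl.)
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/ext_wbinfo_group_acl
acl authenticated proxy_auth REQUIRED
acl proxy_users external ad_group ProxyUsers

# Challenge first (a denied proxy_auth ACL is what triggers the 407),
# then allow only members of the group, then deny everything else.
http_access deny !authenticated
http_access allow proxy_users
http_access deny all
```

Two practical checks before blaming either helper: the Kerberos service principal in the keytab must be `HTTP/<name>` for exactly the proxy name the browsers are configured to use (a load-balanced or DNS-alias name works as long as both servers hold that principal's key), and `klist -k /etc/squid/HTTP.keytab` on each server should list it; otherwise clients silently drop back to NTLM or show the extra popup described in the post. Squid itself never falls back from Negotiate to NTLM; the browser chooses from the schemes advertised, so the `auth_param ntlm` block is what makes the fallback possible.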
