[squid-users] Re: Advice: ntlm_auth from samba4 or negotiate_wrapper ?

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 16 Jul 2013 23:59:28 +0100

"Eugene M. Zheganin" <emz_at_norma.perm.ru> wrote in message
news:51E51ECA.2010508_at_norma.perm.ru...
> Hi.
>
> On 15.07.2013 23:02, Michele Bergonzoni wrote:
>>
>> I did a few tests with ntlm_auth from samba4, and it seems to work,
>> with some residual problems with firefox and PCs not joined in the
>> domain, and an extra authentication popup at the beginning from IE.
>>
>> I didn't get to the point of having a working negotiate_wrapper /
>> squid_kerb_auth config, being still confused about hostnames,
>> principals, redundancy, failover, ntlm fallback with winbindd.
>>
> Actually, you should implement all the schemes - NTLM/SPNEGO/Basic for
> some obvious reasons:
>
> - in a corporate environment there will definitely be machines which
> switch from Negotiate to NTLM, so you have to handle both
> - you can leave only NTLM (and Basic), but this becomes more and more
> outdated
> - there will be tons of software that can perform only basic
> authentication, like various IMs and third-party software
> - there will be some software that claims it's capable of NTLM but in
> fact it will have only basic
> - so far I'm using PAM to handle Basic auth and to reroute it back in
> winbind
> - squid has a bunch of great helpers that work with AD, and the most
> cool and modern one is the external kerberos group helper, which
> supports nested groups (thanks, Markus !)

You are welcome

>
> I don't have digest auth in my environment, and for the past 13 years I
> don't see why I should.
>
> Eugene.
>
Markus
Received on Tue Jul 16 2013 - 23:02:20 MDT
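
An added example, not part of the original thread and not code from Squid or Samba: a client that switches from Kerberos to NTLM can still send the Negotiate scheme with an NTLMSSP token inside, so the mechanism has to be read from the token bytes rather than from the scheme name. The Python sketch below classifies Proxy-Authorization values that way; the function names and the sample tokens are constructed for illustration.

```python
import base64
import binascii
from collections import Counter

NTLMSSP = b"NTLMSSP\x00"  # signature that opens every NTLM message
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify(header_value):
    """Return (scheme, mechanism) for one Proxy-Authorization value."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return (scheme, "basic")  # credentials are not decoded here
    if scheme not in ("ntlm", "negotiate"):
        return (scheme or "none", "unsupported")
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return (scheme, "malformed")
    if token.startswith(NTLMSSP) and len(token) >= 12:
        msg_type = int.from_bytes(token[8:12], "little")
        return (scheme, "ntlm-" + NTLM_TYPES.get(msg_type, "unknown"))
    # 0x60 = GSS-API initial token, 0xa1 = SPNEGO response token
    if scheme == "negotiate" and token[:1] in (b"\x60", b"\xa1"):
        return (scheme, "kerberos/spnego")
    return (scheme, "malformed")

def summarize(header_values):
    """Count mechanisms so fallback to NTLM or Basic is visible."""
    return Counter(classify(v)[1] for v in header_values)

def b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed sample tokens (truncated, not real tickets or credentials).
NTLM_TYPE1 = NTLMSSP + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2"
GSS_SPNEGO = b"\x60\x82\x01\x00\x06\x06\x2b\x06\x01\x05\x05\x02"
SAMPLES = [
    "Negotiate " + b64(GSS_SPNEGO),   # domain-joined client, Kerberos
    "Negotiate " + b64(NTLM_TYPE1),   # Negotiate that fell back to NTLM
    "NTLM " + b64(NTLM_TYPE1),        # plain NTLM scheme
    "Basic " + b64(b"user:placeholder"),
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(classify(value))
    print(dict(summarize(SAMPLES)))
```
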