Re: [squid-users] authenticate to pam's DB on squid machine with NTLM

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 24 Dec 2013 16:20:57 +1300

On 22/12/2013 7:15 p.m., Brian J. Murrell wrote:
> Per my previous message, it seems that if I want to have Negotiate
> authentication for my Linux machines (which use Kerberos in my
> network), I have to support Negotiate for the Windows machines,
> even though they don't actually use Kerberos. It seems they want
> to use NTLMSSP when they are offered Negotiate from Squid without
> Kerberos tickets.
>
> So, I don't want the Windows machines to join any AD domains
> here[1]. There are no AD domains or services for them to join one
> for. I simply want them to be able to use Squid, which seems to
> mean them using the Negotiate authentication method that Squid is
> offering them (as well as Basic but I suppose Windows is ignoring
> that one because it is a weaker protocol), which appears to mean
> they use NTLMSSP.
>
> So does anyone have a HOWTO they can point to on what I need to do
> to simply get Squid to be able to use ntlm_auth to authenticate the
> Windows users against PAM on the Squid machine?
>
> I have seen http://wiki.squid-cache.org/ConfigExamples/Authenticate
> and in particular
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm but
> that seems to assume one has an existing AD domain and PDC that
> they can point Samba on the Squid machine to using:

This is not an assumption from the documentation. NTLM protocol
*requires* a DC to operate.

NP: at this point no doubt some people will pop up saying they got it
to work without one. But that is only with NTLMv1 enabled and
performing a silent downgrade to the very old LanMan protocols which
operate like Basic auth inside the NTLMSSP wrapper.

>
> password server = myPDC
>
> in the smb.conf.
>
> But as I said above, there is no AD domain here, therefore no PDC.
> I don't really have any desire to create one, just to authenticate
> Windows Squid users. I just want to be able to authenticate the
> Windows Negotiate/NTLMSSP against the local PAM passwd service on
> the Squid machine.

Good luck. You will need to start with finding a PAM service that can
authenticate the NTLMSSP protocol. AFAIK there is no such service.

If you do manage to find one, you will have to locate or write an NTLM
authentication helper for Squid to use it. The PAM helper provided
with Squid only supports Basic authentication.

Amos
Received on Tue Dec 24 2013 - 03:21:01 MST
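For reference, the two helper setups the reply points at (Negotiate via Kerberos for the clients that hold a ticket, Basic via PAM for the local account database) look like this in squid.conf. This is an added example, not configuration from the thread or from the Squid project; the helper paths under /usr/lib/squid/ and the keytab location are assumptions that vary by distribution, and proxy.example.com and EXAMPLE.COM are placeholder names.

```conf
# Negotiate (Kerberos) for clients that present a ticket, e.g. the Linux
# machines. Assumes a keytab holding HTTP/proxy.example.com@EXAMPLE.COM
# that the Squid effective user can read (assumed path below).
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM -k /etc/squid/squid.keytab
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Basic against local PAM: the only PAM-backed helper Squid ships.
# It asks PAM for the service name "squid", so /etc/pam.d/squid must exist.
# Basic carries the password base64-encoded, so offer it only on a path you
# trust (e.g. a TLS-wrapped proxy port), never across an untrusted network.
auth_param basic program /usr/lib/squid/basic_pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Either helper satisfies the same ACL; clients pick the scheme they support.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

The matching /etc/pam.d/squid needs at least an `auth` and an `account` line, for example `auth required pam_unix.so` and `account required pam_unix.so`. With pam_unix the helper has to read /etc/shadow, which normally means running it with elevated privileges; check the basic_pam_auth manual page for your distribution before doing that. As the thread notes, a Windows client that is offered Negotiate but holds no Kerberos ticket still answers with NTLMSSP, which neither of these helpers can verify without a domain controller, so this configuration documents what the shipped helpers can do rather than making non-domain Windows clients authenticate.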