RE: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Samba 3.x

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 28 Sep 2005 00:56:45 +0200 (CEST)

On Wed, 28 Sep 2005, Cole wrote:

> I understand SPNEGO to be the Kerberos Authentication Method that is being built into the latest
> browsers? Like firefox and IE 5.5+?

Firefox has experimental SPNEGO support available. By default disabled
from what I have been told, but once enabled happily uses SPNEGO both to
web servers and proxies.

IE has support for SPNEGO to web servers only, not proxies. Why Microsoft
has not added SPNEGO support to proxy connections is a mystery that only
Microsoft can answer.

> The main problem stopping us from using ntlm is that we have multiple
> levels of cache. The top level cache is responsible for user auth and
> acls. According to your previous posts, this cannot be done with ntlm.

And it cannot be done with Negotiate either. Both share the same design
flaws causing breakage when run over HTTP compliant proxies.

In setups requiring NTLM or Negotiate authentication you need to run the
authentication on the leaf caches closest to the client. With a little
tinkering you can then have the login (but not password) forwarded in the
proxy chain by using the login=*:secret cache_peer option if needed but
this is extra bonus. The simpler path is to allow requests from trusted
child caches without requiring authentication again.

> That's why I was trying to use a Samba-3.x, but I used the wrong helper obviously. Is there a
> specific Samba-3.x that I would have to use here, that has SPNEGO built into it? Or are all the
> Samba-3.x SPNEGO enabled?

The exact Samba versions needed to use SPNEGO over HTTP is still a bit
uncertain. From what it looks like, Samba 4 may be required at this time, but
maybe it works in current Samba-3.3.X as well.

Regards
Henrik
Received on Tue Sep 27 2005 - 16:56:47 MDT
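As an added illustration of the two-tier layout described in the reply above (not part of the original thread), the squid.conf fragments below assume a leaf cache at 10.0.0.2 that authenticates users with Samba's ntlm_auth and forwards to a parent at parent.example.com; /usr/local/squid/libexec/check_secret is a hypothetical basic-auth helper that accepts any user name whose password equals the shared secret.

```conf
# ---- leaf cache (closest to the clients): does the NTLM handshake ----
# Samba 3.x ntlm_auth speaking the squid-2.5-ntlmssp helper protocol
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# Everything goes to the parent. login=*:secret forwards the authenticated
# user name with the fixed password "secret"; the user's real password never
# leaves this box.
cache_peer parent.example.com parent 3128 3130 no-query login=*:secret
never_direct allow all

# ---- parent cache: trusts the leaf instead of re-authenticating ----
# Option A (the simpler path): allow the leaf by source address only.
acl leaf_caches src 10.0.0.2/32
http_access allow leaf_caches
http_access deny all

# Option B (use instead of the "allow leaf_caches" line above): keep the user
# name available for the parent's ACLs and logs by checking only the shared
# secret. check_secret is a hypothetical basic helper: it reads
# "user password" lines and answers OK when password == secret, else ERR.
#auth_param basic program /usr/local/squid/libexec/check_secret
#auth_param basic children 5
#acl forwarded_users proxy_auth REQUIRED
#http_access allow leaf_caches forwarded_users
#http_access deny all
```

Whichever option is used, the parent must not require NTLM or Negotiate itself, since those handshakes bind to the TCP connection and break once an intermediate proxy is in the path.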

This archive was generated by hypermail pre-2.1.9 : Sat Oct 01 2005 - 12:00:04 MDT