Re: [squid-users] Advice: ntlm_auth from samba4 or negotiate_wrapper ?

From: Eugene M. Zheganin <emz_at_norma.perm.ru>
Date: Tue, 16 Jul 2013 16:22:02 +0600

Hi.

On 15.07.2013 23:02, Michele Bergonzoni wrote:
>
> I did a few tests with ntlm_auth from samba4, and it seems to work,
> with some residual problems with firefox and PCs not joined in the
> domain, and an extra authentication popup at the beginning from IE.
>
> I didn't get to the point of having a working negotiate_wrapper /
> squid_kerb_auth config, still being confused about hostnames,
> principals, redundancy, failover, ntlm fallback with winbindd.
>
Actually, you should implement all the schemes - NTLM/SPNEGO/Basic for
some obvious reasons:

- in a corporate environment there will definitely be machines which
switch from Negotiate to NTLM, so you have to handle both
- you can leave only NTLM (and Basic), but this becomes more and more
outdated
- there will be tons of software that can perform only basic
authentication, like various IMs and third-party software
- there will be some software that claims it's capable of NTLM but in
fact it will have only basic
- so far I'm using PAM to handle Basic auth and to reroute it back in
winbind
- squid has a bunch of great helpers that work with AD, and the coolest
and most modern one is the external kerberos group helper, which
supports nested groups (thanks, Markus !)

I don't have digest auth in my environment, and for the past 13 years I
haven't seen why I should.

Eugene.
Received on Tue Jul 16 2013 - 10:22:16 MDT
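A squid.conf fragment illustrating the layered setup Eugene describes (Negotiate first, NTLM as fallback, Basic last via PAM, plus the Kerberos group helper), added here as an example rather than taken from the thread; the helper paths, the proxy service principal, the realm and the AD group name are assumed placeholders.

```conf
# Added example (not from the thread): one squid.conf layout for the scheme
# set recommended above. Paths, principal, realm and group are placeholders.
# Squid offers schemes to the client in the order the auth_param blocks
# appear, so Negotiate (Kerberos) comes first and Basic comes last.

# 1. Negotiate: negotiate_wrapper tries Kerberos and falls back to NTLMSSP
#    inside SPNEGO for clients that send NTLM tokens instead of Kerberos ones.
auth_param negotiate program /usr/lib/squid/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive on

# 2. Plain NTLM for clients that switch from Negotiate to NTLM
#    (winbindd must be running and the proxy joined to the domain).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# 3. Basic for software that can only do Basic; the credentials go to PAM,
#    whose stack (pam_winbind) routes them back to winbind.
auth_param basic program /usr/lib/squid/basic_pam_auth
auth_param basic children 5
auth_param basic realm Corporate proxy
auth_param basic credentialsttl 2 hours

# Group membership via the external Kerberos/LDAP group helper
# (resolves nested groups); the group name is a placeholder.
external_acl_type ad_group ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g proxy-users@EXAMPLE.COM

acl authenticated proxy_auth REQUIRED
acl proxy_users external ad_group
http_access allow proxy_users
http_access deny all
```

Basic sends the password in the clear to the proxy, so the realm helper belongs behind TLS or on a trusted network, and its use should be limited to the legacy clients that cannot do better.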