Re: [SQU] NTLM in Multi domain environment

From: Craig Fels <[email protected]>
Date: Thu, 21 Sep 2000 10:12:30 -0500

thanks, and I've taken your tongue-lashing personally and will no longer use
Outlook Express send html-based email. My apologies.

good news...domain2 has a trustING relationship with domain1 and domain3.

I'll alpha test this, but it will be on small scale. Its a development
proxy server and only our IT department currently uses it. (POLITICAL THING
FOR NOW!)

Thanks again.
Craig

----- Original Message -----
From: "Chemolli Francesco (USI)" <ChemolliF@GruppoCredit.it>
To: "'Craig Fels'" <csfels@swbell.net>; <squid-users@ircache.net>
Sent: Thursday, September 21, 2000 10:06 AM
Subject: RE: [SQU] NTLM in Multi domain environment

> First a but of foreword: fscked Outlook, and curses on you for posting
> in HTML. It's a capital offense.
> Now on with you questions (but I won't go easy on you if you
> persist in your error).
>
>
> >I have been reading up on the NTLM authentication FAQ.
> >I saw that currently the development only supports one domain controller.
>
> Correct.
>
> >I am in an environment where we have one SQUID proxy serving 2
> >locations with a total of 3 domains. There are only a HANDFULL
> >of users in 2 of the domains, with 90%+ in the 3rd domain.
> >If I configure Squid to use NTLM for authentication and specify
> >the domain controller for the domain with the largest user pool,
> >what happens with the people in the other 2 domains?
>
> Depends on what version of Squid you're using, and what authenticator
> you're using, and on the trust relationships between the domains.
> If you're using the multi-domain-NTLM authentication module, you'll
> be able to do what you're asking as long as the DC you're talking to
> is in a domain trustING the domain the users belong to.
>
> >With they be blocked?
> >I understand this will be based on the order my ACL's are in,
> >but I'm asking because I have to accomplish a certain number of
things....
>
> >1) Use a proxy to cache and monitor internet access
> >2) Block inappropriate internet access using ACL's
>
> >Currently, these are working nicely...
>
> >3) authenticate using NTLM (seemless to user) and record
> >the domain\userid to access.log
>
>
> >#3 is pretty important. If I implement it with domain3's domain
> >controller and in the process block domain1 and domain2 users, this
> >implementation will be useless.
>
> No problem there. Be aware that since the squid-client auth-protocol
> is the basic protocol, users will get the popup window.
> If you don't want that, try the NTLM devel-branch out. Alpha-testers
> wanted.
>
> --
> /kinkie

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Thu Sep 21 2000 - 09:15:24 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:26 MST