Re: [squid-users] Authentication with Samba

From: Henrik Nordstrom <[email protected]>
Date: Tue, 6 Apr 2004 12:01:15 +0200 (CEST)

On Tue, 6 Apr 2004, Tilo Lutz wrote:

> I want everyone using the squid-proxy to authenticate.
> Users who are logged in from an MS-Client should not be asked
> for a password.

Then you need to join the domain and use winbind NTLM helpers..

> I think I need a NTLM-helper to authenticate.
> In several postings I found the advice to use the ntlm-client
> which is included in the samba sources. Where is it? I took a look
> at the samba-sources and didn't find it.

ntlm_auth is part of Samba-3.0, automatically installed.

> I only found examples with a real AD-Domain and winbind.

There is also plenty of examples on how to join a NT4 domain using
winbind.. found both in Samba and Squid documentation.

> Do I really have to use winbind?

Yes, if you want any kind of reliable operation.

> Can't Proxy-Server just join the NT4-style domain?

With the help of Samba yes.

> 1. join domain with proxy-server

Yes.

> 2. create and compile the ntml-helper.

Only needed if you are using Samba-2.X. If using Samba-3.0 then you
already have this installed.

> Which helper do I really need. There are many NTLM-helpers in
> squid-source
> Which part of samba source do I need.

The winbind helpers in the Squid source is only relevant for Samba-2.X
where no winbind helper is included in Samba.

For Samba-3.0 you must use the ntlm_auth helper included in Samba.

> 3. Testing NTML.
> Do I only need to pass IP-address of client and username to helper?

NTLM helpers expects NTLMSSP binary blob messages. Because of this it is
virtually impossible to test NTLM without using a NTLM aware browser
connecting to the proxy.

> 4. Configuring ACLs in squid.

Yes, as in any authentication setup. Nothing special with ntlm.

You also need to configure the ntlm scheme in Squid, specifying which NTLM
helper to use etc..

Regards
Henrik
Received on Tue Apr 06 2004 - 04:01:20 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Apr 30 2004 - 12:00:01 MDT