Re: [squid-users] NTLM Auth without SAMBA

From: Henrik Nordstrom <[email protected]>
Date: Tue, 27 Apr 2004 23:03:00 +0200 (CEST)

On Tue, 27 Apr 2004, Flavio Borup wrote:

> I want to make Squid 2.5 (most of the time on RH9) to verifiy if the
> user was authenticated in a MS Domain

Ok.

> I have a customer with this feature, using fakeauth. In the Logs, the
> names of the users are not important, the important, is: The user must
> be an authenticated user. The Browser, also, must be configured to be
> Proxy Client.

Then you should not be using fakeauth as it is trivial for a user to fake
the login.. Any login is accepted by fakeauth, real or fake.

> How can i compile Squid to support NTLM authentication?

http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

Note: for the Samba side of things I would recommend following the
procedures on how to join NT or ADS domains as outlined in the Samba
documentation as the Samba documentation much better describes Samba
operations than what is possible in the Squid FAQ..

> Some oppinios are very differente and use differente ./configure
> parameters, as we can see here:
> Some use NTLMSSP, some uses fakeuauth, som uses both...

Neither NTLMSSP or fakeauth should be used in production.

NTLMSSP is inherently unreliable and known to fail randomly.

fakeauth is what is sounds like.. a fake authentication model in reality
little or no better than the IDENT protocol as there is no guarantee at
all that the user is who he claims.

Real authentication via Samba-3 is strongly adviced if you are looking
into NTLM authentication.

Regards
Henrik
Received on Tue Apr 27 2004 - 15:03:03 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Apr 30 2004 - 12:00:03 MDT