Re: [squid-users] Squid, Samba3 and winbind with NTLM authentication

From: Kinkie <[email protected]>
Date: Fri, 26 Oct 2007 17:19:11 +0200

On 10/26/07, samer khalil <samerk1@gmail.com> wrote:
> I am using Squid, Samba3 and winbind with NTLM authentication with a
> proper configuration for samba, krb5.conf and squid.conf as follows:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> The solution works great for computers that are joined to the Active
> Directory domain; however, I have a couple of questions regarding
> clients that are NOT joined:
>
> 1- A NON-joined client using IE will have to log on using
> realm/username and passwd. Is there a way to make him authenticate
> with only his username and passwd?
> NB: It works fine with other browsers such as Firefox.

MAYBE the Winbindd default domain can help. YMMV tho. This is an
intentional design decision by Microsoft.

> 2- If you use IE with this NTLM auth (on a NON-joined PC) and select
> the 'save password' checkbox, the password gets stored in the registry
> as if it was for a network location. To delete the record you will
> have to run
> "rundll32.exe keymgr.dll, KRShowKeyMgr"
> This is causing real problems for users. Have you encountered this, and
> were you able to figure a way out?

Nope; it seems a Microsoft design misfeature tho..

-- 
    /kinkie
Received on Fri Oct 26 2007 - 09:19:14 MDT