Re: [squid-users] squid NTLM setup question

From: Andre Albsmeier <Andre.Albsmeier_at_siemens.com>
Date: Mon, 21 Sep 2009 07:29:28 +0200

On Mon, 21-Sep-2009 at 00:30:46 +1200, Amos Jeffries wrote:
> Andre Albsmeier wrote:
> > On Sun, 20-Sep-2009 at 00:29:12 +1200, Amos Jeffries wrote:
> >> Andre Albsmeier wrote:
> >>> On Thu, 10-Sep-2009 at 14:55:23 -0400, Navjeet wrote:
> >>>> We have been using squid in our development environment. Squid has
> >>>> been forwarding all the internet bound traffic to a proxy server that
> >>>> did not need any authentication until now. But that has changed now
> >>>> and now we have use another proxy server that uses NTLM based
> >>>> authentication. Now our servers in this development environment only
> >>>> have local users (users logging in are not authenticated Windows AD).
> >>>> Does the Squid NTLM authentication setup still work in this setup? Can
> >>>> the NTLM setup be configured to use specified user (and password
> >>>> hopefully encrypted ) that can be specified in some configuration
> >>>> file. This is needed as many of our applications (Tomcat, ESB etc )
> >>>> are headless (i mean not just a web browser) and they now need to go
> >>>> thru this new proxy server.
> >>> If you want something like this:
> >>>
> >>>         no auth        NTLM auth
> >>> clients -------> squid ---------> NTLM based proxy ---> world
> >>>
> >>> I think this is not possible with squid. I worked around this
> >>> same problem with cntlm using:
> >>>
> >>>         no auth        no auth        NTLM auth
> >>> clients -------> squid -------> cntlm ---------> NTLM based proxy ---> world
> >>>
> >>> cntlm runs on the same machine as squid does. However, I would be
> >>> happy if the cntlm functionality could be brought into
> >>> squid one day...
> >> Your wish is granted ;)
> >
> > Oh, that's good news, thanks!
> >
> >> 3.2 will have Kerberos login to cache_peer servers. The code is already
> >> committed to the 3.HEAD alpha releases.
> >
> > Now I am confused: You talk about Kerberos, I thought of NTLM
> > (NTLMv2 to be exact). In cntlm I simply enter my NTLMv2 hash
> > and it authenticates happily to its upstream. With Kerberos,
> > I always think about tickets, krb-servers and so on. To be
> > honest, I have never been into Windoze's NTLM stuff a lot (I
> > am just happy it works) neither used Kerberos until now.
>
> Sorry. Mea culpa. Been looking at the back-end for too long.

Never mind. Maybe one day I will hack my own NTLMv2 implementation
into squid. Shouldn't be too hard...

> Kerberos is the one Squid is getting. The old NTLM is deprecated by MS,
> the NTLMv2 will go out with XP before Squid 3.2 is ready for use.

So you think it will take 5 years until 3.2 will be ready? :-)

Thanks,

        -Andre

-- 
In a world without walls and fences, who needs windows and gates?
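The squid -> cntlm -> NTLM proxy chain sketched in the thread, written out as configuration. This is an added example, not config posted by anyone in the thread: the host name upstream.example.com, the domain and user names, the port numbers and the hash value are all placeholders, and the two files are shown together in one block only for brevity. The point it illustrates is the part of the original question about not storing a plaintext password: cntlm can be fed an NTLMv2 hash instead (its -H option prints the PassLM/PassNT/PassNTLMv2 lines from an interactively entered password), and squid is forced to send everything through the local cntlm instance, which itself only accepts connections from localhost.

```conf
# ---- /etc/cntlm.conf (constructed example) ----
# Credentials used against the upstream NTLM proxy. Only the NTLMv2
# hash is stored here; no plaintext Password line. Note that the hash
# is password-equivalent for this proxy, so the file must be readable
# by the cntlm user only.
Username        proxyuser
Domain          EXAMPLE
Auth            NTLMv2
PassNTLMv2      0123456789ABCDEF0123456789ABCDEF   # placeholder, generate with: cntlm -H -d EXAMPLE -u proxyuser

# The NTLM-authenticating proxy upstream of squid (placeholder host:port).
Proxy           upstream.example.com:8080

# Accept clients on the loopback interface only; squid is the sole
# client. Gateway no additionally refuses non-local connections, so a
# host on the LAN cannot borrow these credentials through cntlm.
Listen          127.0.0.1:3127
Gateway         no

# Destinations that must not be sent to the upstream proxy at all.
NoProxy         localhost, 127.0.0.*, 10.*, 192.168.*

# ---- squid.conf fragment (constructed example) ----
# Squid listens for the unauthenticated internal clients ...
http_port 3128

# ... and hands every request to the local cntlm instance, which adds
# the NTLMv2 authentication on the way to the upstream proxy.
cache_peer 127.0.0.1 parent 3127 0 no-query default name=cntlm

# Never go direct: if cntlm is down, requests fail instead of leaking
# out to the Internet around the authenticating proxy.
never_direct allow all
```

After writing /etc/cntlm.conf, restrict its permissions (for example mode 0600, owned by the account cntlm runs as) and verify the chain from the squid host with a request through squid's port; a request sent straight to port 3127 from another host should be refused, which confirms the Listen and Gateway settings took effect.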
Received on Mon Sep 21 2009 - 05:29:33 MDT
