Hi.

I may have gotten a few things wrong, so please let me know where my understanding is totally flawed/mis-whatever.

I understand SPNEGO to be the Kerberos Authentication Method that is being built into the latest browsers? Like Firefox and IE 5.5+?

The main problem stopping us from using NTLM is that we have multiple levels of cache. The top level cache is responsible for user auth and ACLs. According to your previous posts, this cannot be done with NTLM. What we don't want to do is send username/passwords as clear text. So that's why I've been looking into SPNEGO. But from all the mails I've read and articles I've tried to find, I think I may be a bit confused in my understanding of the protocol.

So I'm trying to use a Firefox client to auth with an AD via squid using SPNEGO as the protocol.

I read in the patch this:

+ "program" cmdline
+ Specify the command for the external SPNEGO authenticator. Such a
+ program participates in the SPNEGO exchanges between Squid and the
+ client and reads commands according to the Squid ntlmssp helper
+ protocol. See helpers/ntlm_auth/ for details. Recommended SPNEGO
+ authenticator is ntlm_auth from Samba-3.X.

That's why I was trying to use a Samba-3.x, but I used the wrong helper obviously. Is there a specific Samba-3.x that I would have to use here, that has SPNEGO built into it? Or are all the Samba-3.x SPNEGO enabled?

Anyway, if I am totally wrong somewhere, please let me know, or even just send me to read a link, so that I can understand where I'm going wrong. I don't wish to waste your time, I'm sure you are more than busy. But any information would be great.

Thanks
/Cole

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@xxxxxxxxxxxxxxx]
Sent: Tuesday, September 27, 2005 11:26 PM
To: Cole
Cc: Squid Users
Subject: Re: Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

On Tue, 27 Sep 2005, Cole wrote:

> The problem comes in that, wb_authntlm cannot contact winbindd. I get this error.
> "wb_ntlmauth[466](wb_ntlm_auth.c:414): Can't contact winbindd. Dying".

wb_ntlmauth is for Samba-2.2.X only. For Samba-3.X you should use ntlm_auth shipped with Samba.

For Negotiate support you probably will need Samba4. I do not think the required support is in Samba-3.X yet.

> If so, what is the furthest back samba-3.x that squid-2.5-StableX will work with, cause I ran into
> another problem trying to use the very latest samba 3 release from ports.

Starting with Samba-3.X there is no longer any versioning dependency between Squid and Samba.

> Which is a problem cause I am actually trying to use squid to auth using Negotiate against a Windows
> 2003 AD/KDC.

Do you have clients willing to use Negotiate in this setup? As far as I know MSIE does not support Negotiate to proxies, only web servers (including reverse proxies).

Is there any reason you do not want to use NTLM? NTLM is supported by AD unless explicitly disabled in the AD.

Regards
Henrik
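
Review bot: In the quoted "program" cmdline help text, the closing recommendation "ntlm_auth from Samba-3.X" names neither a minimum release nor the helper mode to invoke, and "See helpers/ntlm_auth/" points readers at the NTLM helpers rather than at anything SPNEGO-specific. Suggest stating which Samba release first ships an ntlm_auth that can take part in the SPNEGO exchange and giving the full command line expected here, so that an administrator does not wire an NTLM-only helper into the Negotiate scheme.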