On Wed, 28 Sep 2005, Cole wrote:
> I understand SPNEGO to be the Kerberos Authentication Method that is being built into the latest browsers? Like Firefox and IE 5.5+?

Firefox has experimental SPNEGO support available. By default disabled from what I have been told, but once enabled happily uses SPNEGO both to web servers and proxies.
IE has support for SPNEGO to web servers only, not proxies. Why Microsoft has not added SPNEGO support to proxy connections is a mystery that only Microsoft can answer.

> The main problem stopping us from using ntlm is that we have multiple levels of cache. The top level cache is responsible for user auth and acls. According to your previous posts, this cannot be done with ntlm.

And it cannot be done with Negotiate either. Both share the same design flaws causing breakage when run over HTTP compliant proxies.
In setups requiring NTLM or Negotiate authentication you need to run the authentication on the leaf caches closest to the client. With a little tinkering you can then have the login (but not password) forwarded in the proxy chain by using the login=*:secret cache_peer option if needed, but this is an extra bonus. The simpler path is to allow requests from trusted child caches without requiring authentication again.

> That's why I was trying to use a Samba-3.x, but I used the wrong helper obviously. Is there a specific Samba-3.x that I would have to use here, that has SPNEGO built into it? Or are all the Samba-3.x SPNEGO enabled?

The exact Samba versions needed to use SPNEGO over HTTP is still a bit uncertain. From what it looks Samba 4 may be required at this time, but maybe it works in current Samba-3.3.X as well.
Regards Henrik
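
An added configuration sketch of the layout described in the reply above (NTLM terminated on the leaf cache, parent trusting its children). It is not part of the original message or taken from the Squid project. The host name, addresses, helper path and the CHANGE-ME password are placeholders chosen for illustration.

```conf
# ---- Leaf cache (closest to the clients): squid.conf ----
# NTLM authenticates the client's TCP connection, so the handshake
# has to terminate on the proxy the browser talks to directly.
# Helper path is an assumption; ntlm_auth is the Samba 3 helper.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# Send everything to the parent. login=*:<password> forwards the
# authenticated user name upstream as Basic proxy credentials with a
# fixed password in place of the user's own.
# parent.example.net and CHANGE-ME are placeholders.
cache_peer parent.example.net parent 3128 0 no-query default login=*:CHANGE-ME
never_direct allow all

# ---- Top-level cache: squid.conf ----
# The simpler path: accept requests from the trusted leaf caches by
# source address and do not ask for authentication again.
# 192.0.2.10 and 192.0.2.11 are placeholder leaf addresses.
acl child_caches src 192.0.2.10 192.0.2.11
http_access allow child_caches
http_access deny all
```

Because the parent trusts the leaf caches by source address alone, its listening port should be reachable only from those leaf addresses.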