Hello,

How does this login=*:secret option work? I have set up two caches and put the authentication on the bottom unit, setting a cache peer with login=*:secret (instead of PASS) and it doesn't work? Well, it all works, but with no username in the log file at the top...

Any advice?

Thanks
Dave

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@xxxxxxxxxxxxxxx]
Sent: 28 September 2005 12:57 AM
To: Cole
Cc: 'Henrik Nordstrom'; 'Squid Users'
Subject: RE: Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

On Wed, 28 Sep 2005, Cole wrote:

> I understand SPNEGO to be the Kerberos Authentication Method that is
> being built into the latest browsers? Like firefox and IE 5.5+?

Firefox has experimental SPNEGO support available. By default disabled from what I have been told, but once enabled happily uses SPNEGO both to web servers and proxies.

IE has support for SPNEGO to web servers only, not proxies. Why Microsoft has not added SPNEGO support to proxy connections is a mystery that only Microsoft can answer.

> The main problem stopping us from using ntlm is that we have multiple
> levels of cache. The top level cache is responsible for user auth and
> acls. According to your previous posts, this cannot be done with ntlm.

And it cannot be done with Negotiate either. Both share the same design flaws causing breakage when run over HTTP compliant proxies.

In setups requiring NTLM or Negotiate authentication you need to run the authentication on the leaf caches closest to the client. With a little tinkering you can then have the login (but not password) forwarded in the proxy chain by using the login=*:secret cache_peer option if needed but this is extra bonus. The simpler path is to allow requests from trusted child caches without requiring authentication again.

> That's why I was trying to use a Samba-3.x, but I used the wrong helper
> obviously. Is there a specific Samba-3.x that I would have to use
> here, that has SPNEGO built into it?
> Or are all the Samba-3.x SPNEGO enabled?

The exact Samba versions needed to use SPNEGO over HTTP is still a bit uncertain. From what it looks Samba 4 may be required at this time, but maybe it works in current Samba-3.3.X as well.

Regards
Henrik
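
Added example, not part of the thread and not Squid's own code: a minimal basic-auth helper that a parent cache could run so that logins forwarded by a child cache with login=*:secret are authenticated at the parent. The hostnames, paths, ACL names, the secret value and the helper itself are assumptions, as is the URL-escaped "user password" request line format.

```python
#!/usr/bin/env python3
"""Basic-auth helper for the parent (top) cache in a login=*:secret chain.

Assumed squid.conf lines (hostnames, paths, ACL names and the secret are
placeholders, not values from the thread):

  child:   cache_peer parent.example.net parent 3128 0 no-query default login=*:secret
  parent:  auth_param basic program /usr/local/bin/peer_auth.py
           acl children src 192.0.2.10
           acl peer_user proxy_auth REQUIRED
           http_access allow children peer_user
           http_access deny all

The "children" src ACL matters: anyone who knows the shared secret can
assert any username, so only trusted child caches may reach this helper.
"""
import hmac
import sys
from urllib.parse import unquote

SHARED_SECRET = "secret"  # placeholder; must match the child's login=*:<value>


def check_line(line, secret=SHARED_SECRET):
    """Return "OK" or "ERR" for one request line of the form "<user> <password>".

    Assumption: Squid URL-escapes both fields, so decode before comparing.
    """
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2:
        return "ERR"
    user, password = unquote(parts[0]), unquote(parts[1])
    if not user:
        return "ERR"
    # Constant-time comparison of the forwarded fixed password.
    if hmac.compare_digest(password.encode(), secret.encode()):
        return "OK"
    return "ERR"


def main():
    # Squid keeps the helper running and expects one reply per request line.
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```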