Search squid archive

Re: NTLM authentication testing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

At 16:36 19/02/2008, Richard Wall wrote:

Guido,

Yep, I've looked at it, but have not completely absorbed it yet :)

But you should, probably it's the better NTLM explanation on the net ... :-)

>  Another question, what type of NTLM authentication is supported by curl ?
>  Lan manager/NTLMv1 or full NTLMv2 ? (See the previous link for details)

I'm not sure, but in full debug mode, curl will show the various
headers it exchanges with the server.
It seems to correspond to:
 * http://devel.squid-cache.org/ntlm/client_proxy_protocol.html

...but of course we're starting at point 4 which means that in real
life, there'd be even more squid requests I guess.

Likely should be NTLMv1, NTLMv2 requires client and server mutual authentication provided by Domain Controllers.


Doesn't the --helper-protocol=squid-2.5-ntlmssp in squid.conf
determine that NLTMv2 will be used? Looking at the man page for
ntlm_auth suggests that lanman auth would require different
parameters:

 * http://us1.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html

No, this ALLOW the support for the NTLM NEGOTIATE packet needed for NTLMv2, but the NTLM version is always negotiated between winbindd and the browser.

This may seem like a stupid question, and my vague understanding of
kerberos may be way off, but aren't there better alternatives to NTLM
proxy auth if you're authenticating only against Active Directory
servers?

Doesn't Kerberos provide a time limited token to the authenticated
windows domain client that can be passed to other machines in the
domain as proof that the client is authenticated; and which can be
used to lookup what services the client has acces to.

In a perfect world shouldn't Internet Explorer just pass this token
along with all requests to other machines in the same domain.

Negotiate it's the future: it's Kerberos based and the packet exchange is shorter than NTLM (but packets are larger). The only drawback is that Samba 3 doesn't support it .....

Other limit is that you need at least Internet Explorer 7 or Firexox 1.5.

It's very easy to use running Squid on Windows with native helpers, or you can try the new squid_kerb_auth helper:
http://www.squid-cache.org/mail-archive/squid-users/200801/0257.html

My aims are:
* to have a proxy that is only available to authenticated windows domain users.
 * that Internet Explorer should not prompt the user for their
username and password if they have already logged onto the domain.
* that squid should be able to record usernames alongside requests in its logs.
 * That dans guardian should be able to identify the username of the client.

Is there some way I can get all this without paying the penalty of NTLM auth?

Sure, negotiate.

Regards

Guido



-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1           10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.serassio@xxxxxxxxxxxxxxxxx
WWW: http://www.acmeconsulting.it/


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux