Andre Albsmeier wrote:
> On Sun, 20-Sep-2009 at 00:29:12 +1200, Amos Jeffries wrote:
>> Andre Albsmeier wrote:
>>> On Thu, 10-Sep-2009 at 14:55:23 -0400, Navjeet wrote:
>>>> We have been using squid in our development environment. Squid has
>>>> been forwarding all the internet bound traffic to a proxy server that
>>>> did not need any authentication until now. But that has changed now
>>>> and now we have to use another proxy server that uses NTLM based
>>>> authentication. Now our servers in this development environment only
>>>> have local users (users logging in are not authenticated Windows AD).
>>>> Does the Squid NTLM authentication setup still work in this setup? Can
>>>> the NTLM setup be configured to use a specified user (and password,
>>>> hopefully encrypted) that can be specified in some configuration
>>>> file? This is needed as many of our applications (Tomcat, ESB etc.)
>>>> are headless (I mean not just a web browser) and they now need to go
>>>> through this new proxy server.
>>>
>>> If you want something like this:
>>>
>>>         no auth        NTLM auth
>>> clients -------> squid ---------> NTLM based proxy ---> world
>>>
>>> I think this is not possible with squid. I worked around this
>>> same problem with cntlm using:
>>>
>>>         no auth        no auth        NTLM auth
>>> clients -------> squid -------> cntlm ---------> NTLM based proxy ---> world
>>>
>>> cntlm runs on the same machine as squid does. However, I would be
>>> happy if the cntlm functionality could be brought into
>>> squid one day...
>>
>> Your wish is granted ;)
>
> Oh, that's good news, thanks!
>
>> 3.2 will have Kerberos login to cache_peer servers. The code is already
>> committed to the 3.HEAD alpha releases.
>
> Now I am confused: You talk about Kerberos, I thought of NTLM
> (NTLMv2 to be exact). In cntlm I simply enter my NTLMv2 hash
> and it authenticates happily to its upstream. With Kerberos,
> I always think about tickets, krb-servers and so on. To be
> honest, I have never been into Windoze's NTLM stuff a lot (I
> am just happy it works) nor used Kerberos until now.

Sorry. Mea culpa. Been looking at the back-end for too long.
Kerberos is the one Squid is getting. The old NTLM is deprecated by MS,
the NTLMv2 will go out with XP before Squid 3.2 is ready for use.

> Will there be some kind of How-To for using this new feature?

Yes, it's in the configuration manual: the login=NEGOTIATE setting for
http://www.squid-cache.org/Doc/config/cache_peer

> Thanks a lot for your great work on squid,
>
> -Andre

Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.13
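
The squid -> cntlm -> NTLM proxy chain described in the thread, as an added configuration sketch that is not taken from any participant's setup. Host names, ports, the account name and the file path are placeholders chosen for illustration.

```conf
# ---------- cntlm.conf (location is an assumption, e.g. /etc/cntlm.conf) ----------
# Placeholder service account used to authenticate to the upstream proxy.
Username    svc-proxy
Domain      EXAMPLE

# The NTLM-authenticating upstream proxy (placeholder host and port).
Proxy       upstream-proxy.example.com:8080

# Bind to loopback only: anything that can reach this port is forwarded
# upstream with the service account's identity, without authenticating.
Listen      127.0.0.1:3129

# Store the NTLMv2 hash instead of a cleartext password. Paste the value
# printed by `cntlm -H` in place of the placeholder below.
# The hash is password-equivalent for NTLMv2, so keep this file readable
# only by the cntlm user (mode 0600).
Auth        NTLMv2
PassNTLMv2  REPLACE_WITH_HASH_FROM_CNTLM_H

# ---------- squid.conf (only the lines relevant to the chain) ----------
http_port 3128

# Hand every request to the local cntlm instance; no ICP, always this parent.
cache_peer 127.0.0.1 parent 3129 0 no-query default

# Never go direct: all traffic must leave through the parent.
never_direct allow all

# Squid 3.2 and later, per the thread: authenticate to the parent with
# Kerberos directly instead of going through cntlm (replaces the
# cache_peer line above; needs a working Kerberos setup on the squid host).
# cache_peer upstream-proxy.example.com parent 8080 0 no-query default login=NEGOTIATE
```

Clients behind squid reach the upstream as the single service account, so the squid access controls (http_access) become the only per-client restriction on this path.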