On Mon, 21-Sep-2009 at 00:30:46 +1200, Amos Jeffries wrote: > Andre Albsmeier wrote: > > On Sun, 20-Sep-2009 at 00:29:12 +1200, Amos Jeffries wrote: > >> Andre Albsmeier wrote: > >>> On Thu, 10-Sep-2009 at 14:55:23 -0400, Navjeet wrote: > >>>> We have been using squid in our development environment. Squid has > >>>> been forwarding all the internet bound traffic to a proxy server that > >>>> did not need any authentication until now. But that has changed now > >>>> and now we have use another proxy server that uses NTLM based > >>>> authentication. Now our servers in this development environment only > >>>> have local users (users logging in are not authenticated Windows AD). > >>>> Does the Squid NTLM authentication setup still work in this setup? Can > >>>> the NTLM setup be configured to use specified user (and password > >>>> hopefully encrypted ) that can be specified in some configuration > >>>> file. This is needed as many of our applications (Tomcat, ESB etc ) > >>>> are headless (i mean not just a web browser) and they now need to go > >>>> thru this new proxy server. > >>> If you want something like this: > >>> > >>> no auth NTLM auth > >>> clients -------> squid ---------> NTLM based proxy ---> world > >>> > >>> I think this is not possible with squid. I worked around this > >>> same problem with cntlm using: > >>> > >>> no auth no auth NTLM auth > >>> clients -------> squid -------> cntlm ---------> NTLM based proxy ---> world > >>> > >>> cntlm runs on the same machine as squid does. However, I were > >>> happy if the cntlm functionality could be brought into > >>> squid one day... > >> Your wish is granted ;) > > > > Oh, that's good news, thanks! > > > >> 3.2 will have Kerberos login to cache_peer servers. The code is already > >> committed to the 3.HEAD alpha releases. > > > > Now I am confused: You talk about Kerberos, I thought of NTLM > > (NTLMv2 to be exact). In cntlm I simply enter my NTLMv2 hash > > and it authenticates happily to its upstream. With Kerberos, > > I always think about tickets, krb-servers and so on. To be > > honest, I have never been into Windoze's NTLM stuff a lot (I > > am just happy it works) neither used Kerberos until now. > > Sorry. Mea culpa. Been looking at the back-end for too long. Nevermind. Maybe one day I will hack my own NTLMv2 implementation into squid. Shouldn't be too hard... > Kerberos is the one Squid is getting. The old NTLM is deprecated by MS, > the NTLMv2 will go out with XP before Squid 3.2 is ready for use. So you think it will take 5 years until 3.2 will be ready? :-) Thanks, -Andre -- In a world without walls and fences, who needs windows and gates?
