
Re: Squid-Cache-Error with NTLM: "got NTLMSSP command 3, expected 1"

Tom Tux wrote:
Hi Jorge

Is it possible to have AD group permissions with kerb_auth like I can
with ntlm_auth?
What are the disadvantages using ntlm_auth?

* Weak security algorithms, which can be broken in near real-time today.
* It's officially being obsoleted by MS.
* requires an HTTP-level handshake to setup credentials key exchange (wastes bandwidth and fills logs with 407 responses).
* does not fit with HTTP/1.0
* winbind helpers are locked during handshake and are capped at a low number of parallel requests being authenticated.


I don't understand exactly if it's possible or not (with kerb_auth)
to have an AD group with all users who have Squid permissions. Does

Users and groups work identically in Kerberos and NTLM. Indeed, the concept works the same in all auth protocols that consider groups.

the Kerberos authentication work without user interaction (no prompt
for username/password)?

The prompt is a browser feature. It only appears if the browser has no known credentials to pass to the proxy. Even Basic auth does not prompt if the browser password manager already knows the username/password to send.

Kerberos is just an upgraded version of NTLM, which has been altered to:
* use stronger encryption algorithms
* omit the resource-hungry challenge handshake (type 1 and 2 NTLM commands)

The system configuration is quite different since Kerberos requires you to install a KeyTab which essentially contains a pre-seeded handshake response (type 3 NTLM command) to send with authentication credentials.



2010/6/24 Jorge Armando Medina <jmedina@xxxxxxxxxxxxxxx>:
Tom Tux wrote:
I didn't configure a Kerberos helper like squid_kerb_auth. I'm just
using ntlm_auth. So why do I get this message?

If you want to use ntlm_auth (NTLMv1?) you need to change some
compatibility settings in Windows; especially Windows Vista and 7 are
configured by default to only use NTLMv2, honoring Kerberos. You need to
edit the Windows registry and change/create

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel

DWORD value 1

You can automate this with a logon script or with a group policy:
Security: LAN Manager Authentication Level

Anyway, I think it is time to migrate to kerb_auth.

Best regards.
2010/6/24 Amos Jeffries <squid3@xxxxxxxxxxxxx>:

On Wed, 23 Jun 2010 09:28:38 +0200, Tom Tux <tomtux80@xxxxxxxxx> wrote:

Hi

A few days ago, I already wrote a post concerning the following
messages in the cache.log (squid 3.1.3):

[2010/06/23 09:13:46,  1] libsmb/ntlmssp.c:335(ntlmssp_update)
  got NTLMSSP command 3, expected 1
[2010/06/23 09:13:46,  1] libsmb/ntlmssp.c:335(ntlmssp_update)
  got NTLMSSP command 3, expected 1
[2010/06/23 09:13:46,  1] libsmb/ntlmssp.c:335(ntlmssp_update)
  got NTLMSSP command 3, expected 1


Our authentication is NTLM-based.

http://markmail.org/message/aumkxcehqmlnuhbu?q=NTLMSSP+command+3+expected+1



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.4
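The NTLMSSP message types Amos refers to (type 1 and 2 for the challenge handshake, type 3 for the response) and the helper complaint at the top of this thread, as an added example that is not part of the thread, of Squid or of Samba: it reads the message type out of a base64 NTLM token such as a proxy sees in a Proxy-Authorization header, and flags a type 3 arriving where a type 1 was expected. The per-connection state machine is a simplified assumption of this example, and the sample tokens are constructed stubs, not valid NTLM messages.

```python
import base64
import struct

# Every NTLMSSP message starts with this 8-byte signature, followed by a
# little-endian uint32 message type: 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3


def ntlmssp_type(token_b64):
    """Return the message type of a base64 NTLM token as carried in a
    'Proxy-Authorization: NTLM <token>' header."""
    raw = base64.b64decode(token_b64, validate=True)
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP token")
    return struct.unpack_from("<I", raw, 8)[0]


def check_sequence(tokens_b64):
    """Replay the client-side tokens seen on one proxy connection and report
    every token that arrives out of order. Simplified model (an assumption of
    this example, not Samba's own state machine): the helper waits for a
    type 1, answers with a type 2 challenge, then waits for the type 3."""
    expected = NEGOTIATE
    problems = []
    for token in tokens_b64:
        got = ntlmssp_type(token)
        if got != expected:
            # Same wording as the ntlm_auth log line quoted in this thread.
            problems.append("got NTLMSSP command %d, expected %d" % (got, expected))
        # A NEGOTIATE (re)starts a handshake, so the next token must be the
        # AUTHENTICATE; anything else leaves the helper waiting for a fresh type 1.
        expected = AUTHENTICATE if got == NEGOTIATE else NEGOTIATE
    return problems


def make_token(msg_type):
    """Constructed sample token: signature + type + zero padding. It is just
    long enough to be parsed and is not a usable NTLM message."""
    body = NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 20
    return base64.b64encode(body).decode()


if __name__ == "__main__":
    t1, t3 = make_token(NEGOTIATE), make_token(AUTHENTICATE)
    print(check_sequence([t1, t3]))  # [] : complete handshake
    print(check_sequence([t3]))      # ['got NTLMSSP command 3, expected 1']
```

Feeding the tokens from one browser connection through check_sequence shows whether the client skipped the type 1 on that connection, which is the situation the quoted cache.log lines describe.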

