Hi

If I want to realise a promptless (SSO) login with squid, do I have

- to use ntlm as an auth_param? Or is plain Kerberos also possible?
- to configure the "smb.conf" and start the winbind daemon?
- to join the squid server to the AD domain? If yes, is it necessary to use winbind for this step?

Are the Kerberos tickets persistent, or do I have to renew them periodically?

While creating a keytab file, I have to enter a domain admin account. I think that this account appears in the keytab file. What happens if this account gets locked out? Is the squid access then denied?

I read a lot of documents about ntlm/kerberos. But I don't understand why I need to have winbind AND kerberos configured. A lot of examples describe the auth_param with ntlm instead of (in my opinion) with kerberos.

Can someone help me with this? Are there some other examples which describe a promptless login (SSO) with plain Kerberos?

Thanks a lot.
Regards, Tom

2010/6/25 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> Tom Tux wrote:
>>
>> Hi Jorge
>>
>> Is it possible to have ad-group-permissions with kerb_auth like I can
>> do it with ntlm_auth?
>> What are the disadvantages using ntlm_auth?
>
> * Weak security algorithms. Which can be broken in near real-time today.
> * It's officially being obsoleted by MS.
> * requires an HTTP-level handshake to setup credentials key exchange (wastes
> bandwidth and fills logs with 407 responses).
> * does not fit with HTTP/1.0
> * winbind helpers are locked during handshake and are capped at a low number
> of parallel requests being authenticated.
>
>> I don't understand exactly if it's possible or not (with kerb_auth)
>> to have an ad-group with all users who have squid-permissions. Does
>
> Users and groups work identically in Kerberos as in NTLM. Indeed the concept
> works the same in all auth protocols that consider groups.
>
>> the kerberos-authentication work without user-interaction (no prompt
>> for username/password)?
>
> The prompt is a browser feature. It only appears if the browser has no known
> credentials to pass to the proxy. Even Basic auth does not prompt if the
> browser password manager already knows the username/password to send.
>
> Kerberos is just an upgraded version of NTLM. Which has been altered to:
> * use stronger encryption algorithms
> * omit the resource-hungry challenge handshake (type 1 and 2 NTLM commands)
> The system configuration is quite different since Kerberos requires you to
> install a KeyTab which essentially contains a pre-seeded handshake response
> (type 3 NTLM command) to send with authentication credentials.
>
>> 2010/6/24 Jorge Armando Medina <jmedina@xxxxxxxxxxxxxxx>:
>>> Tom Tux wrote:
>>>> I didn't configure a kerberos helper like squid_kerb_auth. I'm just
>>>> using ntlm_auth. So why do I have this message?
>>>>
>>> If you want to use ntlm_auth (NTLMv1?) you need to change some
>>> compatibility settings in windows; especially windows vista and 7 are
>>> configured by default to only use NTLMv2 honoring kerberos. You need to
>>> edit the windows registry and change/create
>>>
>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
>>> DWORD value 1
>>>
>>> You can automate this with a logon script or with a group policy
>>> Security: LAN Manager Authentication Level
>>>
>>> Anyway, I think it is time to migrate to kerb_auth.
>>>
>>> Best regards.
>>>
>>>> 2010/6/24 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>>>>> On Wed, 23 Jun 2010 09:28:38 +0200, Tom Tux <tomtux80@xxxxxxxxx> wrote:
>>>>>> Hi
>>>>>>
>>>>>> A few days ago, I already wrote a post concerning the following
>>>>>> messages in the cache.log (squid 3.1.3):
>>>>>>
>>>>>> [2010/06/23 09:13:46, 1] libsmb/ntlmssp.c:335(ntlmssp_update)
>>>>>> got NTLMSSP command 3, expected 1
>>>>>> [2010/06/23 09:13:46, 1] libsmb/ntlmssp.c:335(ntlmssp_update)
>>>>>> got NTLMSSP command 3, expected 1
>>>>>> [2010/06/23 09:13:46, 1] libsmb/ntlmssp.c:335(ntlmssp_update)
>>>>>> got NTLMSSP command 3, expected 1
>>>>>>
>>>>>> Our authentication is ntlm-based.
>>>>>>
>>>>> http://markmail.org/message/aumkxcehqmlnuhbu?q=NTLMSSP+command+3+expected+1
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.4
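The thread asks for an example of a promptless (SSO) login with plain Kerberos and no ntlm_auth. The squid.conf fragment below is an added example for this page, not configuration posted by anyone in the thread or shipped by the Squid project. It offers only the negotiate scheme with the squid_kerb_auth helper mentioned above, so no auth_param ntlm, smb.conf or running winbind daemon is involved in the login itself. The helper path, the proxy name proxy.example.com, the realm EXAMPLE.COM and the keytab path are assumptions to be replaced with site values. The keytab holds the proxy's own HTTP service key, which the helper uses to validate the tickets browsers present; creating it (for example with msktutil) is a one-off step that needs domain credentials at creation time, and those credentials are not what ends up in the keytab.

```conf
# Added example (not from the thread): squid 3.1 squid.conf fragment for
# promptless Kerberos (Negotiate) SSO via the squid_kerb_auth helper.
# Assumed values: helper path, proxy FQDN proxy.example.com, realm
# EXAMPLE.COM, keytab /etc/squid/PROXY.keytab. Adjust to your site.
#
# The helper reads the service key for HTTP/proxy.example.com@EXAMPLE.COM
# from the keytab named by the MIT Kerberos KRB5_KTNAME variable, so set
# it in squid's start-up environment (init script or /etc/default file):
#   export KRB5_KTNAME=/etc/squid/PROXY.keytab
# Keep the keytab readable by the squid user only (mode 0400); it is a
# credential, and anyone who can read it can impersonate the proxy.

# Only the negotiate scheme is offered; no "auth_param ntlm" lines, so no
# winbind or LmCompatibilityLevel registry downgrade on clients is needed.
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Require a validated Kerberos ticket for every request.
acl kerb_auth proxy_auth REQUIRED
http_access allow kerb_auth
http_access deny all
```

Clients must reach the proxy under the exact name in the service principal (proxy.example.com, not an IP address or short name), or the browser will not have a ticket for it and will fall back to prompting. Running the helper once by hand with its -d debug flag from a shell that has KRB5_KTNAME set is the quickest way to confirm the keytab is readable and the principal name matches before restarting squid.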