
Re: Windows group authentication

Hi Amos,

On 31/01/2011 14:04, Amos Jeffries wrote:
> If you can get a hold of a 3.1.10 you may enjoy it more.
> We had a small audit of the NTLM and Kerberos handling with performance
> bug fixes leading up to that release.

Ok, I'll update to 3.1.10.

> Let's get the terminology right to start with then the answer may become
> clear to you...
> 
>  * groups CANNOT be authenticated. Because they do not have a password or
> key.
> 
>  * User CAN be authenticated, because they do have password or keys.
> 
>  * machines can have special user accounts with a key to identify them.
> 
>  * groups have users.
> 
>  * groups can only determine where a user is authorized to go or not to
> go.
> 
> 
> So back to your question, "what is needed to achieve Windows
> authentication".
> 
> auth_param validates a user's login. REQUIRED.
>  squid_kerb_auth is how to authenticate Negotiate protocol users.
>  ntlm_auth from Samba is how to authenticate NTLM protocol users.
> 
> NOTE: these helpers ONLY check the one protocol each and have different
> sets of auth_param which can be used simultaneously. So it is entirely up
> to you whether you use only one or both.
>  I suggest using both to start with so that software which has not been
> adapted to Kerberos yet may still be able to login via NTLM. Keep a watch
> on this and the main administrative task later will be fixing up this NTLM
> software to use Kerberos.
> 
> 
> ON TOP of this user authentication you can usually retain whatever group
> authorization you had for NTLM.  Kerberos is effectively NTLM v3 or v4.
> Though it may require some extra parameters on the group checking helpers
> to make them accept the Kerberos username format.

Thanks for the detailed explanations!

> This is the problem. The security key passed to Squid by the client is not
> known.
> 
> There are some hints here:
> http://fixunix.com/kerberos/60700-kinit-key-table-entry-not-found-while-getting-initial-credentials.html

Ok.

I'll have access to the server later this week, and try to solve my
issues with your help.


Thanks,
- -- 
Jean-Denis Girard

SysNux                  Systèmes  Linux  en Polynésie française
http://www.sysnux.pf/   Tél: +689 50 10 40 / GSM: +689 79 75 27
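
A squid.conf layout for the setup described in the quoted reply (both authentication helpers, with group authorization layered on top), added here as an example and not part of the thread. The helper paths, the service principal, the child counts and the group name InternetUsers are assumptions to be replaced with local values.

```conf
# Added example, not from the thread. Paths, principal, child counts and
# the group name are placeholders (assumptions).

# --- Authentication: proves who the user is ---
# Schemes are offered to clients in the order they are configured here,
# so Negotiate (Kerberos) comes first and NTLM is the fallback for
# software that has not been adapted to Kerberos yet.
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# --- Authorization: decides where an authenticated user may go ---
# The group helper receives the login name (%LOGIN) that one of the
# auth_param helpers above already validated. Negotiate logins arrive
# in the Kerberos username format, so the helper must accept that form.
external_acl_type nt_group ttl=300 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl authenticated proxy_auth REQUIRED
acl internet_users external nt_group InternetUsers

# Require a valid login first, then apply the group check.
http_access deny !authenticated
http_access allow internet_users
http_access deny all
```

Watching which scheme clients actually use in the access log shows which software still falls back to NTLM.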

