Hi.

On 15.07.2013 23:02, Michele Bergonzoni wrote:
>
> I did a few tests with ntlm_auth from samba4, and it seems to work,
> with some residual problems with Firefox and PCs not joined in the
> domain, and an extra authentication popup at the beginning from IE.
>
> I didn't get to the point of having a working negotiate_wrapper /
> squid_kerb_auth config, being still confused about hostnames,
> principals, redundancy, failover, ntlm fallback with winbindd.
>

Actually, you should implement all the schemes - NTLM/SPNEGO/Basic for some obvious reasons:

- in a corporate environment there will definitely be machines which switch from Negotiate to NTLM, so you have to handle both
- you can leave only NTLM (and Basic), but this becomes more and more outdated
- there will be tons of software that can perform only basic authentication, like various IMs and third-party software
- there will be some software that claims it's capable of NTLM but in fact it will have only basic
- so far I'm using PAM to handle Basic auth and to reroute it back in winbind
- Squid has a bunch of great helpers that work with AD, and the most cool and modern one is the external kerberos group helper, which supports nested groups (thanks, Markus!)

I don't have digest auth in my environment, and for the past 13 years I don't see why I should.

Eugene.
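
The three-scheme stack described in the message above, written out as an added squid.conf example that is not part of the original thread or of anyone's production config. It assumes the Squid 3.2+ helper names (negotiate_wrapper_auth, negotiate_kerberos_auth, basic_pam_auth, ext_kerberos_ldap_group_acl); the helper paths, child counts, the principal HTTP/proxy.example.com@EXAMPLE.COM and the group ProxyUsers@EXAMPLE.COM are placeholders.

```conf
# Added example. Paths, principal, realm and group name are assumptions.
# Schemes are offered to the client in the order they are configured here,
# so list the strongest first.

# 1. Negotiate (SPNEGO). The wrapper inspects each token and hands Kerberos
#    tokens to the Kerberos helper and NTLM-in-Negotiate tokens to ntlm_auth,
#    which covers machines that fall back from Kerberos to NTLM.
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20
auth_param negotiate keep_alive on

# 2. Plain NTLM for clients that never offer Negotiate. ntlm_auth talks to
#    winbindd, so the proxy host must be joined to the domain.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param ntlm keep_alive off

# 3. Basic for software that can do nothing else. basic_pam_auth uses the PAM
#    service "squid" by default; a stack such as
#        auth    required pam_winbind.so
#        account required pam_winbind.so
#    in /etc/pam.d/squid routes the check back to winbind.
#    Basic credentials cross the client-to-proxy hop base64-encoded, not
#    encrypted, so keep the cache TTL short and the realm text unambiguous.
auth_param basic program /usr/lib/squid/basic_pam_auth
auth_param basic children 5
auth_param basic realm Corporate proxy
auth_param basic credentialsttl 15 minutes

# Group authorization through the Kerberos LDAP group helper, which resolves
# nested AD groups.
external_acl_type ad_group ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g ProxyUsers@EXAMPLE.COM

acl authenticated proxy_auth REQUIRED
acl proxy_users external ad_group

# Challenge unauthenticated requests, then allow only group members.
http_access deny !authenticated
http_access allow proxy_users
http_access deny all
```

On Squid 3.1 the same helpers ship under the older names used in the quoted message (negotiate_wrapper, squid_kerb_auth).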