
Re: Advice: ntlm_auth from samba4 or negotiate_wrapper ?





"Eugene M. Zheganin" <emz@xxxxxxxxxxxxx> wrote in message news:51E51ECA.2010508@xxxxxxxxxxxxx...
Hi.

On 15.07.2013 23:02, Michele Bergonzoni wrote:

I did a few tests with ntlm_auth from samba4, and it seems to work,
with some residual problems with Firefox and PCs not joined in the
domain, and an extra authentication popup at the beginning from IE.

I didn't get to the point of having a working negotiate_wrapper /
squid_kerb_auth config, being still confused about hostnames,
principals, redundancy, failover, ntlm fallback with winbindd.

Actually, you should implement all the schemes - NTLM/SPNEGO/Basic for
some obvious reasons:

- in a corporate environment there will definitely be machines which
switch from Negotiate to NTLM, so you have to handle both
- you can leave only NTLM (and Basic), but this becomes more and more
outdated
- there will be tons of software that can perform only basic
authentication, like various IMs and third-party software
- there will be some software that claims it's capable of NTLM but in
fact it will have only basic
- so far I'm using PAM to handle Basic auth and to reroute it back in
winbind
- squid has a bunch of great helpers that work with AD, and the most
cool and modern one is the external kerberos group helper, which
supports nested groups (thanks, Markus !)

You are welcome


I don't have digest auth in my environment, and for the past 13 years I
don't see why I should.

Eugene.

Markus




