
Re: authenticate to pam's DB on squid machine with NTLM


On 22/12/2013 7:15 p.m., Brian J. Murrell wrote:
> Per my previous message, it seems that if I want to have Negotiate 
> authentication for my Linux machines (which use Kerberos in my
> network), I have to support Negotiate for the Windows machines,
> even though they don't actually use Kerberos.  It seems they want
> to use NTLMSSP when they are offered Negotiate from Squid without
> Kerberos tickets.
> 
> So, I don't want the Windows machines to join any AD domains
> here[1]. There are no AD domains or services for them to join one
> for.  I simply want them to be able to use Squid, which seems to
> mean them using the Negotiate authentication method that Squid is
> offering them (as well as Basic but I suppose Windows is ignoring
> that one because it is a weaker protocol), which appears to mean
> they use NTLMSSP.
> 
> So does anyone have a HOWTO they can point to on what I need to do
> to simply get Squid to be able to use ntlm_auth to authenticate the
> Windows users against PAM on the Squid machine?
> 
> I have seen http://wiki.squid-cache.org/ConfigExamples/Authenticate
> and in particular 
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm but
> that seems to assume one has an existing AD domain and PDC that
> they can point Samba on the Squid machine to using:

This is not an assumption from the documentation. The NTLM protocol
*requires* a DC to operate.

NP: at this point no doubt some people will pop up saying they got it
to work without one. But that is only with NTLMv1 enabled and
performing a silent downgrade to the very old LanMan protocols which
operate like Basic auth inside the NTLMSSP wrapper.


> 
> password server = myPDC
> 
> in the smb.conf.
> 
> But as I said above, there is no AD domain here, therefore no PDC.
> I don't really have any desire to create one, just to authenticate
> Windows Squid users.  I just want to be able to authenticate the
> Windows Negotiate/NTLMSSP against the local PAM passwd service on
> the Squid machine.

Good luck. You will need to start with finding a PAM service that can
authenticate the NTLMSSP protocol. AFAIK there is no such service.

If you do manage to find one, you will have to locate or write an NTLM
authentication helper for Squid to use it. The PAM helper provided
with Squid only supports Basic authentication.

Amos
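The two things discussed in this reply, a Windows client answering Squid's Negotiate challenge with NTLMSSP instead of Kerberos, and the NTLMv1 downgrade that makes a DC-less setup "work", can both be checked from the Proxy-Authorization values Squid receives. The script below is an added example, not part of this thread and not Squid's or Samba's code. The NTLMSSP AUTHENTICATE layout and flag bits follow [MS-NLMP]; every sample token is constructed, and the two SPNEGO stand-ins carry only the bytes the classifier keys on rather than a full DER token.

```python
"""Added example (not from the thread or Squid): classify what a Proxy-Authorization
value really carries and flag NTLMv1 in an NTLMSSP type 3 message. Samples are constructed."""
import base64
import binascii
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER of the Kerberos mechanism OIDs found inside a SPNEGO InitialContextToken.
OID_KERBEROS_V5 = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
OID_MS_KERBEROS = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2
# NegotiateFlags bits ([MS-NLMP] 2.2.2.5).
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000


def classify_proxy_auth(header_value):
    """Return basic | ntlmssp | spnego-ntlmssp | spnego-kerberos | spnego-other | unknown."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        blob = base64.b64decode(token.strip(), validate=True)
    except (ValueError, binascii.Error):
        return "unknown"
    if blob.startswith(NTLMSSP_SIGNATURE):
        return "ntlmssp"  # raw NTLMSSP, whatever the scheme word says
    if blob[:1] != b"\x60":
        return "unknown"  # not a GSS-API InitialContextToken
    # An NTLMSSP message embedded as mechToken means the client chose NTLM under
    # "Negotiate" (the Windows-without-a-ticket case). The NTLMSSP OID alone proves
    # nothing: Kerberos clients list it in mechTypes as a fallback.
    if NTLMSSP_SIGNATURE in blob:
        return "spnego-ntlmssp"
    if OID_KERBEROS_V5 in blob or OID_MS_KERBEROS in blob:
        return "spnego-kerberos"
    return "spnego-other"


def _field(blob, off):
    """Resolve a (Len, MaxLen, Offset) descriptor at header offset `off`, bounds-checked."""
    length, _maxlen, offset = struct.unpack_from("<HHI", blob, off)
    if offset + length > len(blob):
        raise ValueError("descriptor at %d points outside the message" % off)
    return blob[offset:offset + length]


def inspect_authenticate(blob):
    """Summarise a type 3 message: a 24-byte NT response is NTLMv1, longer is NTLMv2."""
    if not blob.startswith(NTLMSSP_SIGNATURE) or len(blob) < 64:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", blob, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE (type 3) message")
    lm_resp, nt_resp = _field(blob, 12), _field(blob, 20)
    flags = struct.unpack_from("<I", blob, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    if not nt_resp:
        nt_version = "none"
    elif len(nt_resp) == 24:
        nt_version = "NTLMv1-ESS" if flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY else "NTLMv1"
    else:
        nt_version = "NTLMv2"
    return {"domain": _field(blob, 28).decode(enc), "user": _field(blob, 36).decode(enc),
            "nt_version": nt_version, "lm_response_present": any(lm_resp),
            "weak": nt_version != "NTLMv2"}  # anything short of NTLMv2 should be refused


def build_authenticate(lm_resp, nt_resp, domain, user, workstation, flags):
    """Assemble a minimal type 3 message (used here only to construct samples)."""
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    items = [lm_resp, nt_resp, domain.encode(enc), user.encode(enc),
             workstation.encode(enc), b""]  # last item: EncryptedRandomSessionKey
    fields, payload, offset = b"", b"", 64  # the fixed header is 64 bytes
    for item in items:
        fields += struct.pack("<HHI", len(item), len(item), offset)
        payload += item
        offset += len(item)
    return NTLMSSP_SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload


def audit(header_value):
    """Classify a header; for a raw NTLMSSP type 3 token also report the NTLM version."""
    kind = classify_proxy_auth(header_value)
    if kind != "ntlmssp":
        return {"kind": kind}
    blob = base64.b64decode(header_value.split(None, 1)[1])
    if len(blob) < 12 or struct.unpack_from("<I", blob, 8)[0] != 3:
        return {"kind": kind}  # type 1 or 2: nothing to grade yet
    return {"kind": kind, **inspect_authenticate(blob)}


# Constructed samples, not captured traffic.
FLAGS_V1 = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM
FLAGS_V2 = FLAGS_V1 | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
HEADER_NTLM_V1 = "NTLM " + base64.b64encode(
    build_authenticate(b"\x11" * 24, b"\x22" * 24, "WORKGROUP", "brian", "PC1", FLAGS_V1)).decode()
HEADER_NEGOTIATE_V2 = "Negotiate " + base64.b64encode(
    build_authenticate(b"\x33" * 24, b"\x44" * 16 + b"\x55" * 56, "WORKGROUP", "brian", "PC1", FLAGS_V2)).decode()
# SPNEGO stand-ins: the 0x60 tag plus the bytes the classifier keys on (not full DER).
HEADER_SPNEGO_KRB = "Negotiate " + base64.b64encode(b"\x60\x0b\x06\x09" + OID_KERBEROS_V5).decode()
HEADER_SPNEGO_NTLM = "Negotiate " + base64.b64encode(b"\x60\x28" + NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00").decode()
```

Feed `audit()` the Proxy-Authorization values taken from a packet capture of the client side of the proxy; a `"weak": True` result is a client that is still offering NTLMv1 and would be the one "working" without a DC through the downgrade described above. The grading looks only at the NT response length, so it tells NTLMv1 from NTLMv2 but cannot tell from the wire whether a 24-byte LM response was derived from the LanMan hash or is just a copy of the NT response.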