[ Changed the subject to get down to the more basic issue ]

On Tue, 2013-12-24 at 16:20 +1300, Amos Jeffries wrote:
>
> This is not an assumption from the documentation. NTLM protocol
> *requires* a DC to operate.

TL;DR: Do Windows machines *have* to join a domain in order to use NTLM with Squid?

Perhaps I mis-stated my desires. I don't mind setting up Samba as a DC. But surely Samba users use the same password for Samba as they do for other PAM-based services (i.e. login, etc.), which here actually utilizes Kerberos for account access. Does Samba need the clear-text value of the password for creating challenges, etc., or can it leverage PAM and/or Kerberos?

But I digress. My only real hard requirement is not to require the Windows users to "join a domain" here just to use Squid. I have no desire for the network infrastructure here to be the account control for these Windows laptops, as they are not within my administrative domain. Is that impossible? I simply want users to be able to just bring their own Windows machine, use an existing PAM (Kerberos, actually) account, and just use my Negotiate-offering Squid proxy.

> Good luck. You will need to start with finding a PAM service that can
> authenticate NTLMSSP protocol. AFAIK there is no such service.

I think you are misunderstanding. What I was saying is that the NTLM authentication mechanism documentation from http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm seems to assume that one already has a separate AD domain that they can join Samba to:

    workgroup = mydomain
    password server = myPDC
    security = domain
    ...

    Join the NT domain as outlined in the winbindd man page for your version of samba.

I don't have an AD/NT domain here. Surely I can use Samba to provide NTLM authentication for Squid, using the account information on the Samba server, without having to create a whole MS-Windows-based NT domain just for Samba to join, can't I?

Is there a different NTLM example configuration for that? I don't see one that seems to cover just using Samba alone as the NTLM authentication mechanism for Squid.

> If you do manage to find one, you will have to locate or write a NTLM
> authentication helper for Squid to use it. The PAM helper provided
> with Squid only supports Basic authentication.

And TBH, I would be perfectly happy with Basic for these Windows users. Nobody is sniffing the network here. But it seems that I cannot provide Negotiate only to my Linux/Kerberos-using users and Basic to the Windows users. The Windows users also end up getting offered Negotiate, which is what opens up this whole NTLM can of worms.

Cheers,
b.
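The arrangement the message describes (Negotiate for Kerberos users, Basic via PAM for everyone else) is what a squid.conf offering both schemes looks like. This is an added example, not a configuration from this thread or from the Squid wiki; the helper paths, the HTTP/ service principal, the realm and the PAM service name are assumptions and must be adjusted. Squid advertises every configured scheme in the order the auth_param lines appear and the client chooses, which is why Negotiate is listed first and why a non-domain-joined Windows client with no Kerberos ticket may answer the Negotiate challenge with an NTLM token that a Kerberos-only helper cannot validate; whether that client then retries with Basic is up to the client, not the proxy.

```conf
# squid.conf fragment (added example; paths, principal, realm and PAM
# service name are assumptions, not values from the thread).

# Negotiate/Kerberos for clients that hold a ticket for the proxy.
# The proxy's keytab containing HTTP/proxy.example.com@EXAMPLE.COM must
# be readable by the squid process.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10 startup=2 idle=1
auth_param negotiate keep_alive on

# Basic against PAM for clients that cannot do Kerberos. basic_pam_auth
# authenticates through the PAM service named "squid", i.e. /etc/pam.d/squid
# (assumed to exist). Basic credentials are only base64-encoded, so the
# password crosses the wire effectively in clear text; restrict this to a
# network you trust or put it behind TLS.
auth_param basic program /usr/lib/squid/basic_pam_auth
auth_param basic children 5 startup=1 idle=1
auth_param basic realm Squid proxy (PAM login)
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on

# Require a successful login with either scheme before granting access.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

Because the Basic helper validates the same PAM (here Kerberos-backed) account as the Negotiate path, a Basic login exposes that account's real password to anyone who can read the proxy traffic; that is the practical cost of "perfectly happy with Basic" and worth weighing even on a network nobody is believed to be sniffing.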