
Re: authenticate to pam's DB on squid machine with NTLM

Hi Brian,

The user's Windows machine does not need to join the domain. When you configure Squid with negotiate and the user has Squid configured as proxy, he will get a popup into which he can type <user>@<domain>, e.g. markus@xxxxxxxxxxxxxx, plus the password. The Windows machine will use the process described here http://technet.microsoft.com/en-us/library/cc978011.aspx to determine the DC.

The most common would be via DNS, which is:

  For a DNS name, Net Logon queries DNS by using the IP/DNS-compatible Locator; that is, DsGetDcName calls DnsQuery to read the SRV records and A records from DNS after it appends an appropriate string to the front of the domain name that specifies the SRV record (see http://technet.microsoft.com/en-us/library/cc961719.aspx).

Once the Windows machine has determined the DC it will do a CLDAP query (and this is the only reason, as far as I know, why you need an AD or Samba server), and if that is successful the user will attempt to authenticate against that DC using Kerberos. In the next step the client will attempt to get a TGS for the proxy HTTP/<proxy>@<domain>. So you need to create a service principal in AD/Samba and add the key to your proxy keytab, or you need to create a trust between your AD/Samba server and your Linux KDC, which would point the Windows client to your Linux KDC for the proxy TGS.

It might sound a bit complicated, but I think it is the only option.

Kind Regards
Markus

"Brian J. Murrell" wrote in message news:1387908649.6356.40.camel@xxxxxxxxxxxxxxxxxx...

On Tue, 2013-12-24 at 13:42 +0000, Markus Moeller wrote:
Hi Brian,

Hi Markus,

   Based on my knowledge it is not possible to use negotiate ( Kerberos or
NTLM ) without AD/Samba.

Yeah, I guess I mis-represented my limitations.  I don't mind setting up
a Samba PDC if that's necessary.  Where the limitation comes in would be
in requiring the Windows users to join a domain here, just to use Squid.
I can't require (nor do I want to, TBH) the Windows users join a domain.
Their laptops should remain in purely local-authentication mode entirely
with any username/password required for Squid to come in the form of a
browser (or other application) pop-up.

Given the lack of ability to require joining a domain, I wonder how much
of a complete AD configuration I need in Samba.

I did restate this in a message I sent to the list in response to Amos'
message but it does not seem to have been posted yet.  I wonder if it's
gotten lost on the way.

So I guess the most pressing question becomes, can a Windows machine
authenticate to Squid using NTLM[SSP] without joining a domain?

Cheers,
b.
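
The server-side steps Markus outlines (DC locator record, service principal in Samba AD, key into the proxy keytab, Squid negotiate helper) written out as a shell procedure. This is an added example and not code from the thread or from the Squid or Samba projects; the domain example.com, the proxy name proxy.example.com, the account names squid-proxy and testuser, the keytab path, the squid.conf location and the helper path under /usr/lib/squid are all assumptions to substitute for your own. The cross-realm trust to a Linux KDC that Markus mentions as the alternative is not shown.

```shell
#!/bin/sh
# Added example, not from the squid-users thread. Server-side setup for
# Squid Negotiate/Kerberos against a Samba AD DC. Hostnames, realm, account
# names and paths are assumptions; replace them with your own values.

# The locator SRV record a Windows client resolves to find a DC for domain $1
# (the string DsGetDcName prepends to the domain name, per the technet page).
dc_srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# Kerberos realm the client will use: the DNS domain in upper case.
realm_for_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# The service principal the client asks a TGS for: HTTP/<proxy fqdn>@<REALM>.
spn_for_proxy() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# squid.conf lines for the Negotiate helper pinned to that SPN.
squid_negotiate_conf() {
    spn=$1
    cat <<EOF
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s $spn
auth_param negotiate children 20
auth_param negotiate keep_alive on
acl kerb_users proxy_auth REQUIRED
http_access allow kerb_users
EOF
}

# The procedure itself (steps 1-2 on the Samba DC, 3-4 on the proxy). Only
# executed when the script is invoked with "run", so the helper functions
# above can be sourced and checked without touching a real DC.
setup() {
    domain=$1 proxy_fqdn=$2
    realm=$(realm_for_domain "$domain")
    spn=$(spn_for_proxy "$proxy_fqdn" "$realm")

    # 1. Without this SRV record the Windows client never reaches the CLDAP
    #    ping, let alone Kerberos.
    dig +short SRV "$(dc_srv_name "$domain")"

    # 2. Service account, SPN (samba-tool takes it without the realm), key export.
    samba-tool user create squid-proxy --random-password
    samba-tool spn add "HTTP/$proxy_fqdn" squid-proxy
    samba-tool domain exportkeytab /tmp/PROXY.keytab --principal="HTTP/$proxy_fqdn"

    # 3. Copy the keytab to the proxy. Whoever can read it can impersonate the
    #    proxy to every client, so only the squid user may read it.
    install -o proxy -g proxy -m 0400 /tmp/PROXY.keytab /etc/squid/PROXY.keytab
    klist -k /etc/squid/PROXY.keytab   # expect HTTP/<fqdn>@<REALM> listed
    squid_negotiate_conf "$spn" >>/etc/squid/squid.conf
    # negotiate_kerberos_auth locates the keytab through KRB5_KTNAME, which must
    # be set in Squid's process environment: KRB5_KTNAME=/etc/squid/PROXY.keytab

    # 4. End-to-end check from any Kerberos client: if kvno obtains a ticket
    #    for the SPN, the Windows client's TGS request will succeed too.
    kinit "testuser@$realm" && kvno "$spn"
}

if [ "$1" = run ]; then
    setup "$2" "$3"
fi
```

Run as `sh setup-squid-kerberos.sh run example.com proxy.example.com`. The `klist -k` output should show the same key version number as `kvno` reports after the test login; a mismatch means the key was re-exported or the account password changed and the keytab on the proxy is stale.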
