Hi Brian,
I forgot to say that I have not tested the case where there is a trust
between the AD/Samba server and the Linux kdc. I have tested the other case
though.
Markus
"Markus Moeller" wrote in message news:l9co5k$672$1@xxxxxxxxxxxxx...
Hi Brian,
The users Windows machine does not require to join the domain. When
you configure Squid with negotiate and the user has squid as proxy
configured he will get a popup into which he can type <user>@<domain> e.g.
markus@xxxxxxxxxxxxxx plus the password. The Windows machine will use a
process described here
http://technet.microsoft.com/en-us/library/cc978011.aspx to determine the
DC.
The most commeon would be via DNS which is
◦For a DNS name, Net Logon queries DNS by using the IP/DNS-compatible
Locator — that is, DsGetDcName calls DnsQuery to read the SRV records and A
records from DNS after it appends an appropriate string to the front of the
domain name that specifies the SRV record (see
http://technet.microsoft.com/en-us/library/cc961719.aspx).
Once the windows machine has determined the DC it will do a cldap query(and
this is the only reason as far as I know why you need an AD or Samba server)
and if that is successful the user will attempt to authenticate against that
DC using Kerberos. In the next step the client will attempt to get a TGS
for the proxy HTTP/<proxy>@<domain>. So you need to create a service
principal in AD/Samba and add the key to your proxy keytab or you need to
create a trust between you AD/Samba server and you Linux kdc which would
point the windows client to your Linuc kdc for the proxy TGS.
It might sound a bit complicated but I think it is the only option.
Kind Regards
Markus
"Brian J. Murrell" wrote in message
news:1387908649.6356.40.camel@xxxxxxxxxxxxxxxxxx...
On Tue, 2013-12-24 at 13:42 +0000, Markus Moeller wrote:
Hi Brian,
Hi Markus,
Based on my knowledge it is not possible to use negotiate ( Kerberos or
NTLM ) without AD/Samba.
Yeah, I guess I mis-represented my limitations. I don't mind setting up
a Samba PDC if that's necessary. Where the limitation comes in would be
in requiring the Windows users to join a domain here, just to use Squid.
I can't require (nor do I want to, TBH) the Windows users join a domain.
Their laptops should remain in purely local-authentication mode entirely
with any username/password required for Squid to come in the form of a
browser (or other application) pop-up.
Given the lack of ability to require joining a domin, I wonder how much
of a complete AD configuration I need in Samba.
I did restate this in a message I sent to the list in response to Amos'
message but it does not seem to have been posted yet. I wonder if it's
gotten lost on the way.
So I guess the most pressing question becomes, can a Windows machine
authenticate to Squid using NTLM[SSP] without joining a domain?
Cheers,
b.
