On 7/10/2014 4:39 a.m., Victor Sudakov wrote:
> Dear Francesco,
>
> I have never used the helper provided by Samba, and I am not
> willing to start using it.
>
> I don't want to install Samba on a proxy server, maintain a
> smb.conf and TDB databases there, join a domain, see hundreds of
> winbindd processes etc.

That's the price of NTLM.

>
> The ntlm_auth plugin has always been sufficient for my needs. I
> hoped it would continue to be usable, but something is broken in
> it.
>

The Squid "ntlm_auth" helper (now ntlm_smb_lm_auth) does not, and never has, performed NTLM in any way. What it does is this: http://en.wikipedia.org/wiki/LM_hash. Note how it says the protocol was obsoleted by ... *Windows 3.1*

The *Basic* authentication provided in HTTP is actually a superior form of authentication. If you convert your proxy to requesting Basic auth you will find your system just as secure as before, with a far wider range of software support and greater performance.

> I would be glad to migrate to Kerberos though, if I can only make
> browsers use it. No success so far. If anybody can help with it, I
> would greatly appreciate.

Since your environment was accepting the old versions of the ntlm_smb_lm_auth helper, I predict that most of that software will attempt to use the Negotiate/NTLM form of Negotiate authentication over HTTP. To prevent that you will have to disable NTLM use on the machine(s) you are trying to convert to Kerberos. Adding Basic as a fallback offering, you can test that Kerberos is working without cutting the service or user off completely.

Amos
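
Added example (not part of the original message, and not Squid code): a check for the Negotiate/NTLM fallback described above, classifying what a client actually put in its Proxy-Authorization header. It assumes the header values have already been captured from a packet capture or proxy debug output; the sample tokens are constructed and truncated, and the function names are hypothetical.

```python
import base64
import binascii
from collections import Counter

NTLMSSP = b"NTLMSSP\x00"                               # signature that starts every NTLM message
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos 5)
             bytes.fromhex("06092a864882f712010202"))  # 1.2.840.48018.1.2.2 (MS legacy Kerberos)


def classify(header_value):
    """Return the mechanism a Proxy-Authorization header value really carries."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("negotiate", "ntlm"):
        return "other"
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if raw.startswith(NTLMSSP):                         # bare NTLM token
        return "ntlm" if scheme == "ntlm" else "negotiate/ntlm"
    if scheme == "negotiate" and raw[:1] == b"\x60":    # GSS-API initial context token
        if NTLMSSP in raw:                              # NTLM wrapped inside SPNEGO
            return "negotiate/ntlm"
        if any(oid in raw for oid in KRB5_OIDS):
            return "negotiate/kerberos"
    return "malformed"


def summarise(headers):
    """Count mechanisms over a list of captured header values."""
    return Counter(classify(h) for h in headers)


def _hdr(scheme, raw):
    return scheme + " " + base64.b64encode(raw).decode()


# Constructed sample headers: truncated tokens, not real credentials or tickets.
SAMPLES = [
    _hdr("Negotiate", NTLMSSP + b"\x01\x00\x00\x00\x07\x82\x08\xa2"),
    _hdr("Negotiate", b"\x60\x82\x02\x00" + KRB5_OIDS[0] + b"\x01\x00" + b"\x6e" * 8),
    _hdr("Negotiate", b"\x60\x40" + bytes.fromhex("06062b0601050502")
         + b"\xa0\x36" + NTLMSSP + b"\x01\x00\x00\x00"),
    _hdr("Basic", b"user:constructed"),
]

if __name__ == "__main__":
    for mechanism, count in summarise(SAMPLES).items():
        print(mechanism, count)
```

Clients that still show up as negotiate/ntlm after the conversion are the ones where NTLM has not yet been disabled.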