Amos Jeffries wrote:
> >>>
> >>> I have never used the helper provided by Samba, and I am not
> >>> willing to start using it.
> >>>
> >>> I don't want to install Samba on a proxy server, maintain a
> >>> smb.conf and TDB databases there, join a domain, see hundreds
> >>> of winbindd processes etc.
> >>
> >> That's the price of NTLM.
> >
> > This price is too high for my objectives.
> >
> >>> The ntlm_auth plugin has always been sufficient for my needs.
> >>> I hoped it would continue to be usable, but something is broken
> >>> in it.
> >>
> >> The Squid "ntlm_auth" helper (now ntlm_smb_lm_auth) does not,
> >> and never has, performed NTLM in any way.
> >>
> >> What it does is this http://en.wikipedia.org/wiki/LM_hash.
> >
> > I am perfectly aware of that. The problem is that this LM
> > authentication did work with the squid27 ntlm_auth helper and does
> > not work with the squid34 newer ntlm_smb_lm_auth helper. There was
> > no need to break what was working.
>
> SMB LM supports both ASCII and UNICODE. Each packet is explicitly
> flagged as one or other. Apparently your client software wants to
> authenticate using a character 171 out of an array of length 127.

Apparently so, but as I said, the very same client software does work
with the old "ntlm_auth" helper and does not work with the new
ntlm_smb_lm_auth one. That's why I am saying that the problem is on the
authenticator side and not on the client side.

> >> The *Basic* authentication provided in HTTP is actually a
> >> superior form of authentication. If you convert your proxy to
> >> requesting Basic auth you will find your
> >
> > I am afraid you are mistaken. If I convert my proxy to Basic, it
> > will start asking users for their login/password for proxy access,
> > instead of authenticating them transparently with their Windows
> > credentials.
>
> That is a limitation of your software. Basic itself is superior to SMB
> LM.

I am not so sure about it. In Basic, you just base64 decode the relevant
HTTP header to obtain a plain text password. In LM, it is a bit more
difficult.

> You are just given no access to use it for SSO by the tools
> currently in use.

All right, what tools are there for proxy SSO with Windows credentials?
Please specify.

[dd]

I will reply to the rest of the mail after I experiment if disabling LM
actually does enable Negotiate/Kerberos.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@xxxxxxxxxxxxxxxx
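
Two points from the exchange above can be checked on a captured Proxy-Authorization value: a Basic token is only base64-encoded credentials, and an NTLMSSP message carries flags stating whether its strings are Unicode or OEM. The following is an added example, not part of the original message or of Squid's code; the function names and sample values are constructed for illustration, and the flag offsets assume the standard NTLMSSP message layout.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}   # NegotiateFlags offset per message type
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_OEM = 0x00000002


def inspect_proxy_auth(value):
    """Report what a Proxy-Authorization header value exposes on the wire."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return {"scheme": scheme, "error": "invalid base64"}
    if scheme == "basic":
        # Basic carries user:password merely base64-encoded, not hashed.
        user, sep, password = raw.decode("utf-8", "replace").partition(":")
        return {"scheme": scheme, "user": user,
                "password_recoverable": bool(sep) and bool(password)}
    if scheme == "ntlm" and raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        offset = FLAGS_OFFSET.get(msg_type)
        if offset is None or len(raw) < offset + 4:
            return {"scheme": scheme, "ntlm_type": msg_type, "error": "no flags"}
        (flags,) = struct.unpack_from("<I", raw, offset)
        return {"scheme": scheme, "ntlm_type": msg_type,
                "unicode": bool(flags & NEGOTIATE_UNICODE),
                "oem": bool(flags & NEGOTIATE_OEM)}
    return {"scheme": scheme, "error": "unrecognised token"}


def sample_headers():
    """Constructed sample values; no real credentials or captures."""
    basic = "Basic " + base64.b64encode(b"alice:example-password").decode()
    # Type 1 (negotiate) message whose flags offer OEM strings only.
    type1 = NTLMSSP_SIG + struct.pack("<II", 1, NEGOTIATE_OEM)
    ntlm = "NTLM " + base64.b64encode(type1).decode()
    return basic, ntlm


if __name__ == "__main__":
    for header in sample_headers():
        print(inspect_proxy_auth(header))
```

Either scheme over plain HTTP leaves the token readable to anyone on the path, so a proxy log or capture reviewed with this check should be treated as containing credentials material.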