[squid-users] NTLM Auth without SAMBA
Flavio Borup 2004-04-29, 6:54 pm
I'm really confused, please help me.
I want to make Squid 2.5 (most of the time on RH9) verify whether the
user was authenticated in an MS Domain.
I have a customer with this feature, using fakeauth. In the logs, the
names of the users are not important; the important thing is: the user must
be an authenticated user. The browser, also, must be configured to be
a proxy client.
How can I compile Squid to support NTLM authentication?
Some opinions are very different and use different ./configure
parameters, as we can see here:
Some use NTLMSSP, some use fakeauth, some use both...
1st guy:
" I use: '--enable-ntlm-auth-helpers=NTLMSSP fakeauth no_check'
2nd guy
Here is my squid compile parameters:
--enable-ntlm-auth-helpers="fakeauth,no_check,SMB,winbind" \
3rd guy:
2. howto get NTLM authentication working
- download the source
- configure with (at a minimum) --enable-ntlm-authentication and
--enable-ntlm-auth-modules=NTLMSSP
Here is the squid.conf of a customer which successfully authenticates users
before granting internet access:
=== Sample ===
auth_param ntlm program /usr/local/squid/libexec/fakeauth_auth DOMAIN/SERVERNAME
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
acl DOM proxy_auth_regex -i DOMAIN\\
http_access allow DOM
http_access deny all
=== Sample ===
Henrik Nordstrom 2004-04-29, 6:54 pm
On Tue, 27 Apr 2004, Flavio Borup wrote:
> I want to make Squid 2.5 (most of the time on RH9) verify whether the
> user was authenticated in an MS Domain.
Ok.
> I have a customer with this feature, using fakeauth. In the logs, the
> names of the users are not important; the important thing is: the user must
> be an authenticated user. The browser, also, must be configured to be
> a proxy client.
Then you should not be using fakeauth, as it is trivial for a user to fake
the login. Any login is accepted by fakeauth, real or fake.
> How can I compile Squid to support NTLM authentication?
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
Note: for the Samba side of things I would recommend following the
procedures on how to join NT or ADS domains as outlined in the Samba
documentation, as the Samba documentation describes Samba operations
much better than what is possible in the Squid FAQ.
> Some opinions are very different and use different ./configure
> parameters, as we can see here:
> Some use NTLMSSP, some use fakeauth, some use both...
Neither NTLMSSP nor fakeauth should be used in production.
NTLMSSP is inherently unreliable and known to fail randomly.
fakeauth is what it sounds like: a fake authentication model, in reality
little or no better than the IDENT protocol, as there is no guarantee at
all that the user is who he claims.
Real authentication via Samba-3 is strongly advised if you are looking
into NTLM authentication.
Regards
Henrik
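
Added example, not part of the original thread: a small Python check that reads a squid.conf and reports whether the NTLM helper is fakeauth (which accepts any login, as the reply above points out) or Samba 3's ntlm_auth helper. The sample configs are constructed, and the /usr/bin/ntlm_auth path and the function names are assumptions.

```python
import os

# Constructed sample configs (not from a real host). FAKE_CONF mirrors the
# thread's sample; REAL_CONF uses Samba 3's ntlm_auth (path is an assumption).
FAKE_CONF = r"""
# squid.conf excerpt
auth_param ntlm program /usr/local/squid/libexec/fakeauth_auth DOMAIN/SERVERNAME
auth_param ntlm children 5
acl DOM proxy_auth_regex -i DOMAIN\\
http_access allow DOM
http_access deny all
"""

REAL_CONF = r"""
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
acl authed proxy_auth REQUIRED
http_access allow authed
http_access deny all
"""

def ntlm_helper(conf_text):
    """Return the argv of the 'auth_param ntlm program' line, or None."""
    for line in conf_text.splitlines():
        if line.strip().startswith("#"):
            continue  # squid.conf comment line
        tokens = line.split()
        if tokens[:3] == ["auth_param", "ntlm", "program"] and len(tokens) > 3:
            return tokens[3:]
    return None

def audit(conf_text):
    """Classify the NTLM helper: 'none', 'fake', 'samba' or 'review'."""
    argv = ntlm_helper(conf_text)
    if argv is None:
        return "none"
    name = os.path.basename(argv[0])
    if "fakeauth" in name:
        # fakeauth accepts any login, so a proxy_auth ACL proves nothing.
        return "fake"
    if name == "ntlm_auth" and "--helper-protocol=squid-2.5-ntlmssp" in argv[1:]:
        # Samba 3 helper: credentials are validated through winbindd.
        return "samba"
    return "review"  # unrecognised helper: inspect by hand

if __name__ == "__main__":
    for label, conf in (("fakeauth sample", FAKE_CONF), ("samba sample", REAL_CONF)):
        print(label, "->", audit(conf))
```
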