RE: [squid-users] NTLM + NTLMSSP (2)

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Fri, 19 Apr 2002 12:24:08 +0200

> (Sorry for the previous post in HTML - here I use Netscape :)
>
> Hi,
>
> I am trying Squid2.5-PRE6 with NTLM authentication using the NTLMSSP
> helper. It works quite well but I have a question: is there a way to
> define which NT user account can have access to the proxy and which not?

Normal squid http_access acl's. The users are referred to as
domain\user, lower-case.

> On my production SQUID2.4 I am using smb_auth and this is possible by
> managing the NT read right on the \\netlogon\proxyauth text file.
>
> Is there a similar mechanism with NTLMSSP ?

If you mean "using user and group acl's from NT", then no.

> My other question is: I am ALSO using (on the test squid2.5) basic
> authentication after NTLM for users using an old IE version or Netscape.
> But with:
>
> auth_param ntlm program /usr/local/squid/libexec/ntlm_auth DOMAIN1/PDC1 DOMAIN2/PDC2
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> auth_param basic program /usr/local/squid/libexec/msnt_auth
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> acl domainusers proxy_auth REQUIRED
> http_access allow domainusers
> http_access deny all
>
> even when the NTLM authentication succeeds (IE 6.0), I get the
> authentication dialog box (msnt_auth) although the requested web page is
> already displayed. Is there a way to use basic/msnt_auth ONLY as a
> fall-back method if NTLM/NTLMSSP fails?

No.
They're fundamentally different, and it's the user-agent that chooses
which authentication method to use.

-- 
	/kinkie 
Received on Fri Apr 19 2002 - 04:26:10 MDT
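
The per-user restriction described in the reply above, as an added squid.conf example that is not part of the original thread: the helper line and domain names are taken from the quoted configuration, while the ACL name `proxyusers` and the accounts alice, bob and carol are constructed for illustration.

```conf
# Added example. DOMAIN1/PDC1 and DOMAIN2/PDC2 come from the quoted
# configuration; the account names below are constructed placeholders.

auth_param ntlm program /usr/local/squid/libexec/ntlm_auth DOMAIN1/PDC1 DOMAIN2/PDC2
auth_param ntlm children 5

# Before (from the quoted configuration): REQUIRED matches every account
# that authenticates successfully, so any valid NT user gets through.
#
#   acl domainusers proxy_auth REQUIRED
#   http_access allow domainusers
#   http_access deny all

# After: list the permitted accounts explicitly. As the reply states,
# NTLM users are referred to as domain\user, in lower case.
acl proxyusers proxy_auth domain1\alice domain1\bob domain2\carol

# Listed accounts are allowed; accounts that authenticate but are not
# listed do not match proxyusers and fall through to the final deny.
http_access allow proxyusers
http_access deny all
```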
