Re: [squid-users] squid NTLM setup question

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 21 Sep 2009 22:58:40 +1200

Andre Albsmeier wrote:
> On Mon, 21-Sep-2009 at 00:30:46 +1200, Amos Jeffries wrote:
>> Andre Albsmeier wrote:
>>> On Sun, 20-Sep-2009 at 00:29:12 +1200, Amos Jeffries wrote:
>>>> Andre Albsmeier wrote:
>>>>> On Thu, 10-Sep-2009 at 14:55:23 -0400, Navjeet wrote:
>>>>>> We have been using squid in our development environment. Squid has
>>>>>> been forwarding all the internet bound traffic to a proxy server that
>>>>>> did not need any authentication until now. But that has changed now
>>>>>> and now we have to use another proxy server that uses NTLM based
>>>>>> authentication. Now our servers in this development environment only
>>>>>> have local users (users logging in are not authenticated Windows AD).
>>>>>> Does the Squid NTLM authentication setup still work in this setup? Can
>>>>>> the NTLM setup be configured to use specified user (and password
>>>>>> hopefully encrypted ) that can be specified in some configuration
>>>>>> file. This is needed as many of our applications (Tomcat, ESB etc )
>>>>>> are headless (I mean not just a web browser) and they now need to go
>>>>>> thru this new proxy server.
>>>>> If you want something like this:
>>>>>
>>>>>         no auth        NTLM auth
>>>>> clients -------> squid ---------> NTLM based proxy ---> world
>>>>>
>>>>> I think this is not possible with squid. I worked around this
>>>>> same problem with cntlm using:
>>>>>
>>>>>         no auth        no auth        NTLM auth
>>>>> clients -------> squid -------> cntlm ---------> NTLM based proxy ---> world
>>>>>
>>>>> cntlm runs on the same machine as squid does. However, I would be
>>>>> happy if the cntlm functionality could be brought into
>>>>> squid one day...
>>>> Your wish is granted ;)
>>> Oh, that's good news, thanks!
>>>
>>>> 3.2 will have Kerberos login to cache_peer servers. The code is already
>>>> committed to the 3.HEAD alpha releases.
>>> Now I am confused: You talk about Kerberos, I thought of NTLM
>>> (NTLMv2 to be exact). In cntlm I simply enter my NTLMv2 hash
>>> and it authenticates happily to its upstream. With Kerberos,
>>> I always think about tickets, krb-servers and so on. To be
>>> honest, I have never been into Windoze's NTLM stuff a lot (I
>>> am just happy it works) neither used Kerberos until now.
>> Sorry. Mea culpa. Been looking at the back-end for too long.
>
> Never mind. Maybe one day I will hack my own NTLMv2 implementation
> into squid. Shouldn't be too hard...
>
>> Kerberos is the one Squid is getting. The old NTLM is deprecated by MS,
>> the NTLMv2 will go out with XP before Squid 3.2 is ready for use.
>
> So you think it will take 5 years until 3.2 will be ready? :-)

Shifted again has it? :) I was thinking XP is scheduled EOL for 2011
nowadays. Maybe wrong.

18 months is our ideal release timeframe. Starting last July when 3.1
was frozen.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
   Current Beta Squid 3.1.0.13
Received on Mon Sep 21 2009 - 10:58:59 MDT
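
The chain described in the quoted workaround (clients -> squid -> cntlm -> NTLM based proxy), as an added configuration sketch that is not part of the original thread and not taken from either project's documentation. File paths, port 3129, the account, domain, hash and upstream host are placeholders or assumptions.

```conf
# ---- /etc/squid/squid.conf (fragment; path is an assumption) ----
# Clients talk to squid without authentication.
http_port 3128

# Hand every request to the local cntlm instance as the only parent.
# 3129 is an assumed port; it must match "Listen" in cntlm.conf.
cache_peer 127.0.0.1 parent 3129 0 no-query no-digest default

# Never go direct: all traffic must leave via the authenticating chain.
never_direct allow all

# ---- /etc/cntlm.conf (fragment; path is an assumption) ----
# Credentials presented to the upstream NTLM proxy (placeholder values).
Username    SERVICE_ACCOUNT
Domain      EXAMPLE_DOMAIN
Auth        NTLMv2
# Hash as printed by "cntlm -H"; placeholder, not a real value.
PassNTLMv2  <NTLMV2_HASH_PLACEHOLDER>

# Upstream NTLM proxy (placeholder host and port).
Proxy       upstream-proxy.example.internal:8080

# Bind to loopback only: cntlm accepts unauthenticated requests and
# forwards them with the account above, so it must not be reachable
# from other hosts.
Listen      127.0.0.1:3129
```

The stored NTLMv2 hash is sufficient to authenticate as that account to the upstream proxy, so cntlm.conf should be readable only by the user cntlm runs as, and the account should be a dedicated low-privilege one.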
