Per my previous message, it seems that if I want to have Negotiate
authentication for my Linux machines (which use Kerberos in my network),
I have to support Negotiate for the Windows machines, even though they
don't actually use Kerberos. It seems they want to use NTLMSSP when
they are offered Negotiate from Squid without Kerberos tickets.

So, I don't want the Windows machines to join any AD domains here[1].
There are no AD domains or services for them to join one for. I simply
want them to be able to use Squid, which seems to mean them using the
Negotiate authentication method that Squid is offering them (as well as
Basic but I suppose Windows is ignoring that one because it is a weaker
protocol), which appears to mean they use NTLMSSP.

So does anyone have a HOWTO they can point to on what I need to do to
simply get Squid to be able to use ntlm_auth to authenticate the Windows
users against PAM on the Squid machine?

I have seen http://wiki.squid-cache.org/ConfigExamples/Authenticate and
in particular
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm but that
seems to assume one has an existing AD domain and PDC that they can
point Samba on the Squid machine to using:

    password server = myPDC

in the smb.conf.

But as I said above, there is no AD domain here, therefore no PDC. I
don't really have any desire to create one, just to authenticate Windows
Squid users. I just want to be able to authenticate the Windows
Negotiate/NTLMSSP against the local PAM passwd service on the Squid
machine.

I'm using Squid

Cheers,
b.

[1] These Windows users are not really members of my network but
"guests" being given access to our Squid. It's not really
reasonable to ask them to reconfigure their machines to be domain
clients for an AD domain here.
This archive was generated by hypermail 2.2.0 : Wed Dec 25 2013 - 12:00:05 MST