Re: [squid-users] authenticate to pam's DB on squid machine with NTLM

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Wed, 25 Dec 2013 00:47:39 +0200

Hey Brian,

Please try to define from scratch the issue and the needs.
Describe the network in a manner of IP level and also in the users level.
As I understood it, it's a LAN with a proxy; it will be very different
to set up this squid instance in a way that will fit your needs.

If it's a wifi network you can use a RADIUS server/service and allow usage
of squid using a radius external_acl helper.

If it's a wired network it's another story.
A Windows network and clients are not bad but give a specific level of
operation.

To clarify my vision on the issue:
If, for example, this network has a 192.168.0.0/24 subnet, who are those
that are allowed to use the proxy whose IP is 192.168.0.200, for example?
Also do you expect them to configure the proxy settings in the browser/OS?
What level of security is needed on this network?

Eliezer

On 22/12/13 08:15, Brian J. Murrell wrote:
> Per my previous message, it seems that if I want to have Negotiate
> authentication for my Linux machines (which use Kerberos in my network),
> I have to support Negotiate for the Windows machines, even though they
> don't actually use Kerberos. It seems they want to use NTLMSSP when
> they are offered Negotiate from Squid without Kerberos tickets.
>
> So, I don't want the Windows machines to join any AD domains here[1].
> There are no AD domains or services for them to join one for. I simply
> want them to be able to use Squid, which seems to mean them using the
> Negotiate authentication method that Squid is offering them (as well as
> Basic but I suppose Windows is ignoring that one because it is a weaker
> protocol), which appears to mean they use NTLMSSP.
>
> So does anyone have a HOWTO they can point to on what I need to do to
> simply get Squid to be able to use ntlm_auth to authenticate the Windows
> users against PAM on the Squid machine?
>
> I have seen http://wiki.squid-cache.org/ConfigExamples/Authenticate and
> in particular
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm but that
> seems to assume one has an existing AD domain and PDC that they can
> point Samba on the Squid machine to using:
>
> password server = myPDC
>
> in the smb.conf.
>
> But as I said above, there is no AD domain here, therefore no PDC. I
> don't really have any desire to create one, just to authenticate Windows
> Squid users. I just want to be able to authenticate the Windows
> Negotiate/NTLMSSP against the local PAM passwd service on the Squid
> machine.
>
> I'm using Squid
> Cheers,
> b.
>
> [1] These Windows users are not really members of my network but
> "guests" being given access to our Squid. It's not really
> reasonable to ask them to reconfigure their machines to be domain
> clients for an AD domain here.
>
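As an added illustration (not configuration posted by either participant), this is a squid.conf fragment for the combination Brian describes: Negotiate offered first, Basic against the local PAM stack second. The helper paths, the service principal and Squid 3.2+ helper names are assumptions.

```conf
# Added example, not from the thread. Assumes Squid 3.2+ helper names and
# Debian-style helper paths; adjust both to the local installation.

# Negotiate (Kerberos) for clients that hold a ticket for the proxy's
# service principal. Clients without a ticket will answer with NTLMSSP
# inside the Negotiate token, which this helper cannot validate without a
# domain (winbind), so such clients get a 407 and must use another scheme.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com
auth_param negotiate children 10 startup=2 idle=1
auth_param negotiate keep_alive on

# Basic checked against PAM (needs /etc/pam.d/squid). Basic carries the
# password in the clear, so only offer it on links you trust.
auth_param basic program /usr/lib/squid/basic_pam_auth
auth_param basic children 5 startup=1 idle=1
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Any successfully authenticated user may use the proxy; everything else is denied.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```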
Received on Tue Dec 24 2013 - 22:52:51 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 25 2013 - 12:00:05 MST