Re: [squid-users] squid NTLM setup question

From: Andre Albsmeier <Andre.Albsmeier_at_siemens.com>
Date: Mon, 21 Sep 2009 13:23:20 +0200

On Mon, 21-Sep-2009 at 22:58:40 +1200, Amos Jeffries wrote:
> Andre Albsmeier wrote:
> > On Mon, 21-Sep-2009 at 00:30:46 +1200, Amos Jeffries wrote:
> >> Andre Albsmeier wrote:
> >>> On Sun, 20-Sep-2009 at 00:29:12 +1200, Amos Jeffries wrote:
> >>>> Andre Albsmeier wrote:
> >>>>> On Thu, 10-Sep-2009 at 14:55:23 -0400, Navjeet wrote:
> >>>>>> We have been using squid in our development environment. Squid has
> >>>>>> been forwarding all the internet bound traffic to a proxy server that
> >>>>>> did not need any authentication until now. But that has changed now
> >>>>>> and now we have use another proxy server that uses NTLM based
> >>>>>> authentication. Now our servers in this development environment only
> >>>>>> have local users (users logging in are not authenticated Windows AD).
> >>>>>> Does the Squid NTLM authentication setup still work in this setup? Can
> >>>>>> the NTLM setup be configured to use specified user (and password
> >>>>>> hopefully encrypted ) that can be specified in some configuration
> >>>>>> file. This is needed as many of our applications (Tomcat, ESB etc )
> >>>>>> are headless (i mean not just a web browser) and they now need to go
> >>>>>> thru this new proxy server.
> >>>>> If you want something like this:
> >>>>>
> >>>>> no auth NTLM auth
> >>>>> clients -------> squid ---------> NTLM based proxy ---> world
> >>>>>
> >>>>> I think this is not possible with squid. I worked around this
> >>>>> same problem with cntlm using:
> >>>>>
> >>>>> no auth no auth NTLM auth
> >>>>> clients -------> squid -------> cntlm ---------> NTLM based proxy ---> world
> >>>>>
> >>>>> cntlm runs on the same machine as squid does. However, I were
> >>>>> happy if the cntlm functionality could be brought into
> >>>>> squid one day...
> >>>> Your wish is granted ;)
> >>> Oh, that's good news, thanks!
> >>>
> >>>> 3.2 will have Kerberos login to cache_peer servers. The code is already
> >>>> committed to the 3.HEAD alpha releases.
> >>> Now I am confused: You talk about Kerberos, I thought of NTLM
> >>> (NTLMv2 to be exact). In cntlm I simply enter my NTLMv2 hash
> >>> and it authenticates happily to its upstream. With Kerberos,
> >>> I always think about tickets, krb-servers and so on. To be
> >>> honest, I have never been into Windoze's NTLM stuff a lot (I
> >>> am just happy it works) neither used Kerberos until now.
> >> Sorry. Mea culpa. Been looking at the back-end for too long.
> >
> > Nevermind. Maybe one day I will hack my own NTLMv2 implementation
> > into squid. Shouldn't be too hard...
> >
> >> Kerberos is the one Squid is getting. The old NTLM is deprecated by MS,
> >> the NTLMv2 will go out with XP before Squid 3.2 is ready for use.
> >
> > So you think it will take 5 years until 3.2 will be ready? :-)
>
> Shifted again has it? :) I was thinking XP is scheduled EOL for 2011

No idea, to be honest. I have heard something of an
extended support until 2014...

        -Andre

> nowdays. Maybe wrong.
>
> 18 months is our ideal release timeframe. Starting last July when 3.1
> was frozen.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
> Current Beta Squid 3.1.0.13

-- 
"I think there is a world market for maybe five computers."
                     - Thomas Watson, chairman of IBM, 1943
Received on Mon Sep 21 2009 - 11:23:27 MDT

This archive was generated by hypermail 2.2.0 : Mon Sep 21 2009 - 12:00:02 MDT