Re: [squid-users] squid NTLM setup question
On Mon, 21-Sep-2009 at 22:58:40 +1200, Amos Jeffries wrote:
> Andre Albsmeier wrote:
> > On Mon, 21-Sep-2009 at 00:30:46 +1200, Amos Jeffries wrote:
> >> Andre Albsmeier wrote:
> >>> On Sun, 20-Sep-2009 at 00:29:12 +1200, Amos Jeffries wrote:
> >>>> Andre Albsmeier wrote:
> >>>>> On Thu, 10-Sep-2009 at 14:55:23 -0400, Navjeet wrote:
> >>>>>> We have been using squid in our development environment. Squid has
> >>>>>> been forwarding all the internet bound traffic to a proxy server that
> >>>>>> did not need any authentication until now. But that has changed now
> >>>>>> and now we have to use another proxy server that uses NTLM based
> >>>>>> authentication. Now our servers in this development environment only
> >>>>>> have local users (users logging in are not authenticated against Windows AD).
> >>>>>> Does the Squid NTLM authentication setup still work in this setup? Can
> >>>>>> the NTLM setup be configured to use a specified user (and password,
> >>>>>> hopefully encrypted) that can be specified in some configuration
> >>>>>> file. This is needed as many of our applications (Tomcat, ESB etc.)
> >>>>>> are headless (I mean not just a web browser) and they now need to go
> >>>>>> through this new proxy server.
> >>>>> If you want something like this:
> >>>>>
> >>>>>            no auth          NTLM auth
> >>>>> clients ---> squid -> NTLM based proxy ---> world
> >>>>>
> >>>>> I think this is not possible with squid. I worked around this
> >>>>> same problem with cntlm using:
> >>>>>
> >>>>>            no auth      no auth       NTLM auth
> >>>>> clients ---> squid ---> cntlm -> NTLM based proxy --->
> >>>>> world
> >>>>>
> >>>>> cntlm runs on the same machine as squid does. However, I would be
> >>>>> happy if the cntlm functionality could be brought into
> >>>>> squid one day...
> >>>> Your wish is granted ;)
> >>> Oh, that's good news, thanks!
> >>>
> >>>> 3.2 will have Kerberos login to cache_peer servers. The code is already
> >>>> committed to the 3.HEAD alpha releases.
> >>> Now I am confused: You talk about Kerberos, I thought of NTLM
> >>> (NTLMv2 to be exact). In cntlm I simply enter my NTLMv2 hash
> >>> and it authenticates happily to its upstream. With Kerberos,
> >>> I always think about tickets, krb-servers and so on. To be
> >>> honest, I have never been into Windoze's NTLM stuff a lot (I
> >>> am just happy it works) nor used Kerberos until now.
> >> Sorry. Mea culpa. Been looking at the back-end for too long.
> >
> > Never mind. Maybe one day I will hack my own NTLMv2 implementation
> > into squid. Shouldn't be too hard...
> >
> >> Kerberos is the one Squid is getting. The old NTLM is deprecated by MS,
> >> the NTLMv2 will go out with XP before Squid 3.2 is ready for use.
> >
> > So you think it will take 5 years until 3.2 will be ready? :-)
>
> Shifted again has it? :) I was thinking XP is scheduled EOL for 2011
> nowadays. Maybe wrong.

No idea, to be honest. I have heard something of an extended support
until 2014...

-Andre

> 18 months is our ideal release timeframe. Starting last July when 3.1
> was frozen.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
>   Current Beta Squid 3.1.0.13

--
"I think there is a world market for maybe five computers."
- Thomas Watson, chairman of IBM, 1943
Re: [squid-users] squid NTLM setup question
On Mon, 21-Sep-2009 at 00:30:46 +1200, Amos Jeffries wrote:
> Andre Albsmeier wrote:
> > On Sun, 20-Sep-2009 at 00:29:12 +1200, Amos Jeffries wrote:
> >> Andre Albsmeier wrote:
> >>> On Thu, 10-Sep-2009 at 14:55:23 -0400, Navjeet wrote:
> >>>> We have been using squid in our development environment. Squid has
> >>>> been forwarding all the internet bound traffic to a proxy server that
> >>>> did not need any authentication until now. But that has changed now
> >>>> and now we have to use another proxy server that uses NTLM based
> >>>> authentication. Now our servers in this development environment only
> >>>> have local users (users logging in are not authenticated against Windows AD).
> >>>> Does the Squid NTLM authentication setup still work in this setup? Can
> >>>> the NTLM setup be configured to use a specified user (and password,
> >>>> hopefully encrypted) that can be specified in some configuration
> >>>> file. This is needed as many of our applications (Tomcat, ESB etc.)
> >>>> are headless (I mean not just a web browser) and they now need to go
> >>>> through this new proxy server.
> >>> If you want something like this:
> >>>
> >>>            no auth          NTLM auth
> >>> clients ---> squid -> NTLM based proxy ---> world
> >>>
> >>> I think this is not possible with squid. I worked around this
> >>> same problem with cntlm using:
> >>>
> >>>            no auth      no auth       NTLM auth
> >>> clients ---> squid ---> cntlm -> NTLM based proxy --->
> >>> world
> >>>
> >>> cntlm runs on the same machine as squid does. However, I would be
> >>> happy if the cntlm functionality could be brought into
> >>> squid one day...
> >> Your wish is granted ;)
> >
> > Oh, that's good news, thanks!
> >
> >> 3.2 will have Kerberos login to cache_peer servers. The code is already
> >> committed to the 3.HEAD alpha releases.
> >
> > Now I am confused: You talk about Kerberos, I thought of NTLM
> > (NTLMv2 to be exact). In cntlm I simply enter my NTLMv2 hash
> > and it authenticates happily to its upstream. With Kerberos,
> > I always think about tickets, krb-servers and so on. To be
> > honest, I have never been into Windoze's NTLM stuff a lot (I
> > am just happy it works) nor used Kerberos until now.
>
> Sorry. Mea culpa. Been looking at the back-end for too long.

Never mind. Maybe one day I will hack my own NTLMv2 implementation
into squid. Shouldn't be too hard...

> Kerberos is the one Squid is getting. The old NTLM is deprecated by MS,
> the NTLMv2 will go out with XP before Squid 3.2 is ready for use.

So you think it will take 5 years until 3.2 will be ready? :-)

Thanks,

-Andre

--
In a world without walls and fences, who needs windows and gates?
Re: [squid-users] squid NTLM setup question
On Sun, 20-Sep-2009 at 00:29:12 +1200, Amos Jeffries wrote:
> Andre Albsmeier wrote:
> > On Thu, 10-Sep-2009 at 14:55:23 -0400, Navjeet wrote:
> >> We have been using squid in our development environment. Squid has
> >> been forwarding all the internet bound traffic to a proxy server that
> >> did not need any authentication until now. But that has changed now
> >> and now we have to use another proxy server that uses NTLM based
> >> authentication. Now our servers in this development environment only
> >> have local users (users logging in are not authenticated against Windows AD).
> >> Does the Squid NTLM authentication setup still work in this setup? Can
> >> the NTLM setup be configured to use a specified user (and password,
> >> hopefully encrypted) that can be specified in some configuration
> >> file. This is needed as many of our applications (Tomcat, ESB etc.)
> >> are headless (I mean not just a web browser) and they now need to go
> >> through this new proxy server.
> >
> > If you want something like this:
> >
> >            no auth          NTLM auth
> > clients ---> squid -> NTLM based proxy ---> world
> >
> > I think this is not possible with squid. I worked around this
> > same problem with cntlm using:
> >
> >            no auth      no auth       NTLM auth
> > clients ---> squid ---> cntlm -> NTLM based proxy ---> world
> >
> > cntlm runs on the same machine as squid does. However, I would be
> > happy if the cntlm functionality could be brought into
> > squid one day...
>
> Your wish is granted ;)

Oh, that's good news, thanks!

>
> 3.2 will have Kerberos login to cache_peer servers. The code is already
> committed to the 3.HEAD alpha releases.

Now I am confused: You talk about Kerberos, I thought of NTLM
(NTLMv2 to be exact). In cntlm I simply enter my NTLMv2 hash
and it authenticates happily to its upstream. With Kerberos,
I always think about tickets, krb-servers and so on. To be
honest, I have never been into Windoze's NTLM stuff a lot (I
am just happy it works) nor used Kerberos until now.

Will there be some kind of How-To for using this new feature?

Thanks a lot for your great work on squid,

-Andre

--
Note: No Micro$oft programs were used in the creation or distribution
of this message. If you are using a Micro$oft program to view or
forward this message, be forewarned that I am not responsible for any
harm you may encounter as a result.
Re: [squid-users] squid NTLM setup question
On Thu, 10-Sep-2009 at 14:55:23 -0400, Navjeet wrote:
> We have been using squid in our development environment. Squid has
> been forwarding all the internet bound traffic to a proxy server that
> did not need any authentication until now. But that has changed now
> and now we have to use another proxy server that uses NTLM based
> authentication. Now our servers in this development environment only
> have local users (users logging in are not authenticated against Windows AD).
> Does the Squid NTLM authentication setup still work in this setup? Can
> the NTLM setup be configured to use a specified user (and password,
> hopefully encrypted) that can be specified in some configuration
> file. This is needed as many of our applications (Tomcat, ESB etc.)
> are headless (I mean not just a web browser) and they now need to go
> through this new proxy server.

If you want something like this:

            no auth          NTLM auth
clients ---> squid -> NTLM based proxy ---> world

I think this is not possible with squid. I worked around this
same problem with cntlm using:

            no auth      no auth       NTLM auth
clients ---> squid ---> cntlm -> NTLM based proxy ---> world

cntlm runs on the same machine as squid does. However, I would be
happy if the cntlm functionality could be brought into
squid one day...

-Andre

--
Failure is not an option -- it comes bundled with Windows.
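An added configuration sketch of the squid -> cntlm -> NTLM proxy chain Andre describes (this is editor-supplied illustration, not configuration posted in the thread or shipped by either project). The file paths, the upstream proxy name and port, the local cntlm port 3129, the client subnet, the account name, and the domain are all assumed; the PassNTLMv2 value is a placeholder to be replaced with the output of `cntlm -H`.

```conf
# --- /etc/cntlm.conf (assumed path) ---
# cntlm holds the NTLMv2 credential and performs the handshake with the
# upstream proxy, so squid itself never needs to speak NTLM.
Username    devproxyuser
Domain      EXAMPLE
# Placeholder: generate the real value with `cntlm -H -u devproxyuser -d EXAMPLE`
# and paste the PassNTLMv2 line it prints. The hash is password-equivalent,
# so this file should be readable only by the account cntlm runs as.
PassNTLMv2  <PASTE_PassNTLMv2_FROM_cntlm_-H>
# Assumed upstream NTLM-authenticating proxy.
Proxy       ntlmproxy.example.internal:8080
# Listen on loopback only: squid on the same host is the only intended client,
# so no other machine can ride on the stored credential.
Listen      127.0.0.1:3129
NoProxy     localhost, 127.0.0.*

# --- /etc/squid/squid.conf (assumed path), relevant lines only ---
# Hand every request to the local cntlm instance (the "no auth" leg), and
# forbid squid from ever bypassing it and reaching the upstream proxy directly.
cache_peer 127.0.0.1 parent 3129 0 no-query no-digest default name=cntlm
never_direct allow all
# Clients on the development network reach squid without authentication;
# everything else is refused so the chain is not an open relay.
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
```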