Re: [SLUG] Squid, smb_auth and transparent proxying.

2003-03-17 Thread Robert Collins
On Tue, 2003-03-18 at 09:05, [EMAIL PROTECTED] wrote:
> Theoretically, yes.

No. NTLM does not fix the problems caused by interception (aka
transparent) caching.

What can I do to kill this meme?

Rob

> Practically, I'm wading through documentation... Any pointers or 
> references appreciated...
> 
> Michael.
> ...

> 
> 
> > > Is there a way to make smb_auth work with squid and transparent
> > > proxying?
> > 
> > No. 
> > 
> > It's in the FAQ. IIRC it's in squid.conf.default. And it was on this list
> > about a week ago.
> > 
> > There is a theoretical approach, but no-one has had time to implement it.
> 
> You can do it with NTLM though, can't you?
> 
> - Jeff




-- 
Robert Collins <[EMAIL PROTECTED]>




Re: [SLUG] Squid, smb_auth and transparent proxying.

2003-03-17 Thread mkraus
Theoretically, yes.

Practically, I'm wading through documentation... Any pointers or 
references appreciated...

Michael.
---
Michael S. E. Kraus
Administration
Capital Holdings Group (NSW) Pty Ltd
p: (02) 9955 8000




Jeff Waugh <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
17/03/2003 05:21 PM

 
To: [EMAIL PROTECTED]
cc: 
Subject:    Re: [SLUG] Squid, smb_auth and transparent proxying.




> > Is there a way to make smb_auth work with squid and transparent
> > proxying?
> 
> No. 
> 
> It's in the FAQ. IIRC it's in squid.conf.default. And it was on this list
> about a week ago.
> 
> There is a theoretical approach, but no-one has had time to implement it.

You can do it with NTLM though, can't you?

- Jeff

-- 
  No pants is good pants.  
-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug





Re: [SLUG] Squid, smb_auth and transparent proxying.

2003-03-16 Thread Robert Collins
On Mon, 2003-03-17 at 17:23, Kevin Saenz wrote:
> > I'm trialling using smb_auth for access to our squid proxy.
> > 
> 
> I guess that is good for a small network. What happens when the
> network grows to a larger size and fixing acls for each user
> in squid becomes a pain in the proverbial? But I can see an
> up side given that Authentication through smb would be completely
> transparent unlike ldap authentication with squid.

smb != NTLM.
smb is a 'basic' scheme auth helper for squid.
you are referring to 'ntlm' scheme auth helpers, of which the samba
winbind one is one.

> > I'm using transparent proxying with squid, however I've found that this 
> > won't allow access to permitted users, and I have to point the browser at 
> > the proxy manually.
> > 
> Didn't someone previously post how much of a bad idea transparent
> proxying is in the real world? (By redirecting port 80 to squid's ports)

That would be me.

> 
> > Is there a way to make smb_auth work with squid and transparent proxying?
> > 
> obviously to authenticate with smb you must allow smb protocols
> to your squid server.

Yep. I'll enlarge on this, the canonical answer:

when a client has its TCP session hijacked, the only http
authentication it will do is server-authentication (prompted for by a
401 return code).

If the hijacking proxy uses that to force authentication, it will
a) need to do it for every different website browsed too,
b) break any website that uses authentication.

Thus, to get authentication working on your local proxy, you MUST NOT
use tcp hijacking.

There is an even more substantial answer in the archives a few weeks
back.

Rob

-- 
GPG key available at: .
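
Added example, not part of the original thread or of Squid itself: a small squid.conf check for the combination Rob rules out above, an intercepting listener together with `proxy_auth` ACLs used in `http_access`. The sample configs are constructed; the `transparent`/`intercept`/`tproxy` port flags are the syntax of later Squid releases, and `httpd_accel_host virtual` is the 2.5-era interception setup.

```python
# Constructed sample configs for illustration (not taken from the thread).
INTERCEPT_WITH_AUTH = """\
http_port 3128 transparent
auth_param basic program /usr/lib/squid/smb_auth -W EXAMPLEDOM
acl staff proxy_auth REQUIRED   # needs a 407 challenge the client will never answer
http_access allow staff
http_access deny all
"""
# Same policy, but browsers are pointed at the proxy explicitly.
EXPLICIT_WITH_AUTH = INTERCEPT_WITH_AUTH.replace(" transparent", "")

INTERCEPT_FLAGS = {"transparent", "intercept", "tproxy"}
AUTH_ACL_TYPES = {"proxy_auth", "proxy_auth_regex"}


def directives(conf):
    """Yield the whitespace-split tokens of each non-comment, non-empty line."""
    for line in conf.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens:
            yield tokens


def audit(conf):
    """Return (listener, acl) pairs where interception and proxy auth coexist."""
    listeners, auth_acls, used = [], set(), []
    for t in directives(conf):
        if t[0] == "http_port" and len(t) > 1 and INTERCEPT_FLAGS & set(t[2:]):
            listeners.append(t[1])
        elif t[:2] == ["httpd_accel_host", "virtual"]:
            listeners.append("httpd_accel")          # Squid 2.5 style interception
        elif t[0] == "acl" and len(t) > 2 and t[2] in AUTH_ACL_TYPES:
            auth_acls.add(t[1])
        elif t[0] == "http_access":
            # ACL names follow allow/deny; a leading "!" negates the ACL.
            used += [name.lstrip("!") for name in t[2:]]
    hit = sorted(auth_acls & set(used))
    return [(listener, acl) for listener in listeners for acl in hit]


if __name__ == "__main__":
    for name, conf in (("intercept", INTERCEPT_WITH_AUTH),
                       ("explicit", EXPLICIT_WITH_AUTH)):
        findings = audit(conf)
        print(name, "->", findings or "ok")
```

The check is deliberately conservative: it flags any config that has both, even if other ACLs would keep authenticated rules away from the intercepted port.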




Re: [SLUG] Squid, smb_auth and transparent proxying.

2003-03-16 Thread Robert Collins
On Mon, 2003-03-17 at 17:31, Anthony Wood wrote:
> On Mon, Mar 17, 2003 at 05:23:08PM +1100, Kevin Saenz wrote:
> > 
> > > I'm trialling using smb_auth for access to our squid proxy.
> > > 
> > 
> > I guess that is good for a small network. What happens when the
> > network grows to a larger size and fixing acls for each user
> > in squid becomes a pain in the proverbial? But I can see an
> > up side given that Authentication through smb would be completely
> > transparent unlike ldap authentication with squid.
> > 
> > > I'm using transparent proxying with squid, however I've found that this 
> > > won't allow access to permitted users, and I have to point the browser at 
> > > the proxy manually.
> > > 
> > Didn't someone previously post how much of a bad idea transparent
> > proxying is in the real world? (By redirecting port 80 to squid's ports)
> 
> Transparent Proxying OK
> Proxy Authentication OK (403? Proxy Authorisation Required)
> 
> Transparent Proxy Authentication I read was bad, depends whether the
> smb_auth thing sends Proxy Auth Required to the browser, or if it
> sends denied, based on other hacky things in the background.
> 
> Maybe it's OK with certain browsers.

Nope. Never. Full Stop. Finito. 

Interception and Authentication DO NOT MIX *without* a virtual
authentication server (which squid does not currently support).

Rob
-- 
GPG key available at: .




Re: [SLUG] Squid, smb_auth and transparent proxying.

2003-03-16 Thread Anthony Wood
On Mon, Mar 17, 2003 at 05:23:08PM +1100, Kevin Saenz wrote:
> 
> > I'm trialling using smb_auth for access to our squid proxy.
> > 
> 
> I guess that is good for a small network. What happens when the
> network grows to a larger size and fixing acls for each user
> in squid becomes a pain in the proverbial? But I can see an
> up side given that Authentication through smb would be completely
> transparent unlike ldap authentication with squid.
> 
> > I'm using transparent proxying with squid, however I've found that this 
> > won't allow access to permitted users, and I have to point the browser at 
> > the proxy manually.
> > 
> Didn't someone previously post how much of a bad idea transparent
> proxying is in the real world? (By redirecting port 80 to squid's ports)

Transparent Proxying OK
Proxy Authentication OK (403? Proxy Authorisation Required)

Transparent Proxy Authentication I read was bad, depends whether the
smb_auth thing sends Proxy Auth Required to the browser, or if it
sends denied, based on other hacky things in the background.

Maybe it's OK with certain browsers.

cheers,
Woody



Re: [SLUG] Squid, smb_auth and transparent proxying.

2003-03-16 Thread Robert Collins
On Mon, 2003-03-17 at 17:21, Jeff Waugh wrote:
> 
> 
> > > Is there a way to make smb_auth work with squid and transparent
> > > proxying?
> > 
> > No. 
> > 
> > It's in the FAQ. IIRC it's in squid.conf.default. And it was on this list
> > about a week ago.
> > 
> > There is a theoretical approach, but no-one has had time to implement it.
> 
> You can do it with NTLM though, can't you?

Nope.
http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.15

Rob


 
-- 
GPG key available at: .




Re: [SLUG] Squid, smb_auth and transparent proxying.

2003-03-16 Thread Kevin Saenz

> I'm trialling using smb_auth for access to our squid proxy.
> 

I guess that is good for a small network. What happens when the
network grows to a larger size and fixing acls for each user
in squid becomes a pain in the proverbial? But I can see an
up side given that Authentication through smb would be completely
transparent unlike ldap authentication with squid.

> I'm using transparent proxying with squid, however I've found that this 
> won't allow access to permitted users, and I have to point the browser at 
> the proxy manually.
> 
Didn't someone previously post how much of a bad idea transparent
proxying is in the real world? (By redirecting port 80 to squid's ports)


> Is there a way to make smb_auth work with squid and transparent proxying?
> 
obviously to authenticate with smb you must allow smb protocols
to your squid server.


> Thanks
> 
> Mike
> ---
> Michael S. E. Kraus
> Administration
> Capital Holdings Group (NSW) Pty Ltd
> p: (02) 9955 8000



Re: [SLUG] Squid, smb_auth and transparent proxying.

2003-03-16 Thread Jeff Waugh


> > Is there a way to make smb_auth work with squid and transparent
> > proxying?
> 
> No. 
> 
> It's in the FAQ. IIRC it's in squid.conf.default. And it was on this list
> about a week ago.
> 
> There is a theoretical approach, but no-one has had time to implement it.

You can do it with NTLM though, can't you?

- Jeff

-- 
  No pants is good pants.   


Re: [SLUG] Squid, smb_auth and transparent proxying.

2003-03-16 Thread Robert Collins
On Mon, 2003-03-17 at 17:00, [EMAIL PROTECTED] wrote:
> G'day all,
> 
> I'm trialling using smb_auth for access to our squid proxy.
> 
> I'm using transparent proxying with squid, however I've found that this 
> won't allow access to permitted users, and I have to point the browser at 
> the proxy manually.
> 
> Is there a way to make smb_auth work with squid and transparent proxying?

No. 

It's in the FAQ. IIRC it's in squid.conf.default. And it was on this
list about a week ago.

There is a theoretical approach, but no-one has had time to implement
it.

Rob
-- 
GPG key available at: .




Re: [SLUG] Squid, smb_auth and transparent proxying.

2003-03-16 Thread Matthew Palmer
On Mon, 17 Mar 2003 [EMAIL PROTECTED] wrote:

> I'm using transparent proxying with squid, however I've found that this 
> won't allow access to permitted users, and I have to point the browser at 
> the proxy manually.
> 
> Is there a way to make smb_auth work with squid and transparent proxying?

Can you make authentication work with other forms of squid authentication? 
Have you tried to do it using multiple browsers?

I'm wondering if, perhaps, since you haven't told the browser that it's
using a proxy if maybe it's seriously confused that it's being asked for a
proxy password when, from its world view, there is no proxy...

If that's OK, I can't imagine why there'd be a problem.

-- 
---
#include 
Matthew Palmer, Geek In Residence
http://ieee.uow.edu.au/~mjp16

