Re: [squid-users] Squid configuration for NTLM
Hi Amos,

I am trying to host the domain controller and domain user on the same machine. Is it possible? When I do a net rpc join -Uusername, I get a create user account failed because the account already exists. How to overcome this error?

Regards,
Prashant

----- Original Message -----
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Thu, 3 June, 2010 9:55:29 AM
Subject: Re: [squid-users] Squid configuration for NTLM

On Wed, 2 Jun 2010 20:56:42 -0700 (PDT), Prashant K.S ksprash...@yahoo.com wrote:
> Hi Amos,
> One more question. My primary purpose is to test an NTLM client that I have developed against Linux Squid proxy. If I cannot configure squid proxy, is there any openly available squid proxy that uses NTLM and for which I can register myself and get a user name and password which I can use for authentication and test my NTLM client?
> Regards,
> Prashant

Oh, that is a different prospect. If you are just testing that the protocol coding etc is valid you can use the fakeauth NTLM helper:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/LoggingOnly#NTLM_Authentication

It does NTLM challenges with random tokens and validates the client reply blobs are self-consistent, but does not use any domain to check the coded password/username actually match valid ones. If the authentication blobs or connection handling are broken they will show up with this handler.

If you need deeper checks that the username/token were being transferred from the client to DC, then you will need a full real domain linkage setup.

Amos

----- Original Message -----
From: Prashant K.S ksprash...@yahoo.com
To: Amos Jeffries squ...@treenet.co.nz; squid-users@squid-cache.org
Sent: Thu, 3 June, 2010 9:11:09 AM
Subject: Re: [squid-users] Squid configuration for NTLM

Hi Amos,

The domain I am talking about is my office network domain and my computer cannot be a part of that domain. Is it possible to host myself a domain or be a part of some domain that is available in open (Not sure how risky is it).

Regards,
Prashant

----- Original Message -----
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Thu, 3 June, 2010 9:05:48 AM
Subject: Re: [squid-users] Squid configuration for NTLM

On Wed, 2 Jun 2010 20:30:51 -0700 (PDT), Prashant K.S ksprash...@yahoo.com wrote:
> Hi Amos,
> Thanks for your reply. I want to correct my words. I do have access to some NT domain. But just that I have the user and password to authenticate against that domain. But my computer is not part of that domain. Will I be able to achieve NTLM authentication with Squid using this setup? And if yes, can you please let me know the configuration?

Okay good. You won't be able to do it without making the proxy a machine account on the domain. Apparently the winbindd manual page has details on how the Linux machine needs to be configured into the domain.

Details on the Squid and Samba setup can be found here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm

Amos
[squid-users] Squid configuration for NTLM
Hi,

I am new to Squid. I am also new to Samba and the network configuration parameters. I have a squid 3.1 installed on my ubuntu linux machine. I have a requirement to set up a squid proxy on a ubuntu/red hat linux machine that does NTLM authentication for all the requests from browser. I do not have access to any NT domain from the linux machine. Can you please help by detailing the steps needed for doing this.

Regards,
Prashant
Re: [squid-users] Squid configuration for NTLM
On Wed, 2 Jun 2010 20:10:56 -0700 (PDT), Prashant K.S ksprash...@yahoo.com wrote:
> Hi,
> I am new to Squid. I am also new to Samba and the network configuration parameters. I have a squid 3.1 installed on my ubuntu linux machine. I have a requirement to set up a squid proxy on a ubuntu/red hat linux machine that does NTLM authentication for all the requests from browser. I do not have access to any NT domain from the linux machine.

This lack of domain access will be a problem if you want to set up full NTLM. The proxy will need access to the domain controller which is the only machine able to check the security tokens are true.

The SMB LM helper bundled with Squid can do checks without domain access or Samba. However it cannot do real NTLMv2.

Linux machines can be set up as trusted domain members, so if you have digital access to the domain controller server you can configure the domain access.

NP: You also want to be looking at switching the NTLM to Kerberos, or Kerberos with NTLM as a backup. The newer Windows systems use Kerberos instead of NTLM. It also is less resource hungry.

Amos
Re: [squid-users] Squid configuration for NTLM
On Wed, 2 Jun 2010 20:30:51 -0700 (PDT), Prashant K.S ksprash...@yahoo.com wrote:
> Hi Amos,
> Thanks for your reply. I want to correct my words. I do have access to some NT domain. But just that I have the user and password to authenticate against that domain. But my computer is not part of that domain. Will I be able to achieve NTLM authentication with Squid using this setup? And if yes, can you please let me know the configuration?

Okay good. You won't be able to do it without making the proxy a machine account on the domain. Apparently the winbindd manual page has details on how the Linux machine needs to be configured into the domain.

Details on the Squid and Samba setup can be found here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm

Amos
Re: [squid-users] Squid configuration for NTLM
Hi Amos,

The domain I am talking about is my office network domain and my computer cannot be a part of that domain. Is it possible to host myself a domain or be a part of some domain that is available in open (Not sure how risky is it).

Regards,
Prashant

----- Original Message -----
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Thu, 3 June, 2010 9:05:48 AM
Subject: Re: [squid-users] Squid configuration for NTLM

On Wed, 2 Jun 2010 20:30:51 -0700 (PDT), Prashant K.S ksprash...@yahoo.com wrote:
> Hi Amos,
> Thanks for your reply. I want to correct my words. I do have access to some NT domain. But just that I have the user and password to authenticate against that domain. But my computer is not part of that domain. Will I be able to achieve NTLM authentication with Squid using this setup? And if yes, can you please let me know the configuration?

Okay good. You won't be able to do it without making the proxy a machine account on the domain. Apparently the winbindd manual page has details on how the Linux machine needs to be configured into the domain.

Details on the Squid and Samba setup can be found here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm

Amos
Re: [squid-users] Squid configuration for NTLM
Hi Amos,

One more question. My primary purpose is to test an NTLM client that I have developed against Linux Squid proxy. If I cannot configure squid proxy, is there any openly available squid proxy that uses NTLM and for which I can register myself and get a user name and password which I can use for authentication and test my NTLM client?

Regards,
Prashant

----- Original Message -----
From: Prashant K.S ksprash...@yahoo.com
To: Amos Jeffries squ...@treenet.co.nz; squid-users@squid-cache.org
Sent: Thu, 3 June, 2010 9:11:09 AM
Subject: Re: [squid-users] Squid configuration for NTLM

Hi Amos,

The domain I am talking about is my office network domain and my computer cannot be a part of that domain. Is it possible to host myself a domain or be a part of some domain that is available in open (Not sure how risky is it).

Regards,
Prashant

----- Original Message -----
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Thu, 3 June, 2010 9:05:48 AM
Subject: Re: [squid-users] Squid configuration for NTLM

On Wed, 2 Jun 2010 20:30:51 -0700 (PDT), Prashant K.S ksprash...@yahoo.com wrote:
> Hi Amos,
> Thanks for your reply. I want to correct my words. I do have access to some NT domain. But just that I have the user and password to authenticate against that domain. But my computer is not part of that domain. Will I be able to achieve NTLM authentication with Squid using this setup? And if yes, can you please let me know the configuration?

Okay good. You won't be able to do it without making the proxy a machine account on the domain. Apparently the winbindd manual page has details on how the Linux machine needs to be configured into the domain.

Details on the Squid and Samba setup can be found here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm

Amos
Re: [squid-users] Squid configuration for NTLM
On Wed, 2 Jun 2010 20:56:42 -0700 (PDT), Prashant K.S ksprash...@yahoo.com wrote:
> Hi Amos,
> One more question. My primary purpose is to test an NTLM client that I have developed against Linux Squid proxy. If I cannot configure squid proxy, is there any openly available squid proxy that uses NTLM and for which I can register myself and get a user name and password which I can use for authentication and test my NTLM client?
> Regards,
> Prashant

Oh, that is a different prospect. If you are just testing that the protocol coding etc is valid you can use the fakeauth NTLM helper:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/LoggingOnly#NTLM_Authentication

It does NTLM challenges with random tokens and validates the client reply blobs are self-consistent, but does not use any domain to check the coded password/username actually match valid ones. If the authentication blobs or connection handling are broken they will show up with this handler.

If you need deeper checks that the username/token were being transferred from the client to DC, then you will need a full real domain linkage setup.

Amos

----- Original Message -----
From: Prashant K.S ksprash...@yahoo.com
To: Amos Jeffries squ...@treenet.co.nz; squid-users@squid-cache.org
Sent: Thu, 3 June, 2010 9:11:09 AM
Subject: Re: [squid-users] Squid configuration for NTLM

Hi Amos,

The domain I am talking about is my office network domain and my computer cannot be a part of that domain. Is it possible to host myself a domain or be a part of some domain that is available in open (Not sure how risky is it).

Regards,
Prashant

----- Original Message -----
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Thu, 3 June, 2010 9:05:48 AM
Subject: Re: [squid-users] Squid configuration for NTLM

On Wed, 2 Jun 2010 20:30:51 -0700 (PDT), Prashant K.S ksprash...@yahoo.com wrote:
> Hi Amos,
> Thanks for your reply. I want to correct my words. I do have access to some NT domain. But just that I have the user and password to authenticate against that domain. But my computer is not part of that domain. Will I be able to achieve NTLM authentication with Squid using this setup? And if yes, can you please let me know the configuration?

Okay good. You won't be able to do it without making the proxy a machine account on the domain. Apparently the winbindd manual page has details on how the Linux machine needs to be configured into the domain.

Details on the Squid and Samba setup can be found here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm

Amos
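
The kind of self-consistency check described in the message above, as an added example that is not part of the original thread and is not Squid's helper code: it decodes a Proxy-Authorization: NTLM value and verifies that a type 3 (authenticate) blob has a valid signature and in-bounds security buffers, without checking any credentials. The function names, the 64-byte fixed header assumption and the sample blob builder are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
# Security buffers of a type 3 message: field name -> offset of its (len, maxlen, offset) header
TYPE3_FIELDS = {"lm_response": 12, "nt_response": 20,
                "domain": 28, "user": 36, "workstation": 44}

def parse_proxy_auth(header_value):
    """Decode 'NTLM <base64>' and return (message_type, raw_bytes)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM Proxy-Authorization value")
    raw = base64.b64decode(token, validate=True)
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        raise ValueError("bad NTLMSSP signature")
    return struct.unpack_from("<I", raw, 8)[0], raw

def check_type3(raw):
    """Return the decoded type 3 fields; raise ValueError if the blob is inconsistent."""
    if len(raw) < 64:  # assumption: header form that includes the flags field
        raise ValueError("type 3 message shorter than its fixed header")
    flags = struct.unpack_from("<I", raw, 60)[0]
    out = {}
    for name, pos in TYPE3_FIELDS.items():
        length, max_len, offset = struct.unpack_from("<HHI", raw, pos)
        if length > max_len or offset + length > len(raw) or (length and offset < 64):
            raise ValueError(f"{name}: security buffer out of bounds")
        out[name] = raw[offset:offset + length]
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    for name in ("domain", "user", "workstation"):
        out[name] = out[name].decode(codec)
    return out

def build_type3(domain, user, workstation, nt_response, lm_response=b"\x00" * 24):
    """Build a constructed type 3 blob to use as sample input for the checks."""
    parts = {"lm_response": lm_response, "nt_response": nt_response,
             "domain": domain.encode("utf-16-le"), "user": user.encode("utf-16-le"),
             "workstation": workstation.encode("utf-16-le")}
    header = bytearray(SIGNATURE + struct.pack("<I", 3) + b"\x00" * 52)
    payload = b""
    for name, pos in TYPE3_FIELDS.items():
        data = parts[name]
        struct.pack_into("<HHI", header, pos, len(data), len(data), 64 + len(payload))
        payload += data
    struct.pack_into("<I", header, 60, NEGOTIATE_UNICODE)
    return bytes(header) + payload
```

A blob that passes these checks is only structurally valid; as the message says, matching the username and response against real credentials still requires a domain controller.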
Re: [squid-users] Squid configuration for NTLM
Hi Amos,

Thanks for the suggestion. I guess I would be able to partially validate my client with this approach. Is there any publicly hosted squid proxy which provides full NTLM authentication that I can make use of?

Regards,
Prashant

----- Original Message -----
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Thu, 3 June, 2010 9:55:29 AM
Subject: Re: [squid-users] Squid configuration for NTLM

On Wed, 2 Jun 2010 20:56:42 -0700 (PDT), Prashant K.S ksprash...@yahoo.com wrote:
> Hi Amos,
> One more question. My primary purpose is to test an NTLM client that I have developed against Linux Squid proxy. If I cannot configure squid proxy, is there any openly available squid proxy that uses NTLM and for which I can register myself and get a user name and password which I can use for authentication and test my NTLM client?
> Regards,
> Prashant

Oh, that is a different prospect. If you are just testing that the protocol coding etc is valid you can use the fakeauth NTLM helper:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/LoggingOnly#NTLM_Authentication

It does NTLM challenges with random tokens and validates the client reply blobs are self-consistent, but does not use any domain to check the coded password/username actually match valid ones. If the authentication blobs or connection handling are broken they will show up with this handler.

If you need deeper checks that the username/token were being transferred from the client to DC, then you will need a full real domain linkage setup.

Amos

----- Original Message -----
From: Prashant K.S ksprash...@yahoo.com
To: Amos Jeffries squ...@treenet.co.nz; squid-users@squid-cache.org
Sent: Thu, 3 June, 2010 9:11:09 AM
Subject: Re: [squid-users] Squid configuration for NTLM

Hi Amos,

The domain I am talking about is my office network domain and my computer cannot be a part of that domain. Is it possible to host myself a domain or be a part of some domain that is available in open (Not sure how risky is it).

Regards,
Prashant

----- Original Message -----
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Thu, 3 June, 2010 9:05:48 AM
Subject: Re: [squid-users] Squid configuration for NTLM

On Wed, 2 Jun 2010 20:30:51 -0700 (PDT), Prashant K.S ksprash...@yahoo.com wrote:
> Hi Amos,
> Thanks for your reply. I want to correct my words. I do have access to some NT domain. But just that I have the user and password to authenticate against that domain. But my computer is not part of that domain. Will I be able to achieve NTLM authentication with Squid using this setup? And if yes, can you please let me know the configuration?

Okay good. You won't be able to do it without making the proxy a machine account on the domain. Apparently the winbindd manual page has details on how the Linux machine needs to be configured into the domain.

Details on the Squid and Samba setup can be found here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm

Amos