RE: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

2005-09-29 Thread Dave Raven
Hello,
How does this login=*:secret option work? I have set up two caches
and put the authentication on the bottom unit, setting a cache peer with
login=*:secret (instead of PASS) and it doesn't work? Well, it all works, but
with no username in the log file at the top...

Any advice?

Thanks
Dave 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: 28 September 2005 12:57 AM
To: Cole
Cc: 'Henrik Nordstrom'; 'Squid Users'
Subject: RE: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe
3.x

On Wed, 28 Sep 2005, Cole wrote:

> I understand SPNEGO to be the Kerberos Authentication Method that is 
> being built into the latest browsers? Like firefox and IE 5.5+?

Firefox has experimental SPNEGO support available. By default disabled from
what I have been told, but once enabled happily uses SPNEGO both to web
servers and proxies.

IE has support for SPNEGO to web servers only, not proxies. Why Microsoft
has not added SPNEGO support to proxy connections is a mystery that only
Microsoft can answer.

> The main problem stopping us from using ntlm is that we have multiple 
> levels of cache. The top level cache is responsible for user auth and 
> acls. According to your previous posts, this cannot be done with ntlm.

And it cannot be done with Negotiate either. Both share the same design
flaws causing breakage when run over HTTP compliant proxies.

In setups requiring NTLM or Negotiate authentication you need to run the
authentication on the leaf caches closest to the client. With a little
tinkering you can then have the login (but not password) forwarded in the
proxy chain by using the login=*:secret cache_peer option if needed but this
is extra bonus. The simpler path is to allow requests from trusted child
caches without requiring authentication again.

> That's why I was trying to use a Samba-3.x, but I used the wrong helper 
> obviously. Is there a specific Samba-3.x that I would have to use 
> here, that has SPNEGO built into it? Or are all the Samba-3.x SPNEGO
> enabled?

The exact Samba versions needed to use SPNEGO over HTTP is still a bit
uncertain. From what it looks Samba 4 may be required at this time, but
maybe it works in current Samba-3.3.X as well.

Regards
Henrik



RE: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

2005-09-29 Thread Henrik Nordstrom

On Thu, 29 Sep 2005, Dave Raven wrote:


> How does this login=*:secret option work? I have set up two caches
> and put the authentication on the bottom unit, setting a cache peer with
> login=*:secret (instead of PASS) and it doesn't work? Well, it all works, but
> with no username in the log file at the top...


The top proxy needs to have authentication configured in such manner that 
it accepts basic HTTP authentication with the password you have specified 
in the login= option in the child proxy.


Regards
Henrik


RE: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

2005-09-27 Thread Chris Robertson
> -Original Message-
> From: Cole [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 27, 2005 12:41 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Squid 2.5-Stable10 With Negotiate 
> Patch and Sambe
> 3.x
> 
> 
> Hi
> 
> I'm running FreeBSD 4.9 and 4.11. What I'm trying to do is 
> set up squid-2.5-Stable10 to allow
> authentication using the Negotiate patch. 
> http://devel.squid-cache.org/projects.html#negotiate.
> 
> The patch applies fine, the compile completes with no errors, 
> everything on the squid side seems to work
> fine.

Did you run bootstrap.sh?  
http://www.squid-cache.org/mail-archive/squid-users/200506/0102.html

Beyond that I can be no help...

> I have Samba 3.0.10 installed, winbindd works fine, wbinfo -u 
> produces all the correct results.
> 
> The problem comes in that wb_ntlmauth cannot contact 
> winbindd. I get this error.
> wb_ntlmauth[466](wb_ntlm_auth.c:414): Can't contact 
> winbindd. Dying. 
> 
> I spent some time reading the mailing lists, and I see they 
> talk about the samba winbindd interface
> changing quite a lot. I was wondering if this interface 
> changed, and squid-2.5-Stable10 was updated
> to use a newer version of Samba 3 than I am currently running?
> 
> If so, what is the furthest back samba-3.x that 
> squid-2.5-StableX will work with, cause I ran into
> another problem trying to use the very latest samba 3 release 
> from ports.
> ===  samba-3.0.20,1 Broken dependency between OpenSSL, 
> OpenLDAP and Heimdal for FreeBSD 4.x.
> Disable ADS support.
> 
> Which is a problem cause I am actually trying to use squid to 
> auth using Negotiate against a Windows
> 2003 AD/KDC.
> 
> Any suggestions or help or information would be gladly appreciated.
> 
> Regards
> /Cole
> 
> 

Chris


Re: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

2005-09-27 Thread Henrik Nordstrom

On Tue, 27 Sep 2005, Cole wrote:


> The problem comes in that wb_ntlmauth cannot contact winbindd. I get this 
> error.
> wb_ntlmauth[466](wb_ntlm_auth.c:414): Can't contact winbindd. Dying.


wb_ntlmauth is for Samba-2.2.X only.

For Samba-3.X you should use ntlm_auth shipped with Samba.

For Negotiate support you probably will need Samba4. I do not think the 
required support is in Samba-3.X yet.



> If so, what is the furthest back samba-3.x that squid-2.5-StableX will work 
> with, cause I ran into
> another problem trying to use the very latest samba 3 release from ports.


Starting with Samba-3.X there is no longer any versioning dependency 
between Squid and Samba.



> Which is a problem cause I am actually trying to use squid to auth using 
> Negotiate against a Windows
> 2003 AD/KDC.


Do you have clients willing to use Negotiate in this setup? As far as I 
know MSIE does not support Negotiate to proxies, only web servers 
(including reverse proxies).


Is there any reason you do not want to use NTLM? NTLM is supported by AD 
unless explicitly disabled in the AD.


Regards
Henrik


RE: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

2005-09-27 Thread Cole
Hi.

I may have gotten a few things wrong, so please let me know where my 
understanding is totally
flawed/mis-whatever.

I understand SPNEGO to be the Kerberos Authentication Method that is being 
built into the latest
browsers? Like firefox and IE 5.5+?

The main problem stopping us from using ntlm is that we have multiple levels of 
cache. The top level
cache is responsible for user auth and acls. According to your previous posts, 
this cannot be done
with ntlm.

What we don't want to do is send username/passwords as clear text. So that's why 
I've been looking into
SPNEGO. But from all the mails I've read and articles I've tried to find, I think 
I may be a bit
confused in my understanding of the protocol.

So I'm trying to use a Firefox client to auth with an AD via squid using SPNEGO 
as the protocol.

I read in the patch this:

+   program cmdline
+   Specify the command for the external SPNEGO authenticator. Such a
+   program participates in the SPNEGO exchanges between Squid and the
+   client and reads commands according to the Squid ntlmssp helper
+   protocol. See helpers/ntlm_auth/ for details. Recommended SPNEGO
+   authenticator is ntlm_auth from Samba-3.X.
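Review bot: the last two lines recommend "ntlm_auth from Samba-3.X" as the SPNEGO authenticator without naming a minimum Samba release, while the maintainer's replies in this thread say the SPNEGO-over-HTTP support may only be present in Samba 4; suggest qualifying the recommendation with the earliest Samba version actually verified to work with this patch, or stating that the version is not yet determined. The pointer to helpers/ntlm_auth/ for the helper protocol is otherwise sufficient.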

That's why I was trying to use a Samba-3.x, but I used the wrong helper 
obviously. Is there a
specific Samba-3.x that I would have to use here, that has SPNEGO built into 
it? Or are all the
Samba-3.x SPNEGO enabled?

Anyway, if I am totally wrong somewhere, please let me know, or even just send 
me to read a link, so
that I can understand where I'm going wrong. I don't wish to waste your time, I'm 
sure you are more
than busy. But any information would be great.

Thanks
/Cole 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 27, 2005 11:26 PM
To: Cole
Cc: Squid Users
Subject: Re: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

On Tue, 27 Sep 2005, Cole wrote:

> The problem comes in that wb_ntlmauth cannot contact winbindd. I get this 
> error.
> wb_ntlmauth[466](wb_ntlm_auth.c:414): Can't contact winbindd. Dying.

wb_ntlmauth is for Samba-2.2.X only.

For Samba-3.X you should use ntlm_auth shipped with Samba.

For Negotiate support you probably will need Samba4. I do not think the 
required support is in Samba-3.X yet.

> If so, what is the furthest back samba-3.x that squid-2.5-StableX will work 
> with, cause I ran
> into
> another problem trying to use the very latest samba 3 release from ports.

Starting with Samba-3.X there is no longer any versioning dependency 
between Squid and Samba.

> Which is a problem cause I am actually trying to use squid to auth using 
> Negotiate against a
> Windows
> 2003 AD/KDC.

Do you have clients willing to use Negotiate in this setup? As far as I 
know MSIE does not support Negotiate to proxies, only web servers 
(including reverse proxies).

Is there any reason you do not want to use NTLM? NTLM is supported by AD 
unless explicitly disabled in the AD.

Regards
Henrik



RE: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

2005-09-27 Thread Henrik Nordstrom

On Wed, 28 Sep 2005, Cole wrote:


> I understand SPNEGO to be the Kerberos Authentication Method that is being 
> built into the latest
> browsers? Like firefox and IE 5.5+?


Firefox has experimental SPNEGO support available. By default disabled 
from what I have been told, but once enabled happily uses SPNEGO both to 
web servers and proxies.


IE has support for SPNEGO to web servers only, not proxies. Why Microsoft 
has not added SPNEGO support to proxy connections is a mystery that only 
Microsoft can answer.


> The main problem stopping us from using ntlm is that we have multiple 
> levels of cache. The top level cache is responsible for user auth and 
> acls. According to your previous posts, this cannot be done with ntlm.


And it cannot be done with Negotiate either. Both share the same design 
flaws causing breakage when run over HTTP compliant proxies.


In setups requiring NTLM or Negotiate authentication you need to run the 
authentication on the leaf caches closest to the client. With a little 
tinkering you can then have the login (but not password) forwarded in the 
proxy chain by using the login=*:secret cache_peer option if needed but 
this is extra bonus. The simpler path is to allow requests from trusted 
child caches without requiring authentication again.



> That's why I was trying to use a Samba-3.x, but I used the wrong helper 
> obviously. Is there a
> specific Samba-3.x that I would have to use here, that has SPNEGO built into 
> it? Or are all the
> Samba-3.x SPNEGO enabled?


The exact Samba versions needed to use SPNEGO over HTTP is still a bit 
uncertain. From what it looks Samba 4 may be required at this time, but 
maybe it works in current Samba-3.3.X as well.


Regards
Henrik
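Henrik's two replies in this thread describe one mechanism from both ends: the leaf cache authenticates the client with NTLM or Negotiate, then, with the login=*:secret cache_peer option, forwards only the username together with a fixed shared password to the parent, and the parent must accept that password through ordinary Basic authentication so the username shows up in its log. The Python script below is an added illustration of that exchange; it is not code from this thread or from the Squid project. It assumes the plain space-separated form of the Squid basic helper protocol (one "username password" request line in, one OK or ERR line out; newer Squid releases URL-encode the two fields), a constructed shared secret "secret", and a hypothetical helper path in the comments.

```python
import base64
import binascii
import hmac
import sys
from typing import Iterable, List, Optional, Tuple

# Constructed shared secret for this example. It is the "secret" part of the
# child's "cache_peer ... login=*:secret" line; the parent's helper accepts any
# non-empty username paired with exactly this password.
SHARED_SECRET = "secret"


def child_proxy_authorization(user: str, secret: str = SHARED_SECRET) -> str:
    """Proxy-Authorization value the child cache sends upstream for a request
    it has already authenticated (via NTLM/Negotiate) as `user`.

    With login=*:secret the child substitutes the real username for "*" and
    pairs it with the fixed secret, so the user's real password never leaves
    the leaf cache.
    """
    token = base64.b64encode(f"{user}:{secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def check_credentials(user: str, password: str, secret: str = SHARED_SECRET) -> str:
    """Decision for one credential pair: 'OK' or 'ERR', as a Squid basic helper
    reports it. The password is compared in constant time; the username only
    has to be non-empty, since it is the value the parent will log."""
    if user and hmac.compare_digest(password.encode("utf-8"), secret.encode("utf-8")):
        return "OK"
    return "ERR"


def parse_helper_line(line: str) -> Optional[Tuple[str, str]]:
    """Split one helper request line ("username password") into its parts.

    Assumes the plain space-separated helper protocol. Returns None on
    malformed input so the caller answers ERR instead of crashing, which would
    otherwise make Squid fail every pending authentication.
    """
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    return parts[0], parts[1]


def run_helper(lines: Iterable[str], secret: str = SHARED_SECRET) -> List[str]:
    """Answer each helper request line with OK or ERR, one answer per line, in
    order. Squid matches answers to requests by position, so even a garbled
    line must receive an answer."""
    answers: List[str] = []
    for line in lines:
        parsed = parse_helper_line(line)
        if parsed is None:
            answers.append("ERR")
            continue
        user, password = parsed
        answers.append(check_credentials(user, password, secret))
    return answers


def authenticate_forwarded_request(header_value: str,
                                   secret: str = SHARED_SECRET) -> Optional[str]:
    """Parent-side view of the same check, starting from the raw
    Proxy-Authorization header the child sent. Returns the username the parent
    should log when the shared secret matches, otherwise None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user if check_credentials(user, password, secret) == "OK" else None


if __name__ == "__main__":
    # Hypothetical deployment on the parent:
    #   auth_param basic program /usr/local/libexec/peer_secret_helper.py
    # Read one request line at a time and flush after every answer so Squid
    # is never left waiting on buffered output.
    for request in sys.stdin:
        sys.stdout.write(run_helper([request])[0] + "\n")
        sys.stdout.flush()
```

On the parent, pair the helper with an ACL that limits this shared-secret login to the child caches' addresses (an `acl ... src` entry for the children combined with `acl ... proxy_auth REQUIRED` in the same `http_access allow` line), which is the "trusted child caches" restriction Henrik mentions: the secret then only grants access from the leaf caches that already authenticated the user, not from any client that learns it.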