Hi Henrik and Brian, and happy new year to the squid mailing list!
Hrm. Firefox seems to disagree, at least in its implementation. Squid
sends Negotiate as the authentication mechanism and Firefox responds
with Kerberos.
The Negotiate HTTP scheme is defined by Internet RFC4559
Hi again,
I have been looking for the same setup as you are (transparent
authentication proxy in a full linux environment, i.e. linux/firefox +
linux/heimdal kerberos + linux/squid) for some time already, and I
asked the same question a few months ago with the same answer (need of
a helper). So
On Mon, 2006-12-18 at 23:41 -0500, Brian J. Murrell wrote:
Indeed. And it can be done, I think, by adding native KRB5 support to
ntlm_auth (right now ntlm_auth assumes everything will be wrapped in
SPNEGO), but it would be less hacking there if Firefox could be
convinced to use SPNEGO on
On Wed, 2006-12-20 at 11:06 +0100, Henrik Nordstrom wrote:
The Negotiate scheme is SPNEGO by definition.
Hrm. Firefox seems to disagree, at least in its implementation. Squid
sends Negotiate as the authentication mechanism and Firefox responds
with Kerberos.
Native KRB5 is the Kerberos
On Wed, 2006-12-20 at 07:47 -0500, Brian J. Murrell wrote:
Hrm. Firefox seems to disagree, at least in its implementation. Squid
sends Negotiate as the authentication mechanism and Firefox responds
with Kerberos.
The Negotiate HTTP scheme is defined by Internet RFC4559 SPNEGO-based
On Sat, 2006-12-16 at 21:21 -0500, Brian J. Murrell wrote:
Probably, a helper supporting this native KRB5 blob is ideal,
It has further occurred to me, that ntlm_auth *has* to be the helper
that supports this native KRB5 Negotiate goop, unless one can ensure
that no AD authenticating windows
On Mon, Dec 18, 2006, Brian J. Murrell wrote:
On Sat, 2006-12-16 at 21:21 -0500, Brian J. Murrell wrote:
Probably, a helper supporting this native KRB5 blob is ideal,
It has further occurred to me, that ntlm_auth *has* to be the helper
that supports this native KRB5 Negotiate goop,
On Tue, 2006-12-19 at 12:14 +0800, Adrian Chadd wrote:
On Mon, Dec 18, 2006, Brian J. Murrell wrote:
This is probably starting to grow a little OT for this list though.
Nope, it's definitely not off-topic for the list.
I think I just meant the discussion on how to make firefox on linux do
On Mon, Dec 18, 2006, Brian J. Murrell wrote:
I think we'd all agree that being able to offer digest
digest or Negotiate?
:) Probably the latter; I'm still not up to date on how the various
non-basic authentication methods work.
Indeed. And it can be done, I think, by adding native KRB5
On Tue, 2006-12-19 at 12:14 +0800, Adrian Chadd wrote:
I think we'd all agree that being able to offer digest authentication
in this
method to non-Windows platforms would be rather shiny.
digest as in rfc2617? Or did you mean kerberos ?:).
SPNEGO is the closest thing to a standard going,
OK.
I sat down to do some hacking of ntlm_auth and came to an interesting
discovery...
Firefox in Linux does not appear to actually use SPNEGO when it's told
to use Negotiate (i.e. by setting the
network.negotiate-auth.{delegation,trusted}-uris. Or at least I could
not find any magic keys to
On Mon, 2006-12-11 at 23:37 -0500, Brian J. Murrell wrote:
But my suggestion of using ntlm_auth was not so much in its binary form
but as a source of SPNEGO handling. IIUC, ntlm_auth takes the SPNEGO
blob from the client via squid and unpacks it and does the NTLM auth
with the MS Goop(tm)
On Mon, 2006-12-11 at 00:11 +0100, Henrik Nordstrom wrote:
What is missing is the helper...
Indeed. I think that is basically what I summarized in my followup
e-mail. Pity.
None of the squid developers knows Kerberos APIs or Microsoft SPNEGO
packet format to write such helper, but we
On Mon, 2006-12-11 at 18:54 -0500, Brian J. Murrell wrote:
Wouldn't an existing helper, like the ntlm_auth helper in Samba be of
use? Does it not take the SPNEGO data from the browser and hand it off
to some MS Goop(tm) for an authentication response? That would at least
take care of the
On Tue, 2006-12-12 at 05:29 +0100, Henrik Nordstrom wrote:
In theory it may be possible to use Samba ntlm_auth without an ADS
setup.
Yeah, I had wondered too if ntlm_auth could be used with Samba
configured to use either PAM locally, which would use kerberos or if
Samba had any direct