On Thu, 7 Oct 2004 03:14 pm, Dean Hamstead wrote:
> It's pretty straightforward, just follow the doco
>
> you can either have full on transparent authentication
> against windows or you can prompt through the browser
> for username and password (coming from windows)
>
> which ever suits your needs.
>
> Dean

For the OP, "transparent authentication" and "transparent proxy" are two 
very different and conflicting terms; they are mutually exclusive.

transparent authentication: read "NTLM Authentication".  This works via the 
magic of Samba and winbind and is VERY well documented in the Squid FAQs.  
If you go through it all step-by-step, it "Just Works" (tm).  It's even 
easier now with Samba 3, compared to the earlier Samba versions (2.2 et 
al).

transparent proxy: means all your outgoing port 80/443 requests are 
transparently redirected to the proxy irrespective of the users' proxy 
configuration.  This is usually done at the perimeter router/firewall using 
iptables and destination NAT (or similar).

Whilst transparent proxying sounds attractive, you CANNOT use this AND 
authentication at the same time.  Think about it; if you were connecting to 
"www.foo.com" and got prompted for authentication credentials from 
something other than "www.foo.com" when you weren't expecting it, it would 
be considered a "man-in-the-middle" type attack.  However, if your browser 
is expecting a proxy authentication challenge (by being configured to use a 
proxy) then it's all good.  NTLM authentication only works on Windows and 
only with IE.  All other OS/Browser combinations use "basic" authentication 
- which means the users will be prompted for a user-id+password.  This is a 
protocol level restriction and comes up regularly on the squid users list.

BTW, if you're using "basic" authentication in an Active Directory 
environment, the users will need to use "DOMAIN\userid" and their AD 
password.  IE will usually present a "triple" dialogue box for userid, 
domain and password.  You can configure squid to use BOTH NTLM and basic 
authentication at the same time; that way IE users will be authenticated 
transparently, with all other users (with REAL browsers) entering 
DOMAIN\userid+password.

E-mail me off list if you want some help with the fine tuning :) I am the 
proxy admin for our company - we use FreeBSD+Squid+Samba to 
authenticate back to the Active Directory... but the squid+samba configs 
are almost identical regardless of OS :)

Cheers,

James
-- 
Man is the only animal that can remain on friendly terms with the
victims he intends to eat until he eats them.
                -- Samuel Butler
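Added example, not part of James's mail or the SLUG archive: a squid.conf fragment showing the "BOTH NTLM and basic" arrangement described above, using the Samba 3 ntlm_auth helper for both schemes, with the proxy listening on a plain (non-intercepting) port so that browsers expect the 407 proxy challenge. The helper path /usr/local/bin/ntlm_auth (a FreeBSD ports location), the port number, and the child counts are assumptions; the directive names are those of Squid 2.5 and Samba 3.

```conf
# --- Assumed paths/values: adjust for your install (added example, not from the list post) ---

# Plain proxy port: browsers must be configured to use this proxy explicitly.
# No httpd_accel_* / interception directives here, because an intercepted client
# would receive an auth challenge it did not expect (the MITM-style problem above).
http_port 3128

# NTLM first: IE negotiates this transparently against the domain via winbind.
# The helper needs read access to the winbindd_privileged pipe (squid user in that group).
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

# Basic second: everything that is not IE/Windows falls through to this and
# gets a username/password prompt; users enter DOMAIN\userid and their AD password.
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Company Web Proxy (DOMAIN\userid)
auth_param basic credentialsttl 2 hours

# Require a successful login from either helper before allowing traffic out.
acl AuthenticatedUsers proxy_auth REQUIRED
http_access allow AuthenticatedUsers
http_access deny all
```

Squid offers the schemes in the order the auth_param lines appear, so NTLM is listed before basic; listing basic first would make IE downgrade to a password prompt. Before pointing browsers at it, `wbinfo -t` confirms the winbind trust with the domain, and `ntlm_auth --username=DOMAIN\\user` (it prompts for the password) confirms the helper can validate a real account; if either fails, no amount of squid.conf tuning will help.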

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html