On Thu, 7 Oct 2004 03:14 pm, Dean Hamstead wrote:
> it's pretty straightforward, just follow the doco
>
> you can either have full on transparent authentication
> against windows or you can prompt through the browser
> for username and password (coming from windows)
>
> whichever suits your needs.
>
> Dean

For the OP, "transparent authentication" and "transparent proxy" are two very different and conflicting terms; they are mutually exclusive.

transparent authentication: read "NTLM Authentication". This works via the magic of Samba and winbind and is VERY well documented in the Squid FAQs. If you go through it all step-by-step, it "Just Works" (tm). It's even easier now with Samba 3, compared to the earlier Samba versions (2.2 et al).

transparent proxy: means all your outgoing port 80/443 requests are transparently redirected to the proxy irrespective of the users' proxy configuration. This is usually done at the perimeter router/firewall using iptables and destination NAT (or similar).

Whilst transparent proxying sounds attractive you CANNOT use this AND authentication at the same time. Think about it; if you were connecting to "www.foo.com" and got prompted for authentication credentials from something other than "www.foo.com" when you weren't expecting it, it would be considered a "man-in-the-middle" type attack. However, if your browser is expecting a proxy authentication challenge (by being configured to use a proxy) then it's all good.

NTLM authentication only works on Windows and only with IE. All other OS/Browser combinations use "basic" authentication - which means the users will be prompted for a user-id+password. This is a protocol level restriction and comes up regularly on the squid users list.

BTW, if you're using "basic" authentication in an Active Directory environment, the users will need to use "DOMAIN\userid" and their AD password. IE will usually present a "triple" dialogue box for userid, domain and password.

You can configure squid to use BOTH NTLM and basic authentication at the same time; that way IE users will be authenticated transparently, with all other users (with REAL browsers) entering DOMAIN\userid+password.

E-mail me off list if you want some help with the fine tuning :) I am the proxy admin for our company - we use FreeBSD+Squid+Samba to authenticate back to the Active Directory... but the squid+samba configs are almost identical regardless of OS :)

Cheers,

James
--
Man is the only animal that can remain on friendly terms with the victims he intends to eat until he eats them.
-- Samuel Butler

-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
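
An added example, not part of the original e-mail and not the poster's own configuration: a squid.conf fragment for the combined NTLM and basic setup described in the message. It assumes Samba 3's ntlm_auth helper at /usr/bin/ntlm_auth, a host already joined to the domain with winbindd running, and listening port 3128; the child counts and realm text are likewise assumed values.

```conf
# squid.conf fragment (added example; paths, port and counts are assumptions)

# Schemes are offered to the browser in the order they are listed here.
# NTLM first: a browser that supports it authenticates without prompting.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

# Basic second: browsers without NTLM support prompt the user, who enters
# DOMAIN\userid and the AD password. Basic credentials are only base64
# encoded, so they cross the client-to-proxy link readable by anyone who
# can capture that traffic.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Require a successful login before any request is served.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# Plain forward-proxy port. Browsers must be configured to use it so that
# they expect the proxy's authentication challenge; traffic redirected here
# by destination NAT cannot be authenticated, as the message explains.
http_port 3128
```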