[squid-users] [Samba] Two questions about cache for squid authentication
L.P.H. van Belle
belle at bazuin.nl
Tue Aug 17 09:11:54 UTC 2021
>
> Small Addon here.
>
> NTLM V1 and V2..
> Most still use NTLMv1, but that's being disabled in Windows
> and Samba these days.
>
>
> To make sure you do use NTLMv2.
> With Samba 4.2.x and up, use the following setting on the
> Squid and/or Freeradius
> and on all the Samba AD-DC's and involved members that use ntlm_auth
>
> For example:
> Add to the [global] section of smb.conf
>
> ntlm auth = mschapv2-and-ntlmv2-only
>
> And add in the client commands: "/path/to/ntlm_auth --allow-mschapv2"
>
> But personally, I would recommend moving to Kerberos auth.
>
> Greetz,
>
> Louis
>
>
>
> > -----Original message-----
> > From: squid-users
> > [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
> > Amos Jeffries
> > Sent: Tuesday 17 August 2021 9:40
> > To: squid-users at lists.squid-cache.org
> > Subject: Re: [squid-users] Two questions about cache for
> > squid authentication
> >
> > On 17/08/21 6:25 pm, ?????? wrote:
> > > Dear all,
> > >
> > > I have two questions about cache for squid authentication.
> > >
> > > 1. Can I skip authentication for a certain period of time after I've
> > > authenticated once?
> > >
> > > When I do the following, the authentication screen appears.
> > >
> > > Start browser -> access site after authentication (Kerberos
> > > authentication) -> close browser -> start another application (LDAP
> > > authentication)
> > >
> >
> > Negotiate/Kerberos authentication authenticates the TCP connection. All
> > messages on that connection require the Kerberos tokens to prove it is
> > valid on that connection.
> >
> >
> > > So, even using Kerberos and LDAP auth at the same time, I want to skip
> > > the authentication process by clientIPaddress, etc.
> > >
> >
> > This is authorization *not* authentication.
> >
> >
> > > 2. About authentication data passing in NTLM authentication on website.
> > >
> >
> > NTLM, just like Negotiate/Kerberos authenticates the TCP connection and
> > requires all messages to have the appropriate tokens.
> >
> >
> > > SingleSignOn is not working for some sites with NTLM authentication.
> > >
> >
> > That is a Browser issue. "single sign-on" is a behaviour of clients,
> > where they choose to send the same credentials to all services. It has
> > nothing to do with the service like Squid.
> >
> >
> > > For example, when the authentication pop-up message appears, you can
> > > enter the auth information to access the page, but if you visit a
> > > different URL, you will be prompted to authenticate again.
> > >
> > > Can someone give me some advice?
> > >
> >
> > The client doing that is broken or confused.
> >
> > Maybe the confusion happened because of your mixed up squid config
> > rules. Or maybe not. You have not provided any information about your
> > squid.conf, network topology, or how the clients are using the proxy -
> > so we cannot tell.
> >
> > Amos
>
>
>
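
The `ntlm auth` setting and the `--allow-mschapv2` helper option recommended in the message above can be checked mechanically on each host. The following is an added example, not part of the original thread and not Samba or Squid code; the function names and the sample configuration text are constructed for illustration, and `include` files are not followed.

```python
import re
import shlex

# Documented values of the smb.conf "ntlm auth" parameter.
ALLOWS_NTLMV1 = {"ntlmv1-permitted", "yes"}
REFUSES_NTLMV1 = {"mschapv2-and-ntlmv2-only", "ntlmv2-only", "no", "disabled"}

def _norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def ntlm_auth_setting(conf_text):
    """Return the last [global] 'ntlm auth' value in conf_text, or None."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = line.split("=", 1)
            if _norm(key) == "ntlmauth":
                value = val.strip().lower()  # a later line overrides an earlier one
    return value

def audit(conf_text):
    """Classify a config as unset / ntlmv1-allowed / ntlmv1-refused / unknown."""
    value = ntlm_auth_setting(conf_text)
    if value is None:
        return "unset"                       # effective default depends on the Samba version
    if value in ALLOWS_NTLMV1:
        return "ntlmv1-allowed"
    return "ntlmv1-refused" if value in REFUSES_NTLMV1 else "unknown"

def helper_allows_mschapv2(command_line):
    """True if an ntlm_auth helper command line carries --allow-mschapv2."""
    return "--allow-mschapv2" in shlex.split(command_line)

# Constructed sample inputs (not taken from any real host).
SAMPLE_WEAK = "[global]\n  workgroup = EXAMPLE\n  NTLM Auth = ntlmv1-permitted\n"
SAMPLE_HARDENED = ("[global]\n  ; ntlm auth = yes\n"
                   "  ntlm auth = mschapv2-and-ntlmv2-only\n"
                   "[share]\n  ntlm auth = yes\n")

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(text))
```

A result of `unset` or `unknown` should be confirmed against the running Samba version, since this parser only reads the text it is given.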