FW: [jcifs] NTLM authentication

Giampaolo Tomassoni Giampaolo at Tomassoni.biz
Fri Apr 24 18:16:44 GMT 2009


> -----Original Message-----
> From: jcifs-bounces+giampaolo=tomassoni.biz at lists.samba.org
> [mailto:jcifs-bounces+giampaolo=tomassoni.biz at lists.samba.org] On
> Behalf Of Michael B Allen
> Sent: Friday, April 24, 2009 7:28 PM
> To: Giampaolo Tomassoni
> Cc: jcifs at lists.samba.org
> Subject: Re: FW: [jcifs] NTLM authentication
> 
> ...omitted...
> 
> Very interesting.
> 
> So is anyone even really using NTLM proxy authentication?

Yes, they are: squid can adopt NTLM to authenticate proxy users.

In the full-fledged config, you usually run winbind on the same server
hosting squid, and configure squid to use the wb_ntlmauth application (an
external squid helper devoted to this).


> Does Squid even support NTLMv2? I would imagine it cannot unless it
> interfaced with Samba.

My last experience (which was two years ago in migrating the old MS Proxy to
squid ;) ), says "no: only NTLMv1".

I see, however, that some development has been done in this area so I'm not
sure about this.


> It sounds like NTLM proxy authentication is not as common as I first
> thought.

Well, I think that most of the companies running a proxy use NTLM
authentication. The fact is that web proxies are not that common. There are
many reasons, among which is the fact that a proxy is one more thing to
maintain and tune in a company. You really need to have your systems as safe
as possible: actually most of the appeal of a web proxy is to prevent people
in a company from accidentally downloading stuff which could hurt the whole
network. Then management also likes the fact that they can control the time
people can freely surf and can even limit surfing of sites not related to
work. Finally they like the fact that they can track the sites visited by
people, as a further way to know what happened when a virus eventually
entered the network (and possibly yelling at those responsible). Please
note that occasionally people don't like to have a proxy and can manage to
dismiss it. This is due to the fact that many sites play (accidentally)
dirty through a proxy and to the fact that most of the time management likes
to enforce high security levels in jscripts and the like, often resulting in
a frustrating user experience on the sites people so smoothly access from
home. I think that if the company installing the proxy doesn't really know
what they want to do with it, they'll dismiss it in a couple of months...

Transparent web proxy caching was probably used by some small providers, but
it used not to be authenticated and actually most internet traffic is due
to p2p, not http...

In summary, few companies work on web proxies because there is a limited
market need and you need to have the right channels to enter into it:
proxy-demanding orgs are mostly medium and big ones...

Giampaolo

> Mike
> 
> --
> Michael B Allen
> Java Active Directory Integration
> http://www.ioplex.com/


