Transparent Squid Proxy with Samba 3 NTLM_AUTH and multiple domain controllers

Dave Augustus davea at support.kcm.org
Wed Dec 31 12:52:44 GMT 2003


OK Now I am confused....

We use wpad.
We use the DHCP method of making client machines proxy-aware.
We set IE to automatically detect proxy settings.
We use ntlm_auth within squid for logging of NT Domain usernames/web
traffic.

Is this a transparent proxy?

--Dave

On Wed, 2003-12-31 at 00:47, Andrew Bartlett wrote:
> On Wed, Dec 31, 2003 at 11:08:30AM -0600, Ed Plese wrote:
> > > We are using Squid in a transparent proxy fashion for logging. This
> > > setup works great in every fashion except its transparency. (yuck!!)
> > > 
> > > Problem: Occasionally (like once every 4 hours), a Windows client user
> > > will call help desk saying "Internet Explorer" is asking for my
> > > username/password/domain to access a web page.
> > 
> > I'll say right away that I've never tried transparent proxying with squid
> > along with NTLM authentication.  The reason for this is that everything I've
> > read sternly indicates that transparent proxying with squid does not work
> > with proxy_auth.
> > 
> > 
> > From the squid FAQ:
> > (http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.15)
> > 
> > 17.15 Can I use proxy_auth with interception?
> > 
> > No, you cannot. With interception proxying, the client thinks it is talking
> > to an origin server and would never send the Proxy-authorization request
> > header. 
> > 
> > 
> > From squid.conf:
> > # WARNING: proxy_auth can't be used in a transparent proxy. It
> > # collides with any authentication done by origin servers. It may
> > # seem like it works at first, but it doesn't.
> > 
> > 
> > Unless somehow ntlm_auth doesn't count as proxy_auth then what you're trying
> > to do is not possible with squid.  Someone please correct me if I'm wrong
> > here because squid and samba work great together and I'd love to see this work
> > transparently.
> 
> You are 100% correct.  I was thinking about 'transparent'
> authentication, i.e. see no boxes stuff.  The only way to get close to
> 'transparent proxying' is to set up WPAD and automatic proxy
> configuration scripts.  This allows users to select 'automatically
> detect' proxy settings, which alongside a good firewall, or even a
> redirection to an 'instructions' page should do the trick.
> 
> Andrew Bartlett
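
A sketch of the automatic proxy configuration script that the WPAD approach in this thread relies on, added here as an example and not taken from any poster's setup. The proxy host, port and intranet suffix are constructed placeholders.

```javascript
// wpad.dat / proxy.pac, served as application/x-ns-proxy-autoconfig.
// Constructed values (assumptions, not from the thread):
var PROXY = "PROXY proxy.example.internal:3128"; // explicit Squid listener
var INTERNAL_SUFFIX = ".example.internal";       // intranet DNS suffix

// True when host ends with suffix (ES3-safe; PAC engines can be old).
function endsWith(host, suffix) {
  var i = host.length - suffix.length;
  return i >= 0 && host.lastIndexOf(suffix) === i;
}

// True for dotted-quad literals in loopback or RFC 1918 ranges.
function isPrivateLiteral(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label intranet names bypass the proxy; IPv6 literals contain
  // ":" and no ".", so exclude them from this rule.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";
  if (endsWith(host, INTERNAL_SUFFIX)) return "DIRECT";
  if (isPrivateLiteral(host)) return "DIRECT";
  // Everything else goes to the proxy explicitly, so the browser knows it
  // is talking to a proxy and answers a 407 with Proxy-Authorization
  // (NTLM) instead of treating the challenge as an origin-server login.
  // No "; DIRECT" fallback: a proxy outage must not become an unlogged,
  // unauthenticated path (the firewall enforces the same rule).
  return PROXY;
}
```

Suffix matching is anchored at the end of the host name, so a look-alike such as example.internal.attacker.test is still sent through the authenticated proxy.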


