[Samba] [squid-users] Two questions about cache for squid authentication

L.P.H. van Belle belle at bazuin.nl
Tue Aug 17 08:49:53 UTC 2021


Small addon here.

NTLM v1 and v2..
Most still use NTLMv1, but that's being disabled in Windows and Samba these days.


To make sure you do use NTLMv2:
With Samba 4.2.x and up, use the following setting on the Squid and/or FreeRADIUS server
and on all the Samba AD DCs and involved members that use ntlm_auth.

For example:
Add to the [global] section of smb.conf

ntlm auth = mschapv2-and-ntlmv2-only

And add to the client commands: "/path/to/ntlm_auth --allow-mschapv2"

But personally I would recommend moving to Kerberos auth.

Greetz, 

Louis


> -----Original message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Amos Jeffries
> Sent: Tuesday 17 August 2021 9:40
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Two questions about cache for squid authentication
> 
> On 17/08/21 6:25 pm, ?????? wrote:
> > Dear all,
> > 
> > I have two questions about cache for squid authentication.
> > 
> > 1. Can I skip authentication for a certain period of time after I've
> > authenticated once?
> > 
> > When I do the following, the authentication screen appears.
> > 
> > Start browser -> access site after authentication (Kerberos 
> > authentication) -> close browser -> start another application (LDAP 
> > authentication)
> > 
> 
> Negotiate/Kerberos authentication authenticates the TCP connection. All
> messages on that connection require the Kerberos tokens to prove it is
> valid on that connection.
> 
> 
> > So, even using Kerberos and LDAP auth at the same time, I want to skip
> > the authentication process by clientIPaddress, etc.
> > 
> 
> This is authorization *not* authentication.
> 
> 
> > 2. About authentication data passing in NTLM authentication on website.
> > 
> 
> NTLM, just like Negotiate/Kerberos, authenticates the TCP connection and
> requires all messages to have the appropriate tokens.
> 
> 
> > SingleSignOn is not working for some sites with NTLM authentication.
> > 
> 
> That is a Browser issue. "single sign-on" is a behaviour of clients,
> where they choose to send the same credentials to all services. It has
> nothing to do with the service like Squid.
> 
> 
> > For example, when the authentication pop-up message appears, you can
> > enter the auth information to access the page, but if you visit a
> > different URL, you will be prompted to authenticate again.
> > 
> > Can someone give me some advice?
> > 
> 
> The client doing that is broken or confused.
> 
> Maybe the confusion happened because of your mixed up squid config
> rules. Or maybe not. You have not provided any information about your
> squid.conf, network topology, or how the clients are using the proxy -
> so we cannot tell.
> 
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 
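The smb.conf setting Louis describes is easy to set and easy to forget on one of the many hosts that run ntlm_auth. The script below is an added example (not part of the mailing-list post and not Samba's own tooling) that reads the [global] section of a given smb.conf and reports whether its `ntlm auth` value still permits NTLMv1. It assumes only POSIX sh and awk; the accepted value names come from Samba's smb.conf(5) manual, and the sample configurations it writes to a scratch directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from Louis's post or from Samba itself: audit the
# "ntlm auth" setting in an smb.conf [global] section so you can see
# whether a host still permits NTLMv1. Assumes only POSIX sh and awk.
# The accepted value names are taken from Samba's smb.conf(5) manual.

# Print the "ntlm auth" value set in the [global] section of the
# smb.conf given as $1 (lower-cased, last occurrence wins), or "unset".
smb_ntlm_auth_value() {
    awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^[;#]/ { next }            # blank lines and comments
        line ~ /^\[/ { in_global = (line ~ /^\[global\]/); next }
        in_global && line ~ /^ntlm[ \t]*auth[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "", line)               # keep only the value
            sub(/[ \t]+$/, "", line)
            val = line
        }
        END { if (val == "") val = "unset"; print val }
    ' "$1"
}

# Classify the setting. "ntlmv1-permitted" (older spelling: "yes") still
# allows NTLMv1; "ntlmv2-only" and "mschapv2-and-ntlmv2-only" refuse it;
# "disabled" turns NTLM off entirely. When the parameter is absent the
# default depends on the Samba version (NTLMv2-only from 4.5 onwards,
# NTLMv1 permitted before that), so that case is flagged separately.
smb_ntlmv1_status() {
    case "$(smb_ntlm_auth_value "$1")" in
        ntlmv1-permitted|yes|true|1)                     echo "ntlmv1-permitted" ;;
        ntlmv2-only|mschapv2-and-ntlmv2-only|no|false|0) echo "ntlmv2-only" ;;
        disabled)                                        echo "ntlm-disabled" ;;
        unset)                                           echo "version-dependent" ;;
        *)                                               echo "unknown" ;;
    esac
}

# Constructed sample configurations (not real hosts) in a scratch directory.
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   ; constructed sample: NTLMv1 still accepted
   ntlm auth = ntlmv1-permitted

[homes]
   ; ntlm auth is a [global] parameter; this copy must be ignored
   ntlm auth = mschapv2-and-ntlmv2-only
EOF

cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   # mixed case on purpose: smb.conf parameter names are case-insensitive
   NTLM Auth = mschapv2-and-ntlmv2-only
EOF

cat > "$SAMPLE_DIR/unset.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
EOF

# Print one report line per sample file.
smb_ntlm_report() {
    for f in "$SAMPLE_DIR"/*.conf; do
        printf '%-14s ntlm auth = %-26s -> %s\n' \
            "$(basename "$f")" "$(smb_ntlm_auth_value "$f")" "$(smb_ntlmv1_status "$f")"
    done
}

smb_ntlm_report
```

Point `smb_ntlm_auth_value` at /etc/samba/smb.conf on each Squid, FreeRADIUS and AD DC host to confirm the setting actually landed in [global]; a `version-dependent` result on an older Samba is the case to chase, since there the absent parameter defaults to permitting NTLMv1.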
