The squid has been compiled with the kerberos support and samba 3
(latest version) is used as an external authenticator. You can find in
this link a configuration similar to myne (this link if for gentoo, but
I hope that you will not have problem to compile or configure it. If you
got one, just write me directly): http://mkeadle.org/?p=13
For your test you can also use your isa server, but the domain in NTLM
packets must be set.
The faster way that I have identified to resolve this problem is modify
the code of the function ntlm_phase_3 adding a search of "\" in the
username and if exist set the first part of the username to domain and
the second part as the username. In this way you will not have to modify
the proxy data structure and also you will fix the problem under a
authenticator with multiple domains.
For the first problem exposed the faster way if just add a connection
keep alive, the second it's add to the proxy routines to undestand if
the connection has been closed and in this case open a newone.
Thank you for the faster reply.
inode
William Preston wrote:
On Tuesday 28 March 2006 16:49, inode wrote:
I'm doing some test with openvpn, and I saw some problem using NTLM auth
proxy.
I tested the software on a ISA server and all work fine, the problem is
using a squid proxy with NTLM.
I only tested NTLM against Microsoft ISA Server.
- NTLM domain, actualy on openvpn config file the user can't set the
domain of the credentials sent to the proxy. An Microsoft ISA server
will have a "default domain" to try the authentication, but that doesn't
mean that "default domain" will be the right one... Also on squid the
domain is required and a null domain will be refused.
OK, fair enough :-)
can you let me know exactly how you compiled the NTLM support into
Squid so that I can reproduce this. Are you linking against SaMBa - and if
so then which version?
thanks,
William
