Re: [squid-users] winbind interface

[Alex Samad]

# ###
# Negotiate
# ###

# http://wiki.squid-cache.org/Features/Authentication
# http://wiki.squid-cache.org/Features/NegotiateAuthentication
auth_param negotiate program /usr/bin/ntlm_auth
--helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
auth_param negotiate children 10 startup=0 idle=1
auth_param negotiate keep_alive on

# ###
# NTLM AUTH
# ###

# ntlm auth
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --configfile /etc/samba/smb.conf-squid
auth_param ntlm children 10
#auth_param ntlm children 10 startup=0 idle=1
#auth_param ntlm keep_alive

# ###
# NTLM over basic
# ###

# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic --configfile /etc/samba/smb.conf-squid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

On 2 September 2015 at 11:15, Amos Jeffries  wrote:
> On 2/09/2015 11:50 a.m., Alex Samad wrote:
>> Hi
>>
>> I have squid setup to use
>> NTLM and then faill back to basic.
>>
>> when it fails back to basic, my user put in
>>
>> firstname.surname@a.b.c which fails.
>>
>> if they put in firstname.surname it works
>>
>> is there some way to get squid to strip off the @<.*>
>
> That depends on which helper you are using to validate the Basic auth
> credentials. The ones which support it do so via a command line
> parameter. So check our helpers documentation to see if one exists to
> strip Kerberos/NTLM/Domain.
>
> Otherwise you can always script a helper for yourself.
>
>>
>> also is there some way to change the info in the dialogue box that pops
up
>
> The only controllable part of the popup dialog is the Realm value. Set
> by the auth_param directives "realm" parameter.
>
> IIRC the realm is usually turned into the title bar, though some
> browsers show it in quotes in the text. The form and display of the
> popup is fixed and not manipulatable by any external server for security
> reasons that should be obvious.
>
> Amos
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] winbind interface

[Alex Samad]

Hi

I have squid setup to use
NTLM and then faill back to basic.

when it fails back to basic, my user put in

firstname.surname@a.b.c  which fails.

if they put in firstname.surname it works

is there some way to get squid to strip off the @<.*>

also is there some way to change the info in the dialogue box that pops up
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] winbind interface

[Amos Jeffries]

On 2/09/2015 11:50 a.m., Alex Samad wrote:
> Hi
> 
> I have squid setup to use
> NTLM and then faill back to basic.
> 
> when it fails back to basic, my user put in
> 
> firstname.surname@a.b.c  which fails.
> 
> if they put in firstname.surname it works
> 
> is there some way to get squid to strip off the @<.*>

That depends on which helper you are using to validate the Basic auth
credentials. The ones which support it do so via a command line
parameter. So check our helpers documentation to see if one exists to
strip Kerberos/NTLM/Domain.

Otherwise you can always script a helper for yourself.

> 
> also is there some way to change the info in the dialogue box that pops up

The only controllable part of the popup dialog is the Realm value. Set
by the auth_param directives "realm" parameter.

IIRC the realm is usually turned into the title bar, though some
browsers show it in quotes in the text. The form and display of the
popup is fixed and not manipulatable by any external server for security
reasons that should be obvious.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users