On Mon, 2003-03-17 at 17:23, Kevin Saenz wrote:
> > I'm trialling using smb_auth for access to our squid proxy.
> > 
> 
> I guess that is good for a small network. What happens when the
> network grows to a larger size and fixing acls for each user
> in squid becomes a pain in the proverbial? But I can see an
> upside, given that authentication through smb would be completely
> transparent, unlike ldap authentication with squid.

smb != NTLM.
smb is a 'basic' scheme auth helper for squid.
You are referring to 'ntlm' scheme auth helpers, of which the samba
winbind one is one.

> > I'm using transparent proxying with squid, however I've found that this 
> > won't allow access to permitted users, and I have to point the browser at 
> > the proxy manually.
> > 
> Didn't someone previously post how much of a bad idea transparent
> proxying is in the real world? (By redirecting port 80 to squid's ports)

That would be me.

> 
> > Is there a way to make smb_auth work with squid and transparent proxying?
> > 
> Obviously, to authenticate with smb you must allow smb protocols
> to your squid server.

Yep. I'll enlarge on this, the canonical answer:

When a client has its TCP session hijacked, the only http
authentication it will do is server-authentication (prompted for by a
401 return code).

If the hijacking proxy uses that to force authentication, it will
a) need to do it for every different website browsed too,
b) break any website that uses authentication.

Thus, to get authentication working on your local proxy, you MUST NOT
use tcp hijacking.

There is an even more substantial answer in the archives a few weeks
back.

Rob

-- 
GPG key available at: <http://users.bigpond.net.au/robertc/keys.txt>.
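
A configuration check for the rule stated in the message above, as an added example that is not part of the original message or of Squid itself: it scans a squid.conf for `http_access` rules that rely on a `proxy_auth` ACL while the proxy is also set up for interception. The interception markers (the `transparent`/`intercept`/`tproxy` flags on `http_port`, and `httpd_accel_uses_host_header on` for Squid 2.5-style setups) are a heuristic chosen for this example, and the sample configuration, domain name and helper path are constructed.

```python
# Added example: flag squid.conf files that combine interception with proxy_auth.
# Heuristic markers for interception mode (an assumption of this example).
INTERCEPT_PORT_FLAGS = {"transparent", "intercept", "tproxy"}

# Constructed sample: Squid 2.5-style interception plus a basic auth helper.
SAMPLE_CONF = """
# constructed sample configuration
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
auth_param basic program /usr/local/bin/smb_auth -W EXAMPLEDOM
acl staff proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
http_access allow staff
http_access deny all
"""

def directives(conf_text):
    """Yield (line_number, tokens) for each non-blank, non-comment line."""
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line.split()

def lint(conf_text):
    """Return [(http_access_line, acl_name, interception_line), ...]."""
    intercept_lines, auth_acls, access_rules = [], {}, []
    for n, tok in directives(conf_text):
        name, args = tok[0].lower(), tok[1:]
        if name == "http_port" and INTERCEPT_PORT_FLAGS & {a.lower() for a in args[1:]}:
            intercept_lines.append(n)
        elif name == "httpd_accel_uses_host_header" and args[:1] == ["on"]:
            intercept_lines.append(n)
        elif name == "acl" and len(args) >= 2 and args[1] in ("proxy_auth", "proxy_auth_regex"):
            auth_acls[args[0]] = n
        elif name == "http_access":
            access_rules.append((n, args))
    if not intercept_lines:
        return []  # ordinary forward proxy: 407 challenges work as intended
    findings = []
    for n, args in access_rules:
        for acl in (a.lstrip("!") for a in args[1:]):
            if acl in auth_acls:
                findings.append((n, acl, intercept_lines[0]))
    return findings

if __name__ == "__main__":
    for rule_line, acl, icpt_line in lint(SAMPLE_CONF):
        print(f"line {rule_line}: http_access uses proxy_auth ACL '{acl}' "
              f"but interception is enabled at line {icpt_line}")
```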
