Re: Squid, Windows clients, RFC931, oh my.
On Wed, 2002-06-05 at 14:34, Peter Whysall wrote:
> Here's the scenario.
>
> I have a Woody box running the Squid web proxy server, with the
> oh-so-nifty Squidalyser log analyser doohickey and it's working fine,
> serving Windows clients. The Boss is pleased.
>
> However there's a small fly in the ointment. Squid can look up RFC931
> idents from clients. Squid can, with the aid of the smb_auth module
> (which is included in the Debian package) authenticate against a Windows
> PDC.
>
> I really really want to tie these two together. I want Squid to do Samba
> magic to get the username - or at a stretch, the NETBios name of the
> client box - and stuff it in the logs.
>
> I know there is a freeware ident server for Windows, and I know it works.
>
> What I'm trying to avoid is installing something on the thick end of 200
> boxes just to get a username out.
>
> I've Googled. I've read the RFC. I'm all searched out. I can't find
> anything about this - but I have a sneaking suspicion that someone, out
> there, has already met this problem and has dealt with it with more
> fortitude than I.
>
What you want is NTLM authentication. Unfortunately the current stable
version of squid does not have support for it.
I have built a squid 2.5pre5 .deb(binary) package with NTLM support that
has been the proxy for ~150 users in my company for a few months now.
If you want, I can send it to you, or you can compile from source
yourself. there are a few caveats like making sure to set the correct
location for nmbclient in the SMB auth helpers makefile. These are the
config options I use:
--prefix=/usr --datadir=/usr/lib/squid --libexecdir=/usr/lib/squid
--mandir=/usr/share/man --infodir=/usr/share/man --sysconfdir=/etc/squid
'--enable-auth=ntlm basic' '--enable-basic-auth-helpers=SMB PAM MSNT'
'--enable-ntlm-auth-helpers=NTLMSSP fakeauth no_check'
I also have a shell script that pulls down the members of my NT domain
groups once an hour and dumps the user names into a usable-by-squid text
file if you care to look at it.
Hope that helps,
-Mark
--
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: