Re: [squid-users] Squid-Samba Question

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Sun, 11 Dec 2005 20:20:54 +0100

Hi,

At 19.35 11/12/2005, Mike Diggins wrote:
>Active Directory. So I guess I should change the security parameter to ads?

>>> password server = as6.ad.McMaster.CA, as7.ad.mcmaster.ca
>>
>>This should never be needed: usually Samba finds the right DC by itself.
>
>Okay, so I can remove this line completely?

Yes, it SHOULD not be needed.

From the smb.conf of one of my development machines:

         workgroup = ACMECONSULTING
         realm = ACMECONSULTING.LOC
         security = ADS

I don't have any "password server" directive; all operations are done
using DNS, and the machine is in a remote site without a DC, connected to
my main office over a VPN.

ACMECONSULTING is the NetBIOS name of the domain, ACMECONSULTING.LOC
is the Kerberos realm of the domain (= Active Directory domain name).
For more details see:
http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member

>No, I don't have that line in my squid config. Are you saying I
>should have it?

Using NTLM Negotiate allows better use of the NTLM protocol.

> What does it do?

From squid.conf.default:
# "use_ntlm_negotiate" on|off
# Enables support for NTLM NEGOTIATE packet exchanges with the helper.
# The configured ntlm authenticator must be able to handle NTLM
# NEGOTIATE packet. See the authenticator programs documentation if
# unsure. ntlm_auth from Samba-3.0.2 or later supports the use of this
# option.
# The NEGOTIATE packet is required to support NTLMv2 and a
# number of other negotiable NTLMSSP options, and also makes it
# more likely the negotiation is successful. Enabling this parameter
# will also solve problems encountered when NT domain policies
# restrict users to access only certain workstations. When this is off,
# all users must be allowed to log on the proxy servers too, or they'll
# get "invalid workstation" errors - and access denied - when trying to
# use Squid's services.
# Use of ntlm NEGOTIATE is incompatible with challenge reuse, so
# enabling this parameter will OVERRIDE the max_challenge_reuses and
# max_challenge_lifetime parameters and set them to 0.
# auth_param ntlm use_ntlm_negotiate off

For more details see:
http://davenport.sourceforge.net/ntlm.html

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Sun Dec 11 2005 - 12:20:57 MST
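As an added example (not from Guido's message, nor from the Samba or Squid projects), here is how the two settings discussed in the thread fit together in smb.conf and squid.conf on a Squid box joined to an AD domain; the domain name, realm and ntlm_auth path are placeholders.

```ini
# --- smb.conf (Samba 3.0.2 or later) ---
[global]
        # NetBIOS name of the domain and its Kerberos realm (= AD domain name).
        # Placeholder values: substitute your own domain's.
        workgroup = EXAMPLE
        realm = EXAMPLE.LOCAL
        # Join as an AD member. The DCs are located through DNS, so no
        # "password server = ..." line is needed, even from a remote site over a VPN.
        security = ADS

# --- squid.conf ---
# ntlm_auth speaks the Squid 2.5 NTLMSSP helper protocol; the path is an assumption.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
# The default is "off": Squid then skips the NEGOTIATE packet, so NTLMv2 and the
# other negotiable NTLMSSP options are unavailable, and users whose domain policy
# restricts them to specific workstations get "invalid workstation" errors.
# Turning it on also disables challenge reuse (max_challenge_reuses and
# max_challenge_lifetime are forced to 0 by Squid).
auth_param ntlm use_ntlm_negotiate on

# Require a successful proxy login before allowing access.
acl AuthUsers proxy_auth REQUIRED
http_access allow AuthUsers
http_access deny all
```

ntlm_auth hands the NTLM exchange to winbindd, so winbindd must be running on the Squid host and the Squid user needs read access to winbindd's privileged pipe directory.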