Squid Authentication Via NT Domain Accounts

Posted on 2002-06-18
Last Modified: 2008-02-01
I am relative newcomer to linux. I have an NT 4 based domain with squid server as a proxy to approx 500 users. I want to allow users to authenticate (hopefully) transparently to the NT4 domain so that most importantly the username will be logged to access.log and hence appear in SARG (we currently only monitor ip addresses). I am using Winbind with SAMBA and want to do something similar as i have heard this works with other services and do not want to maintain multiple account databases. Does anyone have any suggestions.
Question by:tobyk
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2

Accepted Solution

Zook earned 200 total points
ID: 7092170
You can configure the authentification plugin "smb_auth" with the squid cache:

Assuming your Squid is running, the configuration is trivial. I doesn't make sense to copy and paste the good docmentation here, so just have a look at it.

They main concept is, you have a file on your NT Server, that can only be accessed by the NTgroup that is allowed to use the Internet. smb_auth tries to access this file via the samba client. If it can you may surf.

This works fine in our network.



Author Comment

ID: 7094227
How secure is smb_auth. I heard this is really good but then when searching for setup i read this link saying it had security holes. What do you think

Expert Comment

ID: 7098491
The weekness here is, that if an attacker got hold of your proxy, smb_auth might help him get your Windows passwords. But then again - if the attacker already got hold of your proxy machine, he might plant any trojan he likes. So until you have a dedicated firewall/proxy and have regular integrity checks the risk might be tolerable => You have to know.

My Opinion, but I am far from being a security expert, if the hacker is already inside my ==> Windows <== Network "Resistance is futile", anyway ;-)


Expert Comment

ID: 9078467
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
Post your closing recommendations!  No comment means you don't care.

Author Comment

ID: 9085128
Zook thanks for your answer. This was the best idea at the time but i ended up using Winbind for this task

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question