Ok, the title says it all, really.
The end goal is to implement proxy authentication for end users. Users' systems are mostly (95%) Windows-based; the proxy is a Debian Lenny machine running Squid 2.7.
I've investigated possible ways to implement it, first using the ntlm_auth helper that is shipped with Squid 2.7 in Lenny, and it fails: some users get authenticated just fine, some don't for some reason. I couldn't find a correlation. I've even inspected the actual SMB packet flow with Wireshark to no avail - it seems completely random. I've tried it on different physical machines / accounts, so that's ruled out.
Then, two possible routes are available, it seems: using winbind (with Samba) and using LDAP+Kerberos.
I am personally against using Samba because, first, it requires you to jump through certain hoops like joining the domain and so on, and second (and this is the cruncher), I don't need all the functionality offered by Samba. It is simply undesired to have all that functionality, like Windows-like shares and so on, on that machine. If I have to resort to using Samba, I would really like to use only the minimal possible subset of the features - just enough to get Samba's ntlm_auth (with winbind) to authenticate the users. Does anyone have any experience with this kind of setup?
I've read this question (not really a question :P) and I really liked what I've seen - Kerberos seems like a possible solution and the footprint is not that huge. The question is, is it possible to run this on a Windows-2000-version domain? And how is the browser support?