Brian J. Murrell
2013-Dec-22 16:23 UTC
[Samba] minimum Samba configuration for ntlm_auth SSP with existing Kerberos
I have a network with Kerberos and Squid. My Linux users use Kerberos to authenticate to the KDC and then use Negotiate to use their Kerberos tickets with Squid. LDAP is used for NSS. PAM is also configured to authenticate to Kerberos for services that can't use GSSAPI directly.

Enter the Windows 8 user. I have a new user with Windows 8 that needs to use Squid also. It seems that because my Squid offers Negotiate as a valid authentication protocol, the Windows 8 machine wants to use NTLM[SSP] to authenticate with Squid.

I'm wondering what's the minimum configuration I need in Samba to allow this to work. I don't really have any need or desire for full domain services here. I don't want access to this Windows machine by its owner to be controlled/authenticated by my infrastructure (so joining it to a domain is not appropriate). I simply want to have this Windows 8 user authenticate using his existing Kerberos account to use Squid while in my network.

I've been reading a lot of the documentation on Samba and there seems to be lots of different configurations but most of them seem to be geared towards joining Samba to existing domains or configurations where more than simply needing "ntlm_auth --helper-protocol=squid-2.5-ntlmssp" services are desired (i.e. file sharing, printing, etc.)

I'm happy to be pointed at any documents or write-ups to read and learn more. I'm just not sure of what in the multitude of configuration documentation out there is appropriate for my needs.

Cheers,
b.