Re: [SQU] automatic smb_auth

From: Robert Collins <[email protected]>
Date: Wed, 20 Sep 2000 09:43:37 +1100

Thomas,
    please keep replies cc:d to the list. Thanks.

Are you looking in "ntlm_auth_modules" or "auth_modules"? See "1. key changes
to squid" below.

Rob

----- Original Message -----
From: <thomas@tomys.de>
To: "Robert Collins" <robert.collins@itdomain.com.au>
Sent: Wednesday, September 20, 2000 6:04 AM
Subject: Re: [SQU] automatic smb_auth

> Hello,
>
> Sorry, but I cannot find the ntlm-auth source code. I downloaded the
> CVS tree and some source packages. There are only
> auth_modules/multi-domain-NTLM/smb_auth.pl
>
> Please tell me where I can find the ntlm source.
>
> cu
> Thomas
>
> > Well it's not well documented yet... but here's a quick list of things to
> > do & notes about ntlm auth.
> > Hey kinkie have I missed anything drastic? I might turn this list into the
> > start of our HOW-TO ...
> >
> >
> > 0. background
> > - within HTTP there are three common authentication types: BASIC,
> > DIGEST, NTLM. Of these only BASIC and DIGEST are official
> > http authentication protocols. Basic authentication is clear text. Digest
> > uses a challenge-response format, as does NTLM.
> > - Challenge-response helpers in squid cannot be tested from the command-line
> > for two reasons. One: the helper needs the base64 data
> > from the client to correctly interpret and verify the authentication request.
> > Two: the authentication requests are stateful, so you need to
> > generate the correct response to the 1st result the helper gives you.
> > - NTLM and proxies. NTLM was not designed with stateless (ie HTTP)
> > environments in mind. MS have got it to work, via a massive hack on the
> > protocol. It DOES NOT WORK THROUGH PROXIES. Only the first hop can be NTLM
> > authenticated. This includes MS's IIS based proxy products. NTLM will also
> > not work with transparent proxies (same reason as BASIC authentication
> > doesn't) so please, don't ask.
> > 1. key changes to squid
> > - the auth_modules directory is largely irrelevant for ntlm based
> > environments. The helpers in auth_modules are BASIC helpers only. This
> > includes the smb_auth, MSNT and multi-domain-NTLM.
> > - there is a new directory ntlm_auth_helpers that contains the NTLM helper
> > source programs.
> > - the default ./configure will not enable any authentication code in squid
> > (great for ISPs). New configuration directives allow
> > basic auth, the basic auth modules to build, ntlm-auth, and the ntlm auth
> > modules to build to be handled separately. Compiling in both
> > basic and ntlm auth will allow you to 'fall back' to basic authentication if a
> > browser does not support NTLM.
> > 2. how to get NTLM authentication working
> > - download the source
> > - configure with (at a minimum) --enable-ntlm-authentication and
> > --enable-ntlm-auth-modules=NTLMSSP
> > - check the ntlmssp source code for any hardcoded parameters (it's only just
> > stabilised, there may be some 'magic' in the source at the moment). Also the
> > command-line format is documented in the source.
> > - you can use fakeauth or no_check if you just want to validate the username,
> > but not check the password/login time limits.
> > - compile and install squid
> > - edit the squid.conf to specify the ntlm_authentication_helper command-line
> > and at least one proxy_auth acl entry.
> > - cross fingers (:-]) and use internet explorer FROM A DOMAIN USER ACCOUNT to
> > surf the web.
> >
> > Rob
> >
> >
> > Thomas Goebel wrote:
> >
> > > Hello,
> > >
> > > Sorry, I installed NTLM. But it does not work.
> > > I tried at the command line to authenticate with smb_auth.pl and this also
> > > did not work.
> > >
> > > Please help. Where can I get information on NTLM?
> > >
> > > cu
> > >
> > > Thomas
> > >
> > > Robert Collins wrote:
> > > >
> > > > This is exactly what the recently developed NTLM authentication for squid
> > > > does.
> > > >
> > > > It uses MS challenge handshaking authentication protocol (CHAP) for the
> > > > browser. You need internet explorer 3 or newer to use it.
> > > >
> > > > Rob
> > > >
> > > > ----- Original Message -----
> > > > From: "Thomas Goebel" <thomas@an-netz.de>
> > > > To: <squid-users@ircache.net>; <linuxml@hekkihek.hacom.nl>
> > > > Sent: Tuesday, September 19, 2000 11:36 PM
> > > > Subject: [SQU] automatic smb_auth
> > > >
> > > > > Hello,
> > > > >
> > > > > Is it possible to perform the authentication against the
> > > > > proxy automatically, invisible to the Windows user?
> > > > > The Microsoft IIS authenticates the user, logged in at the workstation,
> > > > > automatically.
> > > > >
> > > > > cu
> > > > >
> > > > > Thomas
> > > > >
> > > > > --
> > > > > To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
> > > > >
> > > > >
> >
>
>
> --
>
> ################################################
> # Thomas Goebel <System Administrator> #
> # #
> # E-Mail: thomas@an-netz.baynet.de #
> # #
> # Deputy Chairman of #
> # Traegerverein-Buergernetz-Ansbach-Netz e.V. #
> ################################################
> # Server-URL: www.an-netz.baynet.de #
> # #
> # SysAdmin: #
> # Felix Risling <felix@an-netz.baynet.de> #
> # Thomas Goebel <thomas@an-netz.baynet.de> #
> ################################################
>

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Tue Sep 19 2000 - 16:49:08 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:24 MST
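
The statefulness described in section 0 of the quoted notes, as an added example that is not part of the original thread and is not Squid's helper code: it decodes the base64 NTLMSSP tokens carried in the HTTP auth header and tracks per-connection state, showing why a lone authenticate message fed to a fresh helper is rejected. The `Connection` class, the `build` helper and the EXAMPLE\alice names are constructed for illustration; checking the response against the domain is not implemented.

```python
import base64, os, struct

SIG = b"NTLMSSP\x00"
TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def secbuf(msg, off):
    # Security buffer descriptor: length, allocated length, offset (little-endian).
    length, _alloc, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length]

def parse_token(b64):
    """Decode the base64 blob that follows 'NTLM ' in an HTTP auth header."""
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < 12 or not msg.startswith(SIG):
        raise ValueError("not an NTLMSSP message")
    info = {"type": TYPES.get(struct.unpack_from("<I", msg, 8)[0], "unknown")}
    if info["type"] == "authenticate":
        if len(msg) < 52:
            raise ValueError("truncated authenticate message")
        # Assumption: names are UTF-16LE (Unicode was negotiated).
        info["domain"] = secbuf(msg, 28).decode("utf-16-le")
        info["user"] = secbuf(msg, 36).decode("utf-16-le")
    return info

class Connection:
    """State a helper must keep per client connection (hypothetical class)."""
    def __init__(self):
        self.challenge = None

    def step(self, b64):
        info = parse_token(b64)
        if info["type"] == "negotiate":
            self.challenge = os.urandom(8)   # would go back in a type 2 message
            return "challenge issued"
        if info["type"] == "authenticate" and self.challenge is not None:
            self.challenge = None            # a challenge is good for one attempt
            return "verify %s\\%s against challenge" % (info["domain"], info["user"])
        return "rejected: out of sequence"

def build(mtype, domain="", user=""):  # constructed sample tokens, empty LM/NT responses
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    msg = SIG + struct.pack("<I", mtype)
    if mtype == 1:
        return base64.b64encode(msg + struct.pack("<I", 0)).decode()
    for length, start in ((0, 52), (0, 52), (len(d), 52), (len(u), 52 + len(d)), (0, 52)):
        msg += struct.pack("<HHI", length, length, start)
    return base64.b64encode(msg + d + u).decode()
```
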