Re: [SQU] automatic smb_auth

From: Thomas Goebel <[email protected]>
Date: Thu, 21 Sep 2000 11:46:11 +0200

Hallo,

ok. i find the right CVS-tree but there is no configure-script. There is
only an configure.in file.

Where can i get the right configure-script.

cu

Thomas

Robert Collins wrote:
>
> Thomas,
> please keep replies cc:d to the list. Thanks.
>
> are you looking in "ntlm_auth_modules" or "auth_modules" see 1. key changes
> to squid below.
>
> Rob
>
> ----- Original Message -----
> From: <thomas@tomys.de>
> To: "Robert Collins" <robert.collins@itdomain.com.au>
> Sent: Wednesday, September 20, 2000 6:04 AM
> Subject: Re: [SQU] automatic smb_auth
>
> > Hallo,
> >
> > sorry,, but i can not find the ntlm-auth source-code. I downloaded the
> CVS-tree and some sourcepackages. Thare are only
> > auth_modules/multi-domain-NTLM/smb_auth.pl
> >
> > please tell were i can find the ntlm-source.
> >
> > cu
> > Thomas
> >
> > > Well its not well documented yet... but here's a quick list of things to
> do &
> > > notes about ntlm auth.
> > > Hey kinkie have I missed anything drastic? I might turn this list into
> the
> > > start of our HOW-TO ...
> > >
> > >
> > > 0. background
> > > -within HTTP there are three common authentication types: BASIC,
> > > DIGEST, NTLM. Of these only BASIC and DIGEST are official
> > > http authenticaton protocols. Basic authentication is clear text.
> digest
> > > uses a challenge-response format, as does NTLM.
> > > -Challenge-response helpers in squid cannot be tested from the
> command-line
> > > for two reasons. One: the helper needs the base64 data
> > > from the client to correctly interpret and verify the authentication
> request.
> > > Two: the authentication requests are stateful, so you need to
> > > generate the correct response to the 1st result the helper gives you.
> > > - NTLM and proxies. NTLM was not designed with stateless (ie HTTP)
> > > environments in mind. MS have got it to work, via a massive hack on the
> > > protocol. It DOES NOT WORK THROUGH PROXIES. Only the first hop can be
> NTLM
> > > authenticatied. This includes MS's IIS based proxy products. NTLM will
> also
> > > not work with transparent proxies (same reason as BASIC authentication
> > > doesn't_)so please, don't ask.
> > > 1. key changes to squid
> > > - the auth_modules directory is largely irrelevant for ntlm based
> > > environments. The helpers in auth_modules are BASIC helpers only. This
> > > includes the smb_auth,MSNT and multi-domain-NTLM.
> > > - there is a new directory ntlm_auth_helpers that contains the NTLM
> helper
> > > source programs.
> > > - the default ./configure will not enable any authentication code in
> squid
> > > (great for ISP's). New configuration directives allow
> > > basic auth, the basic auth modules to build, ntlm-auth, and the ntlm
> auth
> > > modules to build to be handled separately. Compiling in both
> > > basic and ntlm auth will allow you to 'fall back' to basic
> authentication if a
> > > browser does not support NTLM.
> > > 2. howto get NTLM authentication working
> > > - download the source
> > > - configure with (at a minimum) --enable-ntlm-authentication and
> > > --enable-ntlm-auth-modules=NTLMSSP
> > > - check the ntlmssp source code for any hardcoded parameters (it's only
> just
> > > stablised, there may be some 'magic' in the source at the moment). Also
> the
> > > command-line format is documented in the source.
> > > - you can use fakeauth or no_check if you just want to validate the
> username,
> > > but not check the password/login time limits.
> > > -compile and install squid
> > > - edit the squid.conf to specify the ntlm_authentication_helper
> command-line
> > > and at least one proxy_auth acl entry.
> > > -cross fingers (:-]) and use internet explorer FROM A DOMAIN USER
> ACCOUNT to
> > > surf the web.
> > >
> > > Rob
> > >
> > >
> > > Thomas Goebel wrote:
> > >
> > > > Hallo,
> > > >
> > > > sorry, i installed NTLM. But it does not work.
> > > > I tried at comandline to authenticate with smp_auth.pl and this also
> not
> > > > worked.
> > > >
> > > > Please help. Where can i get Information of NTLM.
> > > >
> > > > cu
> > > >
> > > > Thomas
> > > >
> > > > Robert Collins wrote:
> > > > >
> > > > > This is exactly what the recently developed NTLM authentication for
> squid
> > > > > does.
> > > > >
> > > > > It uses MS challenge handshaking authentication protocol (CHAP) for
> the
> > > > > browser. You need internet explorer 3 or newer to use it.
> > > > >
> > > > > Rob
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Thomas Goebel" <thomas@an-netz.de>
> > > > > To: <squid-users@ircache.net>; <linuxml@hekkihek.hacom.nl>
> > > > > Sent: Tuesday, September 19, 2000 11:36 PM
> > > > > Subject: [SQU] automatic smb_auth
> > > > >
> > > > > > Hallo,
> > > > > >
> > > > > > is it possible to perform the authentication against the
> > > > > > proxy automatically, invisible to the Windows user.
> > > > > > The Microsoft IIS authenticates the user, logged in at the
> workstation,
> > > > > > automatically.
> > > > > >
> > > > > > cu
> > > > > >
> > > > > > Thomas
> > > > > >
> > > > > > --
> > > > > > To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
> > > > > >
> > > > > >
> > >
> >
> >
> > --
> >
> > ################################################
> > # Thomas Goebel <Systemadministrator> #
> > # #
> > # E-Mail: thomas@an-netz.baynet.de #
> > # #
> > # Stellvertr. Vorsitzender im #
> > # Traegerverein-Buergernetz-Ansbach-Netz e.V. #
> > ################################################
> > # Server-URL: www.an-netz.baynet.de #
> > # #
> > # SysAdmin: #
> > # Felix Risling <felix@an-netz.baynet.de> #
> > # Thomas Goebel <thomas@an-netz.baynet.de> #
> > ################################################
> >

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Thu Sep 21 2000 - 03:53:36 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:26 MST