RE: [SQU] NTLM Error

From: Robert Collins <[email protected]>
Date: Thu, 22 Feb 2001 10:01:46 +1100

> -----Original Message-----
> From: Wood, Jeremy [mailto:WoodJ@metatec.com]
> Sent: Thursday, February 22, 2001 6:47 AM
> To: 'Craig Fels'; 'squid-users@ircache.net'
> Subject: RE: [SQU] NTLM Error
>
>
> Got a new error message here :-/ It lets you through the proxy,
> transparently then half way thru the page load it asks for basic
> authentication. Check it out:

When you say transparently, do you mean as an intercepting proxy or
using NTLM CHAP to authenticate?

When you say basic authentication, do you mean that it asks for
authentication with a three line dialogue box or a two line? And does
the two line have a text box or a combo box for the second line?
 
> authenticateNTLMDirection: called before NTLM Authenticate! . Report a bug to squid-dev
>
> So if anyone is on squid-dev could you pass this along??

I am! Thanks for the report. Can you give the last few lines of your
access.log and cache.log? Is it working at all? What does your
squid.conf look like (through the cache_mgr please - it skips all the
whitespace)?

Please also include the version reported when squid starts up.
And the gcc version (gcc -v).

Things to try:
1) disable basic authentication (do this by not setting a helper)
2) disable ntlm, enable basic - confirm that basic is working right.

 
> About the NT groups stuff. The gent who wrote the smb_auth a while back did
> have a shell script he wrote to use groups as permissions. He placed a file
> in the netlogon dir of the PDC and the only thing in the file was: allow.
> Then you run NT permissions on this file adding the people that are allowed
> to use the proxy. The smb_auth module passed the auth info on to this
> script which then tried to read the proxyauth file from the netlogon dir of
> the PDC via smbclient. If the file could be read, the shell script returned
> an OK. If not, an ERROR. So what I was wanting to do was hack the
> ntlm_auth.c to have it do something similar.
>
> Does this sound doable to anyone??

I've covered this in a previous email this morning..

>
> ----Jer
>
> -----Original Message-----
> From: Craig Fels [mailto:csfels@swbell.net]
> Sent: Wednesday, February 21, 2001 2:37 PM
> To: Wood, Jeremy; squid-users@ircache.net
> Subject: Re: [SQU] NTLM Error
>
>
> > I just downloaded the new code today. Same code you are using. I am using
> > NTLMSSP as the helper. I have double checked the compile options. See I
> > need to have true authentication working because not every user on our
> > domain is allowed to have proxy access. Only users in certain groups are
> > allowed to have it. So I need to check if they are in the correct group
> > before they have proxy access. Right now we are using MS Proxy 2.0 and it
> > works with NTLM, group permissions, and it is transparent to the user. That
> > is what I am trying to get out of squid so I can get rid of that NT box. I
> > fear I may end up coding something myself which should only take me a couple
> > years considering my experience ;-) In other words, I stink at coding so I
> > was hoping to be able to throw some things together to make this work.
>
> As far as I know, Squid with NTLM support can NOT validate based on NT
> groups (local or global). The only way, and I've mentioned this before, is
> to use NT resource kit utilities like Local and Global on the particular
> group (domain\proxyusers) and redirect the output to a text file. Have this
> text file picked up by your proxy machine and have a proxy_auth acl look at
> this file for its members. Then create the http_access allow statement for
> that acl.
>
> Should be pretty easy to implement, but a pain to support if you ever leave!
> ;-)
>
> Have fun....
>
> Craig
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>
>

Received on Wed Feb 21 2001 - 16:10:37 MST
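
The group-dump workaround Craig describes in the quoted message, sketched as an added example that is not part of the original thread or of Squid itself. It assumes the dump arrives as one member per line, optionally prefixed with DOMAIN\; the sample data, the file path and the acl name are assumptions.

```python
import os
import re
import tempfile

# Constructed sample: one group member per line, as a dump of the
# domain\proxyusers group might look once copied to the proxy machine.
SAMPLE_DUMP = "EXAMPLE\\alice\r\nEXAMPLE\\bob\r\n\r\nEXAMPLE\\alice\r\nbad name\r\n"

# Conservative allow-list: optional DOMAIN\ prefix, then the account name
# (assumption, adjust to the naming rules of your own domain).
VALID_NAME = re.compile(r"^(?:[A-Za-z0-9.-]{1,15}\\)?[A-Za-z0-9._$-]{1,64}$")

def build_acl_entries(dump_text, strip_domain=True):
    """Return (entries, rejected): unique valid names in first-seen order."""
    entries, rejected, seen = [], [], set()
    for raw in dump_text.splitlines():
        name = raw.strip()
        if not name:
            continue
        if not VALID_NAME.match(name):
            rejected.append(name)  # never pass odd lines into the ACL file
            continue
        if strip_domain and "\\" in name:
            name = name.split("\\", 1)[1]
        if name not in seen:
            seen.add(name)
            entries.append(name)
    return entries, rejected

def write_acl_file(path, entries):
    """Atomically replace the ACL file; refuse to publish an empty list."""
    if not entries:
        raise ValueError("empty member list, existing ACL file left in place")
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".proxyusers.")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write("\n".join(entries) + "\n")
        os.chmod(tmp, 0o640)
        os.replace(tmp, path)  # a reader never sees a half-written file
    except BaseException:
        os.unlink(tmp)
        raise

# squid.conf side, as described in the thread (path and acl name assumed):
#   acl proxyusers proxy_auth "/etc/squid/proxyusers.txt"
#   http_access allow proxyusers
```

Squid reads the member file when it loads its configuration, so run `squid -k reconfigure` after the file changes. A failed dump leaves the previous list in force, which means a removed user keeps access until the next successful refresh.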

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:07 MST