Re: [SQU] NTLM Error

From: Robert Collins <[email protected]>
Date: Fri, 23 Feb 2001 07:41:35 +1100

Jeremy,
    as long as we are not discussing private data (i.e. passwords and the
like), I'd appreciate it if we can keep the discussion on the list. It
means that there is instant documentation of how we solve your problem.

----- Original Message -----
From: "Wood, Jeremy" <WoodJ@metatec.com>
To: "'Robert Collins'" <robert.collins@itdomain.com.au>
Sent: Friday, February 23, 2001 1:49 AM
Subject: RE: [SQU] NTLM Error

> Check the answers below please!!
>
> >When you say transparently, do you mean as an intercepting proxy or
> >using NTLM CHAP to authenticate?
> >
> >When you say basic authentication, do you mean that it asks for
> >authentication with a three line dialogue box or a two line? And does
> >the two line have a text box or a combo box for the second line.
>
> When I say transparently I do mean NTLM CHAP. And as a fall back I also
> compiled in MSNT support for a fallback. And yes when I say basic
> authentication it comes up with a three line text box. Hope I answered that
> right.

Ok.
    Let's set some terms, so we both mean the same thing.
* For authentication, just refer to NTLM authentication or Basic
authentication. (NTLM is _only_ transparent when the user is in the
right domain with the right credentials using the right browser :], and
good browsers can save and auto present credentials using other schemes
such as digest, so the user doesn't see them either). In MSIE a manual
login via NTLM shows up as a three line dialogue box, User, Password,
Domain. (Which is what you saw?)
* Transparent proxying is often used to mean intercepting proxy, but
actually means "http proxy that doesn't change the semantics of the
message" whew. We don't need this one fortunately :]
* Basic authentication refers to the basic authentication scheme. In
MSIE it shows up as a _two_ line dialogue box, with the second line a
text box.

> >I am! thanks for the report. Can you give the last few lines of your
> >access.log and cache.log. Is it working at all? What does your
> >squid.conf look like (through the cache_mgr please - it skips all the
> >whitespace.
> >
> >Please also include the version reported when squid starts up.
> >And the gcc version (gcc -v).

Where's the gcc -v?
And the squid version report?

> Yeah it does work but not exactly right ;-) Here's the info ya need.
>
> Last few lines of cache.log
>
> Error receiving response to SessSetupAndX
> 2001/02/22 10:00:28| authenticateNTLMDirection: called before NTLM
> Authenticate!. Report a bug to squid-dev.
> SessSetupAndX response. Action = 0
> SessSetupAndX response. Action = 0
> SessSetupAndX response. Action = 0
> SessSetupAndX response. Action = 0
> SessSetupAndX response. Action = 0
> SessSetupAndX response. Action = 0
> SessSetupAndX response. Action = 0
> Error receiving response to SessSetupAndX
> 2001/02/22 10:01:15| authenticateNTLMDirection: called before NTLM
> Authenticate!. Report a bug to squid-dev.
> SessSetupAndX response. Action = 0
> SessSetupAndX response. Action = 0
> SessSetupAndX response. Action = 0
> Error receiving response to SessSetupAndX
> 2001/02/22 10:01:21| authenticateNTLMDirection: called before NTLM
> Authenticate!. Report a bug to squid-dev.
> SessSetupAndX response. Action = 0
> SessSetupAndX response. Action = 0
> SessSetupAndX response. Action = 0
>

Kinkie - probable cause on this?

>
> Last few lines of access.log:
>
> 982854966.965 151 10.1.0.0 TCP_MISS/304 290 GET
> http://pics.ebay.com/aw/pics/lst/gp__.gif metatec_hq\brentw
> DIRECT/216.33.157.33 -
> 982854966.989 11 10.1.0.0 TCP_DENIED/407 1468 GET
> http://pics.ebay.com/aw/pics/lst/g___.gif NONE/- text/html
> 982854967.036 119 10.1.0.0 TCP_MISS/304 291 GET
> http://pics.ebay.com/aw/pics/lst/buyItNow_15x54.gif metatec_hq\brentw
> DIRECT/216.33.157.32 -
> 982854967.097 108 10.1.0.0 TCP_MISS/304 290 GET
> http://pics.ebay.com/aw/pics/lst/g___.gif metatec_hq\brentw
> DIRECT/216.33.157.33 -
> 982854970.733 104 10.1.0.0 TCP_MISS/304 290 GET
> http://pics.ebay.com/aw/pics/star-4.gif metatec_hq\brentw
> DIRECT/216.33.157.32 -
> 982854970.748 1040 10.1.0.0 TCP_MISS/200 27587 GET
> http://cgi.ebay.com/aw-cgi/eBayISAPI.dll? metatec_hq\brentw
> DIRECT/216.32.120.180 text/html
> 982854973.453 2783 10.1.0.0 TCP_MISS/200 4362 GET
> http://www.goos.com/img/myEstore.gif metatec_hq\brentw DIRECT/63.236.211.140
> image/gif
> 982854983.157 20 10.1.0.0 TCP_NEGATIVE_HIT/403 396 GET
> http://pics.ebay.com/aw/pics/ metatec_hq\brentw NONE/- text/html
> 982854983.175 477 10.1.0.0 TCP_MISS/302 1138 GET
> http://ads.web.aol.com/image/93010672/aol metatec_hq\brentw
> DIRECT/152.163.180.24 text/html
> 982854983.177 2 10.1.0.0 TCP_DENIED/407 1460 GET
> http://pics.ebay.com/aw/pics/lst/gp_n.gif NONE/- text/html
> 982854983.307 129 10.1.0.0 TCP_MISS/200 772 GET
> http://pics.ebay.com/aw/pics/lst/gp_n.gif metatec_hq\brentw
> DIRECT/216.33.157.33 image/gif
>

that looks normal.

> And I have attached the squid.conf.

>
> >Things to try:
> >1) disable basic authentication (do this by not setting a helper)
> >2) disable ntlm, enable basic - confirm that basic is working right.
>
> Basic is working and so is ntlm

You've reported a problem occurring halfway down a page. Please perform
the specific tests; they will help us figure out exactly what is going
on, and from there we can fix it.

Do the two authentication schemes work PERFECTLY when the other one is
disabled?
Basic [Y/N]
NTLM [Y/N]

>
> >I've covered this in a previous email this morning..
>
> I looked at that. Thank you.
>
> Please let me know about the group acl's you were talking about in a
> previous e-mail.

Standard ACLs build group lists in squid.
acl group1 proxy_auth domain\john domain\mary
acl group2 proxy_auth domain\tom domain\mary
would make a group group1 with john and mary, and a group group2 with
mary and tom.

The other ACLs don't exist yet. Two things are needed: 1) some
extensions to squid to allow them (designed but not coded). 2) support
in the NTLMSSP helper to read the group data of the MS PDC. What I was
pointing out was that if you knew someone who is able to do 2), I'll
throw 1) in to help out :]

Regards,
Rob
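Rob reads the 407s interleaved with authenticated hits as normal. As an added example (not part of this message or of Squid's own code), the following script takes lines in the native access.log format quoted above and pairs each TCP_DENIED/407 challenge with the later authenticated request for the same client and URL, so clients left with unanswered challenges stand out; the sample lines, usernames and hosts are constructed.

```python
"""Pair Squid 407 challenges with the authenticated requests that follow.

Added example, not code from the thread or from Squid.  Parses the native
access.log layout quoted above (timestamp elapsed client code/status bytes
method URL user peer type) and reports, per client, challenges issued,
authentications completed and 407s never answered."""
from collections import defaultdict, namedtuple

# Constructed sample data: placeholder users, hosts and URLs, not the real log.
SAMPLE_LOG = """\
982854966.965 151 10.1.0.0 TCP_MISS/304 290 GET http://example.test/a.gif domain\\alice DIRECT/192.0.2.10 -
982854966.989 11 10.1.0.0 TCP_DENIED/407 1468 GET http://example.test/b.gif NONE/- text/html
982854967.097 108 10.1.0.0 TCP_MISS/304 290 GET http://example.test/b.gif domain\\alice DIRECT/192.0.2.10 -
982854970.000 5 10.1.0.2 TCP_DENIED/407 1460 GET http://example.test/c.gif - NONE/- text/html
982854970.020 4 10.1.0.2 TCP_DENIED/407 1460 GET http://example.test/c.gif - NONE/- text/html
"""

Entry = namedtuple("Entry", "client status url user")  # user is "-" if unauthenticated


def parse_line(line):
    f = line.split()
    if len(f) == 9:        # the 407 lines quoted in the thread lack the user column
        f.insert(7, "-")
    code_status = f[3].split("/", 1) if len(f) == 10 else []
    if len(f) != 10 or len(code_status) != 2 or not code_status[1].isdigit():
        return None        # not a native-format record
    return Entry(f[2], int(code_status[1]), f[6], f[7])


def summarise(text):
    """Per client: 407 challenges, authenticated hits, users seen, unanswered 407s."""
    stats = defaultdict(lambda: {"challenges": 0, "authenticated": 0,
                                 "users": set(), "unanswered": 0})
    pending = defaultdict(int)  # (client, url) -> 407s not yet followed by auth
    for raw in text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        if e.status == 407:
            stats[e.client]["challenges"] += 1
            pending[(e.client, e.url)] += 1
        elif e.user != "-":
            stats[e.client]["authenticated"] += 1
            stats[e.client]["users"].add(e.user)
            pending.pop((e.client, e.url), None)  # challenge was answered
    for (client, _url), n in pending.items():
        stats[client]["unanswered"] += n
    return dict(stats)
```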

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Thu Feb 22 2001 - 13:41:35 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:09 MST