Re: [squid-users] NTLM questions (sorry)

From: Gavin Hamill <[email protected]>
Date: Fri, 28 Mar 2003 13:16:23 -0000

> You cannot test NTLM authentication helpers from the command line. The
> helpers expects base64 encoded NTLM messages as input,

Ah of course :)

OK, so after establishing that the Debian package did not include ntlm
support compiled-in, I added the following lines to the debian/rules file:

        --enable-auth="ntlm" \
        --enable-ntlm-auth \
        --enable-ntlm-auth-helpers="SMB" \

and recompiled the package. Now when I start squid, it no longer complains
about ntlm being an unknown authentication module, but every time I try to
request a webpage via the proxy, squid crashes:

At this stage, all I want is "only allow access to those who are currently
logged in on the Windows 2000 server."

newwintermute:~/squid/squid-2.5.2# squid -N -d 10
2003/03/28 13:07:30| Starting Squid Cache version 2.5.STABLE2 for
i386-debian-linux-gnu...
2003/03/28 13:07:30| Process ID 17011
2003/03/28 13:07:30| With 1024 file descriptors available
2003/03/28 13:07:30| Performing DNS Tests...
2003/03/28 13:07:30| Successful DNS name lookup tests...
2003/03/28 13:07:30| DNS Socket created at 0.0.0.0, port 36720, FD 4
2003/03/28 13:07:30| Adding nameserver 194.130.12.75 from /etc/resolv.conf
2003/03/28 13:07:30| helperStatefulOpenServers: Starting 5 'ntlm_auth'
processes
2003/03/28 13:07:30| User-Agent logging is disabled.
2003/03/28 13:07:30| Referer logging is disabled.
2003/03/28 13:07:30| Unlinkd pipe opened on FD 14
2003/03/28 13:07:30| Swap maxSize 102400 KB, estimated 7876 objects
2003/03/28 13:07:30| Target number of buckets: 393
2003/03/28 13:07:30| Using 8192 Store buckets
2003/03/28 13:07:30| Max Mem size: 8192 KB
2003/03/28 13:07:30| Max Swap size: 102400 KB
2003/03/28 13:07:30| Local cache digest enabled; rebuild/rewrite every
3600/3600 sec
2003/03/28 13:07:30| Rebuilding storage in /var/spool/squid (CLEAN)
2003/03/28 13:07:30| Using Least Load store dir selection
2003/03/28 13:07:30| Set Current Directory to /var/spool/squid
2003/03/28 13:07:30| Loaded Icons.
2003/03/28 13:07:30| Accepting HTTP connections at 0.0.0.0, port 3128, FD
15.
2003/03/28 13:07:30| Accepting ICP messages at 0.0.0.0, port 3130, FD 16.
2003/03/28 13:07:30| HTCP Disabled.
2003/03/28 13:07:30| WCCP Disabled.
2003/03/28 13:07:30| Ready to serve requests.
2003/03/28 13:07:30| Done scanning /var/spool/squid swaplog (0 entries)
2003/03/28 13:07:30| Finished rebuilding storage from disk.
2003/03/28 13:07:30| 0 Entries scanned
2003/03/28 13:07:30| 0 Invalid entries.
2003/03/28 13:07:30| 0 With invalid flags.
2003/03/28 13:07:30| 0 Objects loaded.
2003/03/28 13:07:30| 0 Objects expired.
2003/03/28 13:07:30| 0 Objects cancelled.
2003/03/28 13:07:30| 0 Duplicate URLs purged.
2003/03/28 13:07:30| 0 Swapfile clashes avoided.
2003/03/28 13:07:30| Took 0.3 seconds ( 0.0 objects/sec).
2003/03/28 13:07:30| Beginning Validation Procedure
2003/03/28 13:07:30| Completed Validation Procedure
2003/03/28 13:07:30| Validated 0 Entries
2003/03/28 13:07:30| store_swap_size = 0k
2003/03/28 13:07:31| storeLateRelease: released 0 objects
2003/03/28 13:07:35| storeDirWriteCleanLogs: Starting...
2003/03/28 13:07:35| WARNING: Closing open FD 15
2003/03/28 13:07:35| Finished. Wrote 0 entries.
2003/03/28 13:07:35| Took 0.0 seconds ( 0.0 entries/sec).

At this point, a Win2000 client which is logged into the PDC and set to use
the proxy server tries to view an external webpage:

FATAL: authenticateNTLMHandleReply: called with no result string

Aborted
newwintermute:~/squid/squid-2.5.2#

The only changes (in context) from the default squid.conf are:

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl byteldomain proxy_auth ntlm REQUIRED
acl localhost src 127.0.0.1/255.255.255.255

....

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Exampe rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
http_access allow localhost
http_access allow byteldomain

As I've been writing this, it has dawned on me that I'm not actually
specifying the Windows domain server anywhere in the conf files. Does
ntlm_auth broadcast on the local network to find a domain controller?

I'm probably doing something very stupid, but google hasn't shown me the
light in this case :(

Yours in hope,
Gavin.
Received on Fri Mar 28 2003 - 06:17:10 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:24 MST