Re: [squid-users] squid and AD configuration guidelines

From: Henrik Nordstrom <[email protected]>
Date: Wed, 01 Mar 2006 02:06:13 +0100

mån 2006-02-27 klockan 12:03 +0000 skrev Paul Mattingly:

> squidhp# ./ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> squid\administrator password
> [2006/02/01 10:23:18, 1] utils/ntlm_auth.c:manage_squid_ntlmssp_request(578)
> BH
>
> Above is an example of testing the ntlm_auth program. I never got this
> to work properly by hand, but squid seems happy with it! It's an error
> that doesn't need fixing.

Not an error. You can't test NTLMSSP by hand as it requires proper
NTLMSSP packets as input/output and only computers know how to speak
NTLMSSP...

If you have a NTLMSSP demonstration program capable of acting as a
client then you can copy-paste the NTLMSSP exchanges between this and
the helper to verify the functionality with just a little glue around it
detailed at http://devel.squid-cache.org/ntlm/. I think there is one
such example program in the Windows SDK or at least around MSDN
somewhere.. but it was many years since I did any Windows development..

You can test the basic scheme by hand just fine.
# ./ntlm_auth --helper-protocol=squid-2.5-basic
squid\administrator password
OK|ERR

> auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 3
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm use_ntlm_negotiate on

most people also configure support for basic authentication as not all
clients supports ntlm.

It is important you have the ntlm related auth_param directives before
basic however as MSIE is a bit simpleminded and simply uses the first
scheme found, not the strongest as it should..

Regards
Henrik

Received on Tue Feb 28 2006 - 18:06:16 MST

This archive was generated by hypermail pre-2.1.9 : Wed Mar 01 2006 - 12:00:04 MST