Re: ntlm_auth question

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Thu, 30 Aug 2007 02:20:27 +0200

On ons, 2007-08-29 at 12:38 +0200, Laurent DOMENECH wrote:

> I have a question regarding a section of the ntlm_auth.c file.
> The problem I have happens using the ntlm_auth utility with the
> squid-2.5-ntlmssp helper. After reading and searching I thought this was
> the best place to get an informed response. If not, please forgive me and
> discard this message.

ntlm_auth is a part of Samba, not Squid...

> I have started looking at the code and the last line of the log suggests
> that the ntlmssp_update() call inside manage_squid_ntlmssp_request() of
> utils/ntlm_auth.c is returning nt_status =
> NT_STATUS_MORE_PROCESSING_REQUIRED. From there, the authentication seems
> to stop.

What should happen here is that the challenge from the helper is
returned to the client on a persistent connection, and the client then
responds with the auth response to continue the process...

> Is it normal for the process to stop when this status is returned?

No.

> Shouldn't there be additional processing?

Yes.

> Is there a way to alter the helper so that it uses a "simpler" version of
> the ntlm authentication? (I have tried the basic helper with no luck).

The helper speaks just raw NTLM. Can't get any simpler. NTLM is a
challenge/response protocol using two complete exchanges (4 "packets"):

Client sends NTLM Negotiate packet. (YR xxx sent to helper)
Server responds with an NTLM Challenge packet. (TT xxx sent from helper)
Client responds with an NTLM Response packet. (KK xxx sent to helper)
Authentication completed on this connection. (AF username sent from
helper)

All must take place on the same connection as it's the connection which
is being authenticated, not the HTTP message. If the connection is
closed the process restarts from the beginning.

Regards
Henrik

Received on Wed Aug 29 2007 - 18:20:37 MDT
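
The four-step helper exchange described in the reply above, as an added example (not part of the original message, and not Samba or Squid code): a small Python checker that replays a constructed helper transcript per connection and flags handshakes that are cut off by a close or arrive out of order. The connection ids, state names, tuple layout and placeholder blobs are assumptions made for illustration; only the YR/TT/KK/AF codes come from the message.

```python
# Added example. Connection ids, state names and the event tuple layout are
# illustrative assumptions; only the YR/TT/KK/AF codes come from the message.
IDLE, NEGOTIATED, CHALLENGED, RESPONDED, AUTHENTICATED = (
    "idle", "negotiate-sent", "challenge-issued", "response-sent", "authenticated")

# (current state, direction, helper code) -> next state
# ">" means sent to the helper, "<" means sent from the helper.
TRANSITIONS = {
    (IDLE, ">", "YR"): NEGOTIATED,            # client's NTLM Negotiate
    (NEGOTIATED, "<", "TT"): CHALLENGED,      # helper's NTLM Challenge
    (CHALLENGED, ">", "KK"): RESPONDED,       # client's NTLM Response
    (RESPONDED, "<", "AF"): AUTHENTICATED,    # helper reports the username
}

def trace_handshakes(events):
    """Replay (conn, direction, line) events; return (states, problems)."""
    states, problems = {}, []
    for conn, direction, line in events:
        current = states.setdefault(conn, IDLE)
        if direction == "close":
            # The connection is what gets authenticated, so a close discards
            # all progress and the exchange restarts from the beginning.
            if current not in (IDLE, AUTHENTICATED):
                problems.append((conn, f"closed in state {current}"))
            states[conn] = IDLE
            continue
        code = line.split(" ", 1)[0]
        nxt = TRANSITIONS.get((current, direction, code))
        if nxt is None:
            problems.append((conn, f"unexpected {code} in state {current}"))
        else:
            states[conn] = nxt
    return states, problems

# Constructed transcript: c1 completes, c2 is closed after the challenge,
# c3 carries a response on a fresh connection that never saw a challenge.
SAMPLE = [
    ("c1", ">", "YR <negotiate-blob>"), ("c1", "<", "TT <challenge-blob>"),
    ("c1", ">", "KK <response-blob>"), ("c1", "<", "AF exampleuser"),
    ("c2", ">", "YR <negotiate-blob>"), ("c2", "<", "TT <challenge-blob>"),
    ("c2", "close", ""),
    ("c3", ">", "KK <response-blob>"),
]

if __name__ == "__main__":
    final_states, found = trace_handshakes(SAMPLE)
    print(final_states)
    for conn, problem in found:
        print(conn, problem)
```

A connection left in `challenge-issued` at the end of a transcript corresponds to the stall described in the question: the challenge went out but no response came back on that same connection.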
