Re: [SQU] automatic smb_auth

From: Robert Collins <robert.collins@dont-contact.us>
Date: Wed, 20 Sep 2000 18:32:18 +1100

Thomas,
    you are downloading from the wrong CVS branch. try

cvs -z3 -d :pserver:anonymous@cvs.sourceforge.net:/cvsroot/squid login

cvs -z3 -d :pserver:anonymous@cvs.sourceforge.net:/cvsroot/squid co -r ntlm -d squid-ntlm squid

rob

----- Original Message -----
From: "Thomas Goebel" <thomas@an-netz.de>
To: "Robert Collins" <robert.collins@itdomain.com.au>
Cc: <squid-users@ircache.net>
Sent: Wednesday, September 20, 2000 5:29 PM
Subject: Re: [SQU] automatic smb_auth

> I look in squid/ntlm_auth_modules/. There are no source files, only in
> the "Attic" directory.
> And in the squid/configure file there is no option to enable ntlm_modules
> like --enable-ntlm-authentication.
>
> cu
>
> Thomas
>
>
> Robert Collins wrote:
> >
> > Thomas,
> > please keep replies cc:d to the list. Thanks.
> >
> > are you looking in "ntlm_auth_modules" or "auth_modules"? See 1. key
> > changes to squid below.
> >
> > Rob
> >
> > ----- Original Message -----
> > From: <thomas@tomys.de>
> > To: "Robert Collins" <robert.collins@itdomain.com.au>
> > Sent: Wednesday, September 20, 2000 6:04 AM
> > Subject: Re: [SQU] automatic smb_auth
> >
> > > Hallo,
> > >
> > > sorry, but I cannot find the ntlm-auth source code. I downloaded the
> > > CVS tree and some source packages. There are only
> > > auth_modules/multi-domain-NTLM/smb_auth.pl
> > >
> > > please tell me where I can find the ntlm source.
> > >
> > > cu
> > > Thomas
> > >
> > > > Well it's not well documented yet... but here's a quick list of
> > > > things to do & notes about ntlm auth.
> > > > Hey kinkie have I missed anything drastic? I might turn this list
> > > > into the start of our HOW-TO ...
> > > >
> > > >
> > > > 0. background
> > > > - within HTTP there are three common authentication types: BASIC,
> > > > DIGEST, NTLM. Of these only BASIC and DIGEST are official
> > > > http authentication protocols. Basic authentication is clear text.
> > > > Digest uses a challenge-response format, as does NTLM.
> > > > - Challenge-response helpers in squid cannot be tested from the
> > > > command-line for two reasons. One: the helper needs the base64 data
> > > > from the client to correctly interpret and verify the authentication
> > > > request. Two: the authentication requests are stateful, so you need to
> > > > generate the correct response to the 1st result the helper gives you.
> > > > - NTLM and proxies. NTLM was not designed with stateless (ie HTTP)
> > > > environments in mind. MS have got it to work, via a massive hack on
> > > > the protocol. It DOES NOT WORK THROUGH PROXIES. Only the first hop can
> > > > be NTLM authenticated. This includes MS's IIS based proxy products.
> > > > NTLM will also not work with transparent proxies (same reason as BASIC
> > > > authentication doesn't) so please, don't ask.
> > > > 1. key changes to squid
> > > > - the auth_modules directory is largely irrelevant for ntlm based
> > > > environments. The helpers in auth_modules are BASIC helpers only. This
> > > > includes the smb_auth, MSNT and multi-domain-NTLM.
> > > > - there is a new directory ntlm_auth_helpers that contains the NTLM
> > > > helper source programs.
> > > > - the default ./configure will not enable any authentication code in
> > > > squid (great for ISP's). New configuration directives allow
> > > > basic auth, the basic auth modules to build, ntlm-auth, and the ntlm
> > > > auth modules to build to be handled separately. Compiling in both
> > > > basic and ntlm auth will allow you to 'fall back' to basic
> > > > authentication if a browser does not support NTLM.
> > > > 2. howto get NTLM authentication working
> > > > - download the source
> > > > - configure with (at a minimum) --enable-ntlm-authentication and
> > > > --enable-ntlm-auth-modules=NTLMSSP
> > > > - check the ntlmssp source code for any hardcoded parameters (it's
> > > > only just stabilised, there may be some 'magic' in the source at the
> > > > moment). Also the command-line format is documented in the source.
> > > > - you can use fakeauth or no_check if you just want to validate the
> > > > username, but not check the password/login time limits.
> > > > - compile and install squid
> > > > - edit the squid.conf to specify the ntlm_authentication_helper
> > > > command-line and at least one proxy_auth acl entry.
> > > > - cross fingers (:-]) and use internet explorer FROM A DOMAIN USER
> > > > ACCOUNT to surf the web.
> > > >
> > > > Rob
> > > >
> > > >
> > > > Thomas Goebel wrote:
> > > >
> > > > > Hallo,
> > > > >
> > > > > sorry, I installed NTLM. But it does not work.
> > > > > I tried at the command line to authenticate with smb_auth.pl and this
> > > > > also did not work.
> > > > >
> > > > > Please help. Where can I get information on NTLM?
> > > > >
> > > > > cu
> > > > >
> > > > > Thomas
> > > > >
> > > > > Robert Collins wrote:
> > > > > >
> > > > > > > This is exactly what the recently developed NTLM authentication
> > > > > > > for squid does.
> > > > > > >
> > > > > > > It uses MS challenge handshaking authentication protocol (CHAP)
> > > > > > > for the browser. You need internet explorer 3 or newer to use it.
> > > > > >
> > > > > > Rob
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Thomas Goebel" <thomas@an-netz.de>
> > > > > > To: <squid-users@ircache.net>; <linuxml@hekkihek.hacom.nl>
> > > > > > Sent: Tuesday, September 19, 2000 11:36 PM
> > > > > > Subject: [SQU] automatic smb_auth
> > > > > >
> > > > > > > Hallo,
> > > > > > >
> > > > > > > > is it possible to perform the authentication against the
> > > > > > > > proxy automatically, invisible to the Windows user?
> > > > > > > > The Microsoft IIS authenticates the user, logged in at the
> > > > > > > > workstation, automatically.
> > > > > > >
> > > > > > > cu
> > > > > > >
> > > > > > > Thomas
> > > > > > >
> > > > > > > --
> > > > > > > > To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
> > > > > > >
> > > > > > >
> > > >
> > >
> > >
> > > --
> > >
> > > ################################################
> > > # Thomas Goebel <Systemadministrator> #
> > > # #
> > > # E-Mail: thomas@an-netz.baynet.de #
> > > # #
> > > # Stellvertr. Vorsitzender im #
> > > # Traegerverein-Buergernetz-Ansbach-Netz e.V. #
> > > ################################################
> > > # Server-URL: www.an-netz.baynet.de #
> > > # #
> > > # SysAdmin: #
> > > # Felix Risling <felix@an-netz.baynet.de> #
> > > # Thomas Goebel <thomas@an-netz.baynet.de> #
> > > ################################################
> > >
> >
>

Received on Wed Sep 20 2000 - 02:28:30 MDT
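
Added example (not part of the thread and not Squid's helper code): the "0. background" notes say a challenge-response helper needs the client's base64 data and that the exchange is stateful. The sketch below decodes the NTLMSSP token carried in an "NTLM <base64>" HTTP auth header and checks the message order on one connection; the function names, flag values and sample messages are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def parse_ntlm_header(value):
    """Decode the token of an 'NTLM <base64>' HTTP auth header value."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        raise ValueError("not an NTLM header carrying a token")
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"type": TYPES.get(msg_type, "UNKNOWN")}
    if msg_type == 1 and len(raw) >= 16:
        info["flags"] = struct.unpack_from("<I", raw, 12)[0]
    elif msg_type == 2:
        if len(raw) < 32:
            raise ValueError("truncated CHALLENGE message")
        # Offsets: target-name buffer at 12, flags at 20, server challenge at 24.
        info["flags"] = struct.unpack_from("<I", raw, 20)[0]
        info["challenge"] = raw[24:32].hex()
    return info

def handshake_in_order(headers):
    """True when one connection's headers run NEGOTIATE, CHALLENGE, AUTHENTICATE."""
    seen = [parse_ntlm_header(h)["type"] for h in headers]
    return seen == ["NEGOTIATE", "CHALLENGE", "AUTHENTICATE"]

def _header(body):
    # Hypothetical helper: wrap a message body as an HTTP header value.
    return "NTLM " + base64.b64encode(SIGNATURE + body).decode("ascii")

# Constructed sample messages (not captured traffic).
NEGOTIATE = _header(struct.pack("<II", 1, 0x00008207) + bytes(16))
CHALLENGE_A = _header(struct.pack("<IHHII", 2, 0, 0, 32, 0x00008201)
                      + bytes.fromhex("0123456789abcdef"))
CHALLENGE_B = _header(struct.pack("<IHHII", 2, 0, 0, 32, 0x00008201)
                      + bytes.fromhex("fedcba9876543210"))
AUTHENTICATE = _header(struct.pack("<I", 3) + bytes(52))

if __name__ == "__main__":
    for name in ("NEGOTIATE", "CHALLENGE_A", "CHALLENGE_B"):
        print(name, parse_ntlm_header(globals()[name]))
    print(handshake_in_order([NEGOTIATE, CHALLENGE_A, AUTHENTICATE]))
```

The two CHALLENGE samples differ only in the 8-byte server challenge; since the client's AUTHENTICATE response is computed from that value, a token recorded from one connection is not a valid answer on another.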

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:25 MST