Re: Squid-ntlm compiling problems #2-1

From: Robert Collins <robert.collins@dont-contact.us>
Date: Sat, 7 Oct 2000 09:55:32 +1100

Thomas,
    With NTLM authentication, each successful connection should show
TCP_DENIED/407
TCP_DENIED/407
and then the miss/refresh etc.

This is due to the stateful authentication mechanism.

The error you are getting, "bad NTLM negotiate request" from
aclLookupProxyNTLMAuthDone, indicates that the ntlm helper couldn't parse
your browser's ntlm negotiate packet, whilst the
"huh? got two authentications in a row" indicates that the NTLMSSP helper
received two authentication requests in a row - which it shouldn't have.

can you please rebuild the NTLMSSP helper with debug on, and
set squid's debug to
ALL,1 34,4 14,4 28,6 29,6
delete your cache.log
and then retry using it, and send me (out of band) the cache.log file from
squid (probably as tar.bz2 if it's big).

Rob

----- Original Message -----
From: "Thomas Goebel" <thomas@an-netz.de>
To: "Robert Collins" <robert.collins@itdomain.com.au>
Cc: <squid-users@ircache.net>
Sent: Saturday, October 07, 2000 12:39 AM
Subject: Re: Squid-ntlm compiling problems #2-1

> Hello,
>
> I forgot the entry in cache.log.
>
> Here it is.
>
> Huh? Got two authentications in a row
> SMB_SessSetupAndX failed with errorclass = 1, Error Code = 5
> ntlm-auth: ERR authentication failure
> 2000/10/06 15:38:08| aclLookupProxyNTLMAuthDone: bad NTLM negotiate
> request recieved on FD:19.
>
>
>
>
> cu
>
> Thomas
>
> Hello,
>
> now I try to connect with IE and this happened
>
> 192.6.0.52 HERPA%5cgoebelt - [06/Oct/2000:15:39:34 +0200] "GET
> http://www.msn.de/ HTTP/1.0" 407 1379 TCP_DENIED:NONE
>
> I log in to the domain as goebelt.
>
> What's wrong??
>
> Here are the squid.conf lines which I added to my old squid.conf:
>
> -authenticate_program_ntlm
> /squid-ntlm/ntlm_auth_modules/NTLMSSP/ntlm_auth -d herpa -s ntserver1
>
> -authenticate_ntlm_default_domain herpa
>
> cu
>
> Thomas
>
> Robert Collins wrote:
> >
> > Thomas,
> > Sorry I didn't reply to the first email, I was very busy this
> > week.
> >
> > please delete lines 688 and 689 from helper.c. They snuck into CVS.
> > (oops!)
> >
> > I'll commit a fix to CVS tomorrow.
> >
> > Rob
> >
> > > -----Original Message-----
> > > From: Thomas Goebel [mailto:thomas@an-netz.de]
> > > Sent: Friday, 6 October 2000 5:12 PM
> > > To: Robert Collins
> > > Cc: squid-users@ircache.net
> > > Subject: Squid-ntlm compiling problems #2
> > >
> > >
> > > > Hello list and Robert,
> > > >
> > > > now I have time to install squid-ntlm.
> > > >
> > > > Here is what I have done:
> > >
> > > step 1
> > > fwi:/DOWN/squid-ntlm # autoconf
> > > configure.in:905: warning: AC_TRY_RUN called without default to allow
> > > cross compiling
> > > configure.in:999: warning: AC_TRY_RUN called without default to allow
> > > cross compiling
> > > configure.in:1000: warning: AC_TRY_RUN called without default to allow
> > > cross compiling
> > > configure.in:1001: warning: AC_TRY_RUN called without default to allow
> > > cross compiling
> > > configure.in:1275: warning: AC_TRY_RUN called without default to allow
> > > cross compiling
> > > fwi:/DOWN/squid-ntlm #
> > >
> > >
> > > step2
> > > fwi:/DOWN/squid-ntlm # autoheader
> > > configure.in:905: warning: AC_TRY_RUN called without default to allow
> > > cross compiling
> > > configure.in:1275: warning: AC_TRY_RUN called without default to allow
> > > cross compiling
> > > fwi:/DOWN/squid-ntlm #
> > >
> > > step3
> > > fwi:/DOWN/squid-ntlm # ./configure --enable-ntlm-authentication
> > > --enable-ntlm-auth-modules=NTLMSSP --enable-snmp
> > > --enable-basic-authentication
> > >
> > > works without errors!!!
> > >
> > > step4
> > > fwi:/DOWN/squid-ntlm # make
> > > ....
> > > helper.c: In function `StatefulEnqueue':
> > > helper.c:688: warning: suggest parentheses around assignment used as
> > > truth value
> > > helper.c:689: warning: implicit declaration of function
> > > `helperStatefulSpawnServers'
> > > ....
> > >
> > > gcc -o squid -g access_log.o acl.o asn.o authenticate.o cache_cf.o
> > > CacheDigest.o cache_manager.o carp.o
> > > cbdata.o client_db.o client_side.o comm.o comm_select.o debug.o disk.o
> > > dns_internal.o errorpage.o ETag.o event.o fd.o filemap.o forward.o
> > > fqdncache.o ftp.o globals.o gopher.o helper.o http.o HttpStatusLine.o
> > > HttpHdrCc.o HttpHdrRange.o HttpHdrContRange.o HttpHeader.o
> > > HttpHeaderTools.o HttpBody.o HttpMsg.o HttpReply.o
> > > HttpRequest.o icmp.o
> > > icp_v2.o icp_v3.o ident.o internal.o ipc.o ipcache.o logfile.o main.o
> > > mem.o MemPool.o MemBuf.o mime.o multicast.o neighbors.o net_db.o
> > > Packer.o pconn.o peer_digest.o peer_select.o redirect.o referer.o
> > > refresh.o repl_modules.o send-announce.o snmp_core.o
> > > snmp_agent.o ssl.o
> > > stat.o StatHist.o String.o stmem.o store.o store_io.o store_client.o
> > > store_digest.o store_dir.o store_key_md5.o store_log.o store_modules.o
> > > store_rebuild.o store_swapin.o store_swapmeta.o store_swapout.o
> > > string_arrays.o
> > > tools.o unlinkd.o url.o urn.o useragent.o wais.o wccp.o whois.o
> > > fs/ufs.a repl/lru.a -L../lib -lcrypt -L../snmplib -lsnmp -lmiscutil
> > > -lm -lresolv -lnsl
> > > helper.o: In function `StatefulEnqueue':
> > > /DOWN/squid-ntlm/src/helper.c:689: undefined reference to
> > > `helperStatefulSpawnServers'
> > > collect2: ld returned 1 exit status
> > > make[2]: *** [squid] Error 1
> > > make[2]: Leaving directory `/DOWN/squid-ntlm/src'
> > > make[1]: *** [all] Error 2
> > > make[1]: Leaving directory `/DOWN/squid-ntlm/src'
> > > make: *** [all] Error 1
> > > fwi:/DOWN/squid-ntlm #
> > >
> > > > OK. What can I do???
> > >
> > > cu
> > >
> > > Thomas
> > >
> > >
> > > Robert Collins wrote:
> > > >
> > > > Thomas,
> > > > please keep replies cc:d to the list. Thanks.
> > > >
> > > > > are you looking in "ntlm_auth_modules" or "auth_modules"? See 1. key
> > > > > changes to squid below.
> > > >
> > > > Rob
> > > >
> > > > ----- Original Message -----
> > > > From: <thomas@tomys.de>
> > > > To: "Robert Collins" <robert.collins@itdomain.com.au>
> > > > Sent: Wednesday, September 20, 2000 6:04 AM
> > > > Subject: Re: [SQU] automatic smb_auth
> > > >
> > > > > > Hello,
> > > > > >
> > > > > > sorry, but I cannot find the ntlm-auth source-code. I downloaded the
> > > > > > CVS-tree and some sourcepackages. There are only
> > > > > > auth_modules/multi-domain-NTLM/smb_auth.pl
> > > > > >
> > > > > > please tell me where I can find the ntlm-source.
> > > > >
> > > > > cu
> > > > > Thomas
> > > > >
> > > > > > > Well it's not well documented yet... but here's a quick list of
> > > > > > > things to do & notes about ntlm auth.
> > > > > > > Hey kinkie have I missed anything drastic? I might turn this list
> > > > > > > into the start of our HOW-TO ...
> > > > > > >
> > > > > > >
> > > > > > > 0. background
> > > > > > > - within HTTP there are three common authentication types: BASIC,
> > > > > > > DIGEST, NTLM. Of these only BASIC and DIGEST are official
> > > > > > > http authentication protocols. Basic authentication is clear text.
> > > > > > > digest uses a challenge-response format, as does NTLM.
> > > > > > > - Challenge-response helpers in squid cannot be tested from the
> > > > > > > command-line for two reasons. One: the helper needs the base64 data
> > > > > > > from the client to correctly interpret and verify the
> > > > > > > authentication request. Two: the authentication requests are
> > > > > > > stateful, so you need to generate the correct response to the 1st
> > > > > > > result the helper gives you.
> > > > > > > - NTLM and proxies. NTLM was not designed with stateless (ie HTTP)
> > > > > > > environments in mind. MS have got it to work, via a massive hack on
> > > > > > > the protocol. It DOES NOT WORK THROUGH PROXIES. Only the first hop
> > > > > > > can be NTLM authenticated. This includes MS's IIS based proxy
> > > > > > > products. NTLM will also not work with transparent proxies (same
> > > > > > > reason as BASIC authentication doesn't), so please, don't ask.
> > > > > > > 1. key changes to squid
> > > > > > > - the auth_modules directory is largely irrelevant for ntlm based
> > > > > > > environments. The helpers in auth_modules are BASIC helpers only.
> > > > > > > This includes the smb_auth, MSNT and multi-domain-NTLM.
> > > > > > > - there is a new directory ntlm_auth_helpers that contains the NTLM
> > > > > > > helper source programs.
> > > > > > > - the default ./configure will not enable any authentication code in
> > > > > > > squid (great for ISP's). New configuration directives allow
> > > > > > > basic auth, the basic auth modules to build, ntlm-auth, and the
> > > > > > > ntlm auth modules to build to be handled separately. Compiling in
> > > > > > > both basic and ntlm auth will allow you to 'fall back' to basic
> > > > > > > authentication if a browser does not support NTLM.
> > > > > > > 2. howto get NTLM authentication working
> > > > > > > - download the source
> > > > > > > - configure with (at a minimum) --enable-ntlm-authentication and
> > > > > > > --enable-ntlm-auth-modules=NTLMSSP
> > > > > > > - check the ntlmssp source code for any hardcoded parameters (it's
> > > > > > > only just stabilised, there may be some 'magic' in the source at
> > > > > > > the moment). Also the command-line format is documented in the
> > > > > > > source.
> > > > > > > - you can use fakeauth or no_check if you just want to validate the
> > > > > > > username, but not check the password/login time limits.
> > > > > > > - compile and install squid
> > > > > > > - edit the squid.conf to specify the ntlm_authentication_helper
> > > > > > > command-line and at least one proxy_auth acl entry.
> > > > > > > - cross fingers (:-]) and use internet explorer FROM A DOMAIN USER
> > > > > > > ACCOUNT to surf the web.
> > > > > >
> > > > > > Rob
> > > > > >
> > > > > >
> > > > > > Thomas Goebel wrote:
> > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > sorry, I installed NTLM. But it does not work.
> > > > > > > > I tried at the command line to authenticate with smp_auth.pl and
> > > > > > > > this also did not work.
> > > > > > > >
> > > > > > > > Please help. Where can I get information on NTLM?
> > > > > > >
> > > > > > > cu
> > > > > > >
> > > > > > > Thomas
> > > > > > >
> > > > > > > Robert Collins wrote:
> > > > > > > >
> > > > > > > > > This is exactly what the recently developed NTLM authentication
> > > > > > > > > for squid does.
> > > > > > > > >
> > > > > > > > > It uses MS challenge handshaking authentication protocol (CHAP)
> > > > > > > > > for the browser. You need internet explorer 3 or newer to use it.
> > > > > > > >
> > > > > > > > Rob
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Thomas Goebel" <thomas@an-netz.de>
> > > > > > > > To: <squid-users@ircache.net>; <linuxml@hekkihek.hacom.nl>
> > > > > > > > Sent: Tuesday, September 19, 2000 11:36 PM
> > > > > > > > Subject: [SQU] automatic smb_auth
> > > > > > > >
> > > > > > > > > > Hello,
> > > > > > > > > >
> > > > > > > > > > is it possible to perform the authentication against the
> > > > > > > > > > proxy automatically, invisible to the Windows user.
> > > > > > > > > > The Microsoft IIS authenticates the user, logged in at the
> > > > > > > > > > workstation, automatically.
> > > > > > > > >
> > > > > > > > > cu
> > > > > > > > >
> > > > > > > > > Thomas
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > > To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
> > > > > > > > >
> > > > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > >
> > > > > ################################################
> > > > > > # Thomas Goebel <System Administrator> #
> > > > > > # #
> > > > > > # E-Mail: thomas@an-netz.baynet.de #
> > > > > > # #
> > > > > > # Deputy Chairman of the #
> > > > > > # Traegerverein-Buergernetz-Ansbach-Netz e.V. #
> > > > > ################################################
> > > > > # Server-URL: www.an-netz.baynet.de #
> > > > > # #
> > > > > # SysAdmin: #
> > > > > # Felix Risling <felix@an-netz.baynet.de> #
> > > > > # Thomas Goebel <thomas@an-netz.baynet.de> #
> > > > > ################################################
> > > > >
> > > >
> > > > --
> > > > To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
> > >
>
>
>

Received on Sat Oct 07 2000 - 18:47:32 MDT
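
Added example (not part of the original thread, and not Squid's or the NTLMSSP helper's code): both errors discussed above concern the shape and order of the client's NTLM tokens, so this Python code decodes `NTLM <base64>` header values and checks that one connection carries a negotiate token followed by an authenticate token. The NTLMSSP header layout (8-byte signature, then a little-endian message type) is the standard wire format; the function names and the sample tokens are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def classify_ntlm_header(value):
    """Return the NTLM message type in 'NTLM <base64>' or raise ValueError."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob.strip():
        raise ValueError("not an NTLM header with a token")
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("token is not valid base64") from exc
    # Every NTLMSSP message starts with an 8-byte signature followed by a
    # 32-bit little-endian message type.
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    if msg_type not in MESSAGE_TYPES:
        raise ValueError("unknown NTLM message type %d" % msg_type)
    return MESSAGE_TYPES[msg_type]


def check_connection(client_headers):
    """Walk the client tokens seen on ONE connection and report the first
    place where the stateful order (negotiate, then authenticate) breaks."""
    expected = "negotiate"
    for index, value in enumerate(client_headers):
        try:
            kind = classify_ntlm_header(value)
        except ValueError as exc:
            return "request %d: bad token (%s)" % (index, exc)
        if kind != expected:
            return "request %d: got %s, expected %s" % (index, kind, expected)
        expected = "authenticate" if kind == "negotiate" else "nothing further"
    return "ok" if expected == "nothing further" else "incomplete: no " + expected


def make_token(msg_type, body=b""):
    """Build a constructed sample header value (not a real capture)."""
    raw = NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + body
    return "NTLM " + base64.b64encode(raw).decode("ascii")


NEGOTIATE = make_token(1, struct.pack("<I", 0x00000207))  # constructed flags
AUTHENTICATE = make_token(3)                              # header only
```

`check_connection([NEGOTIATE, AUTHENTICATE])` returns `"ok"`, while two authenticate tokens in a row or a token without the NTLMSSP signature are reported with the index of the offending request.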

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:42 MST