Re:

From: Robert Collins <robert.collins@dont-contact.us>
Date: Mon, 9 Oct 2000 08:00:21 +1100

Hi Thomas,
    I don't think there is anything wrong with your config file. The log
entries you had showed a definite failure in the NTLM authentication.

    Can you also supply the version and service pack of 98 you are running?
Are you running the AD add-on or NTLMv2 for win98?

You also need to be logged into a domain to use ntlm. If you are not logged
into a domain then the authentication will always fail. You shouldn't
actually see the three line dialog for login in IE once this is working, IE
logs into the cache without prompting.

Anyway, drop me the logs and I'll see what I can see.

Rob

----- Original Message -----
From: "thomas" <thomas@an-netz.de>
To: "Robert Collins" <robert.collins@itdomain.com.au>
Cc: <tom@tomys.de>
Sent: Monday, October 09, 2000 2:25 AM

> Hello Robert,
>
> I compile the programs on Monday (at work).
>
> I forgot to tell you that when I open IE on the Win98 PC it shows me a
> window with login/pass/domain. I think it is the same as when I start the
> Win98 PC and log in to our domain.
>
> Is there something wrong with my squid.conf configuration? (I send it)
>
> My acl line looks like
> acl domainuser proxy_auth "/etc/squid/proxy_user.txt"
>
> When I have new results I will send them.
> I hope that you have time for this problem.
>
> cu
>
> Thomas
>
>
>
>
>
> Robert Collins wrote:
>
> > Thomas,
> > With NTLM authentication, each successful connection should show
> > TCP_DENIED/407
> > TCP_DENIED/407
> > and then the miss/refresh etc.
> >
> > This is due to the stateful authentication mechanism.
> >
> > The error you are getting, "bad NTLM negotiate request" from
> > aclLookupProxyNTLMAuthDone, indicates that the ntlm helper couldn't parse
> > your browser's ntlm negotiate packet, whilst the
> > "huh? got two authentications in a row" indicates that the NTLMSSP helper
> > received two authentication requests in a row - which it shouldn't have.
> >
> > Can you please rebuild the NTLMSSP helper with debug on, and
> > set squid's debug to
> > ALL,1 34,4 14,4 28,6 29,6
> > delete your cache.log
> > and then retry using it, and send me (out of band) the cache.log file from
> > squid (probably as tar.bz2 if it's big).
> >
> > Rob
> >
> > ----- Original Message -----
> > From: "Thomas Goebel" <thomas@an-netz.de>
> > To: "Robert Collins" <robert.collins@itdomain.com.au>
> > Cc: <squid-users@ircache.net>
> > Sent: Saturday, October 07, 2000 12:39 AM
> > Subject: Re: Squid-ntlm compiling problems #2-1
> >
> >
> > > Hello,
> > >
> > > I forgot the entry in cache.log.
> > >
> > > Here it is.
> > >
> > > Huh? Got two authentications in a row
> > > SMB_SessSetupAndX failed with errorclass = 1, Error Code = 5
> > > ntlm-auth: ERR authentication failure
> > > 2000/10/06 15:38:08| aclLookupProxyNTLMAuthDone: bad NTLM negotiate
> > > request recieved on FD:19.
> > >
> > >
> > >
> > >
> > > cu
> > >
> > > Thomas
> > >
> > > Hello,
> > >
> > > Now I try to connect with IE and this happened:
> > >
> > > 192.6.0.52 HERPA%5cgoebelt - [06/Oct/2000:15:39:34 +0200] "GET http://www.msn.de/ HTTP/1.0" 407 1379 TCP_DENIED:NONE
> > >
> > > I log in to the domain as goebelt.
> > >
> > > What's wrong??
> > >
> > > Here are my squid.conf lines which I add to my old squid.conf:
> > >
> > > -authenticate_program_ntlm
> > > /squid-ntlm/ntlm_auth_modules/NTLMSSP/ntlm_auth -d herpa -s ntserver1
> > >
> > > -authenticate_ntlm_default_domain herpa
> > >
> > > cu
> > >
> > > Thomas
> > >
> > > Robert Collins wrote:
> > > >
> > > > Thomas,
> > > > Sorry I didn't reply to the first email, I was very busy this
> > > > week.
> > > >
> > > > please delete lines 688 and 689 from helper.c. They snuck into CVS.
> > > > (oops!)
> > > >
> > > > I'll commit a fix to CVS tomorrow.
> > > >
> > > > Rob
> > > >
> > > > > -----Original Message-----
> > > > > From: Thomas Goebel [mailto:thomas@an-netz.de]
> > > > > Sent: Friday, 6 October 2000 5:12 PM
> > > > > To: Robert Collins
> > > > > Cc: squid-users@ircache.net
> > > > > Subject: Squid-ntlm compiling problems #2
> > > > >
> > > > >
> > > > > Hello list and Robert,
> > > > >
> > > > > now I have time to install squid-ntlm.
> > > > >
> > > > > Here is what I have done:
> > > > >
> > > > > step 1
> > > > > fwi:/DOWN/squid-ntlm # autoconf
> > > > > configure.in:905: warning: AC_TRY_RUN called without default to allow cross compiling
> > > > > configure.in:999: warning: AC_TRY_RUN called without default to allow cross compiling
> > > > > configure.in:1000: warning: AC_TRY_RUN called without default to allow cross compiling
> > > > > configure.in:1001: warning: AC_TRY_RUN called without default to allow cross compiling
> > > > > configure.in:1275: warning: AC_TRY_RUN called without default to allow cross compiling
> > > > > fwi:/DOWN/squid-ntlm #
> > > > >
> > > > > step2
> > > > > fwi:/DOWN/squid-ntlm # autoheader
> > > > > configure.in:905: warning: AC_TRY_RUN called without default to allow cross compiling
> > > > > configure.in:1275: warning: AC_TRY_RUN called without default to allow cross compiling
> > > > > fwi:/DOWN/squid-ntlm #
> > > > >
> > > > > step3
> > > > > fwi:/DOWN/squid-ntlm # ./configure --enable-ntlm-authentication
> > > > > --enable-ntlm-auth-modules=NTLMSSP --enable-snmp
> > > > > --enable-basic-authentication
> > > > >
> > > > > works without errors!!!
> > > > >
> > > > > step4
> > > > > fwi:/DOWN/squid-ntlm # make
> > > > > ....
> > > > > helper.c: In function `StatefulEnqueue':
> > > > > helper.c:688: warning: suggest parentheses around assignment used as truth value
> > > > > helper.c:689: warning: implicit declaration of function `helperStatefulSpawnServers'
> > > > > ....
> > > > >
> > > > > gcc -o squid -g access_log.o acl.o asn.o authenticate.o cache_cf.o
> > > > > CacheDigest.o cache_manager.o carp.o
> > > > > cbdata.o client_db.o client_side.o comm.o comm_select.o debug.o disk.o
> > > > > dns_internal.o errorpage.o ETag.o event.o fd.o filemap.o forward.o
> > > > > fqdncache.o ftp.o globals.o gopher.o helper.o http.o HttpStatusLine.o
> > > > > HttpHdrCc.o HttpHdrRange.o HttpHdrContRange.o HttpHeader.o
> > > > > HttpHeaderTools.o HttpBody.o HttpMsg.o HttpReply.o
> > > > > HttpRequest.o icmp.o
> > > > > icp_v2.o icp_v3.o ident.o internal.o ipc.o ipcache.o logfile.o main.o
> > > > > mem.o MemPool.o MemBuf.o mime.o multicast.o neighbors.o net_db.o
> > > > > Packer.o pconn.o peer_digest.o peer_select.o redirect.o referer.o
> > > > > refresh.o repl_modules.o send-announce.o snmp_core.o
> > > > > snmp_agent.o ssl.o
> > > > > stat.o StatHist.o String.o stmem.o store.o store_io.o store_client.o
> > > > > store_digest.o store_dir.o store_key_md5.o store_log.o store_modules.o
> > > > > store_rebuild.o store_swapin.o store_swapmeta.o store_swapout.o
> > > > > string_arrays.o
> > > > > tools.o unlinkd.o url.o urn.o useragent.o wais.o wccp.o whois.o
> > > > > fs/ufs.a repl/lru.a -L../lib -lcrypt -L../snmplib -lsnmp -lmiscutil
> > > > > -lm -lresolv -lnsl
> > > > > helper.o: In function `StatefulEnqueue':
> > > > > /DOWN/squid-ntlm/src/helper.c:689: undefined reference to
> > > > > `helperStatefulSpawnServers'
> > > > > collect2: ld returned 1 exit status
> > > > > make[2]: *** [squid] Error 1
> > > > > make[2]: Leaving directory `/DOWN/squid-ntlm/src'
> > > > > make[1]: *** [all] Error 2
> > > > > make[1]: Leaving directory `/DOWN/squid-ntlm/src'
> > > > > make: *** [all] Error 1
> > > > > fwi:/DOWN/squid-ntlm #
> > > > >
> > > > > OK. What can I do???
> > > > >
> > > > > cu
> > > > >
> > > > > Thomas
> > > > >
> > > > >
> > > > > Robert Collins wrote:
> > > > > >
> > > > > > Thomas,
> > > > > > please keep replies cc:d to the list. Thanks.
> > > > > >
> > > > > > are you looking in "ntlm_auth_modules" or "auth_modules"? see 1. key changes
> > > > > > to squid below.
> > > > > >
> > > > > > Rob
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: <thomas@tomys.de>
> > > > > > To: "Robert Collins" <robert.collins@itdomain.com.au>
> > > > > > Sent: Wednesday, September 20, 2000 6:04 AM
> > > > > > Subject: Re: [SQU] automatic smb_auth
> > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > sorry, but I cannot find the ntlm-auth source code. I downloaded the
> > > > > > > CVS tree and some source packages. There is only
> > > > > > > auth_modules/multi-domain-NTLM/smb_auth.pl
> > > > > > >
> > > > > > > Please tell me where I can find the ntlm source.
> > > > > > >
> > > > > > > cu
> > > > > > > Thomas
> > > > > > >
> > > > > > > > Well it's not well documented yet... but here's a quick list of things to do &
> > > > > > > > notes about ntlm auth.
> > > > > > > > Hey kinkie have I missed anything drastic? I might turn this list into the
> > > > > > > > start of our HOW-TO ...
> > > > > > > >
> > > > > > > >
> > > > > > > > 0. background
> > > > > > > > - within HTTP there are three common authentication types: BASIC,
> > > > > > > > DIGEST, NTLM. Of these only BASIC and DIGEST are official
> > > > > > > > http authentication protocols. Basic authentication is clear text. digest
> > > > > > > > uses a challenge-response format, as does NTLM.
> > > > > > > > - Challenge-response helpers in squid cannot be tested from the command-line
> > > > > > > > for two reasons. One: the helper needs the base64 data
> > > > > > > > from the client to correctly interpret and verify the authentication request.
> > > > > > > > Two: the authentication requests are stateful, so you need to
> > > > > > > > generate the correct response to the 1st result the helper gives you.
> > > > > > > > - NTLM and proxies. NTLM was not designed with stateless (ie HTTP)
> > > > > > > > environments in mind. MS have got it to work, via a massive hack on the
> > > > > > > > protocol. It DOES NOT WORK THROUGH PROXIES. Only the first hop can be NTLM
> > > > > > > > authenticated. This includes MS's IIS based proxy products. NTLM will also
> > > > > > > > not work with transparent proxies (same reason as BASIC authentication
> > > > > > > > doesn't) so please, don't ask.
> > > > > > > > 1. key changes to squid
> > > > > > > > - the auth_modules directory is largely irrelevant for ntlm based
> > > > > > > > environments. The helpers in auth_modules are BASIC helpers only. This
> > > > > > > > includes the smb_auth, MSNT and multi-domain-NTLM.
> > > > > > > > - there is a new directory ntlm_auth_helpers that contains the NTLM helper
> > > > > > > > source programs.
> > > > > > > > - the default ./configure will not enable any authentication code in squid
> > > > > > > > (great for ISP's). New configuration directives allow
> > > > > > > > basic auth, the basic auth modules to build, ntlm-auth, and the ntlm auth
> > > > > > > > modules to build to be handled separately. Compiling in both
> > > > > > > > basic and ntlm auth will allow you to 'fall back' to basic authentication if a
> > > > > > > > browser does not support NTLM.
> > > > > > > > 2. howto get NTLM authentication working
> > > > > > > > - download the source
> > > > > > > > - configure with (at a minimum) --enable-ntlm-authentication and
> > > > > > > > --enable-ntlm-auth-modules=NTLMSSP
> > > > > > > > - check the ntlmssp source code for any hardcoded parameters (it's only just
> > > > > > > > stabilised, there may be some 'magic' in the source at the moment). Also the
> > > > > > > > command-line format is documented in the source.
> > > > > > > > - you can use fakeauth or no_check if you just want to validate the username,
> > > > > > > > but not check the password/login time limits.
> > > > > > > > - compile and install squid
> > > > > > > > - edit the squid.conf to specify the ntlm_authentication_helper command-line
> > > > > > > > and at least one proxy_auth acl entry.
> > > > > > > > - cross fingers (:-]) and use internet explorer FROM A DOMAIN USER ACCOUNT to
> > > > > > > > surf the web.
> > > > > > > >
> > > > > > > > Rob
> > > > > > > >
> > > > > > > >
> > > > > > > > Thomas Goebel wrote:
> > > > > > > >
> > > > > > > > > Hello,
> > > > > > > > >
> > > > > > > > > sorry, I installed NTLM. But it does not work.
> > > > > > > > > I tried at the command line to authenticate with smp_auth.pl and this also
> > > > > > > > > did not work.
> > > > > > > > >
> > > > > > > > > Please help. Where can I get information on NTLM?
> > > > > > > > >
> > > > > > > > > cu
> > > > > > > > >
> > > > > > > > > Thomas
> > > > > > > > >
> > > > > > > > > Robert Collins wrote:
> > > > > > > > > >
> > > > > > > > > > This is exactly what the recently developed NTLM authentication for squid
> > > > > > > > > > does.
> > > > > > > > > >
> > > > > > > > > > It uses MS challenge handshaking authentication protocol (CHAP) for the
> > > > > > > > > > browser. You need internet explorer 3 or newer to use it.
> > > > > > > > > >
> > > > > > > > > > Rob
> > > > > > > > > >
> > > > > > > > > > ----- Original Message -----
> > > > > > > > > > From: "Thomas Goebel" <thomas@an-netz.de>
> > > > > > > > > > To: <squid-users@ircache.net>; <linuxml@hekkihek.hacom.nl>
> > > > > > > > > > Sent: Tuesday, September 19, 2000 11:36 PM
> > > > > > > > > > Subject: [SQU] automatic smb_auth
> > > > > > > > > >
> > > > > > > > > > > Hello,
> > > > > > > > > > >
> > > > > > > > > > > Is it possible to perform the authentication against the
> > > > > > > > > > > proxy automatically, invisible to the Windows user?
> > > > > > > > > > > The Microsoft IIS authenticates the user, logged in at the workstation,
> > > > > > > > > > > automatically.
> > > > > > > > > > >
> > > > > > > > > > > cu
> > > > > > > > > > >
> > > > > > > > > > > Thomas
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > >
> > > > > > > ################################################
> > > > > > > # Thomas Goebel <Systemadministrator> #
> > > > > > > # #
> > > > > > > # E-Mail: thomas@an-netz.baynet.de #
> > > > > > > # #
> > > > > > > # Stellvertr. Vorsitzender im #
> > > > > > > # Traegerverein-Buergernetz-Ansbach-Netz e.V. #
> > > > > > > ################################################
> > > > > > > # Server-URL: www.an-netz.baynet.de #
> > > > > > > # #
> > > > > > > # SysAdmin: #
> > > > > > > # Felix Risling <felix@an-netz.baynet.de> #
> > > > > > > # Thomas Goebel <thomas@an-netz.baynet.de> #
> > > > > > > ################################################
> > > > > > >
> > > > > >
> > > > >
> > >
> > >
> > >
> >
> >
>

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Sun Oct 08 2000 - 15:01:29 MDT
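
The two cache.log errors discussed in this thread (a negotiate packet the helper could not parse, and two authentications in a row) both concern the NTLMSSP tokens the browser sends. As an added diagnostic example (not code from Squid or its NTLMSSP helper), the Python below decodes the `NTLM <base64>` credential carried in a `Proxy-Authorization` header and checks that the tokens on one connection alternate negotiate (type 1) then authenticate (type 3). The function names and the sample tokens built by `make_token` are constructed for illustration.

```python
import base64
import binascii
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def ntlm_message_type(header_value):
    """Return the NTLMSSP message type carried in an 'NTLM <base64>' value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        raise ValueError("not an NTLM credential")
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("token is not valid base64") from exc
    # Every NTLMSSP message starts with the 8-byte signature followed by
    # a little-endian 32-bit message type.
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIG:
        raise ValueError("missing or truncated NTLMSSP header")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    if msg_type not in TYPES:
        raise ValueError("unknown NTLMSSP message type %d" % msg_type)
    return msg_type


def check_handshake(header_values):
    """Check the client tokens seen on ONE connection, in order.

    The client is expected to alternate negotiate (1), authenticate (3).
    Returns a list of (index, problem) tuples; empty means the order is sane.
    """
    problems, expected = [], 1
    for i, value in enumerate(header_values):
        try:
            seen = ntlm_message_type(value)
        except ValueError as exc:
            problems.append((i, str(exc)))
            expected = 1  # a broken token resets the handshake
            continue
        if seen != expected:
            problems.append((i, "got %s, expected %s" % (TYPES[seen], TYPES[expected])))
        expected = 3 if seen == 1 else 1
    return problems


def make_token(msg_type, body=b""):
    """Build a constructed (not captured) sample token for the checks."""
    raw = NTLMSSP_SIG + struct.pack("<I", msg_type) + body
    return "NTLM " + base64.b64encode(raw).decode("ascii")
```

A second authenticate token with no negotiate before it is reported with its index, which is the ordering problem behind the "two authentications in a row" message.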

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:43 MST