RE: I know the Problem with ntlm

From: Robert Collins <robert.collins@dont-contact.us>
Date: Tue, 10 Oct 2000 18:03:50 +1100

Thomas,
        can you please cc your replies on this discussion to the list: I
am not the only squid-ntlm developer.

Having looked into case-sensitivity for usernames, I don't know if
ldap/unix systems will allow test and Test to be different usercodes,
but in case they do I am not going to make the username check
case-insensitive for that reason. What I will do is make sure that the
username returned from NTLM is always uppercase.

The usernames are of the format domain\user because that is the couple
used by MS who wrote the spec. (It's not a feature, it's what the decode
process returns). A similar issue exists with domain names where you
have www.foo.net or www. Just using www can result in confusion. So just
using GOEBELT could be a problem, i.e. what if you have two user
domains, and a repeated username across them?

What we could do is get the helper to return just the username component
(turned on or off with a command switch) - kinkie what do you think? The
helper should do it as it is where caching and optimisations are being
placed at this point.

More later when I've done my investigating...

Thanks
Rob

> -----Original Message-----
> From: Thomas Goebel [mailto:thomas@an-netz.de]
> Sent: Tuesday, 10 October 2000 5:23 PM
> To: Robert Collins
> Subject: Re: I know the Problem with ntlm
>
>
> Hello,
>
> Robert Collins wrote:
> >
> > Hi Thomas.
> >
> > yes your usernames need to be uppercase for NTLM. I'll checkin a fix
> > allowing case-insensitive usernames for this in the next day or two
> > (when I get time to touch the code again).
> >
> > There is something strange happening in two places:
> > The returned username that squid found the first time was
> > "HERPA\GOEBELT"
> > then squid got HERPA\GOEBEL which wouldn't be found - this will need
> > further investigation. (but the log should provide enough information).
>
> Yes, I see it. For this case I add the lines HERPA\GOEBEL and
> HERPA\GOEBELT in my user-file.
> But why does ntlm look for DOMAIN\USER and not only for USER in the user-file,
> like the basic authentication?
>
> OK, with this feature I can control the login domain for a specified
> domain. We have only one domain and don't need this feature. Is it
> possible to verify if a "default-domain" is given, like "-d herpa", to
> disable DOMAIN/USER checking and only verify the USER in the
> user-file?
>
> BTW: The basic authentication is also case-sensitive.
>
> > Do you mind if I forward the log to kinkie (who has done the NTLMSSP
> > helper) to see why the HERPA\GOEBEL response was created?
>
> No problemo.
>
> > The second strange thing is that auth requests from IE are being
> > received with no negotiate step!
> > I'm going to dig into that and some funny stuff happening with the
> > request passing tonight (GMT+10), and I'll mail out when I have a
> > solution, or if I need some more debugging from you.
>
> This test was made with the WIN98+IE 5 (disc. in prev. mail).
> The same happens with the WinNT workstation.
>
>
> cu
>
> Thomas
>
>
>
> >
> > > -----Original Message-----
> > > From: Thomas Goebel [mailto:thomas@an-netz.de]
> > > Sent: Monday, 9 October 2000 11:53 PM
> > > To: Robert Collins
> > > Subject: I know the Problem with ntlm
> > >
> > >
> > > Hello,
> > >
> > > the problem is in the authentication mechanism to find an entry in my
> > > user_allow-file
> > >
> > > acl domainusers proxy_auth "/etc/squid/proxy_user_allow.txt"
> > >
> > > Only when I add these lines
> > > GoebelT # for Basic authentication
> > > HERPA\GOEBEL
> > > HERPA\GOEBELT
> > > herpa\goebelt
> > > herpa\goebel
> > > goebelt # for Basic authentication
> > >
> > > to the proxy_user_allow.txt file, I can download some html/img from the
> > > browser starting page BUT not the whole page. After they have downloaded
> > > some images and text they ask me again for a login/passwd.
> > >
> > > If I enter the user and password I must be careful with upper and
> > > lowercase.
> > >
> > > But I don't know why the loading of the first page stops?!?
> > >
> > > In the cache.log file I sent, I have marked the point where the
> > > authentication window comes on the screen.
> > >
> > > I hope you can patch this, so that I need only one entry in the
> > > user-allow file. :-))
> > >
> > > cu
> > >
> > > Thomas
> > >
>
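An added example, not Squid's code and not the squid-ntlm helper, sketching how a proxy_auth allow-list lookup could treat the DOMAIN\user names the helper returns: Rob's uppercase normalisation, the "-d herpa" default-domain check Thomas asks for, and the username-only helper switch Rob floats, including the cross-domain collision he warns about. The allow-list contents and all function names are constructed for the example.

```python
# Constructed allow-list in the style of Thomas's proxy_user_allow.txt
# ('#' starts a comment, as in his file).
ALLOW_FILE = r"""
GoebelT # for Basic authentication
HERPA\GOEBELT
"""


def normalize(name: str) -> str:
    """Rob's plan: uppercase whatever the helper returns, so case no longer matters."""
    return name.strip().upper()


def split_domain(name: str):
    """'HERPA\\GOEBELT' -> ('HERPA', 'GOEBELT'); a bare name has no domain part."""
    domain, sep, user = name.partition("\\")
    return (domain, user) if sep else (None, domain)


def load_allow_list(text: str) -> set:
    """One entry per line, comments stripped, everything normalised to uppercase."""
    entries = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            entries.add(normalize(entry))
    return entries


def is_allowed(helper_name: str, allow: set, default_domain=None,
               user_only=False) -> bool:
    """default_domain: Thomas's '-d herpa' idea, a bare USER entry is accepted
    for that one domain only.  user_only: Rob's proposed helper switch, the
    USER part is matched for every domain, so two domains sharing a username
    become indistinguishable (the collision Rob points out)."""
    full = normalize(helper_name)
    domain, user = split_domain(full)
    if full in allow:                      # exact DOMAIN\USER entry present
        return True
    if user_only:
        return user in allow
    if default_domain is not None and domain == normalize(default_domain):
        return user in allow
    return False
```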

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Tue Oct 10 2000 - 01:07:42 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:43 MST