Re: [SQU] Disable authentication Realm, No Authprompts with MS-Proxy Explorer , : Now where is the NTLM module?

From: Robert Collins <robert.collins@dont-contact.us>
Date: Mon, 16 Oct 2000 08:34:18 +1100

Hi Michael,
Before we get onto some instructions, the ntlm code is *not a module*.
SMB_Auth etc. are external programs - it makes no difference to squid what
one you use. The NTLM code changes some internal aspects of squid (the
internal path requests go through, when authentication occurs) and
also requires a new form of external helper that understands the NTLM
protocol (these new style helpers are the ntlm modules). If you'd like some
more background on how this all works I suggest a quick look through RFC
2617 which covers Basic and Digest authentication. NTLM's closest cousin in
the standards world at the moment is Digest authentication.

Anyway onto the code.

To get the code and compile it you need cvs, autoconf, autoheader and perl
already on your machine.

I'll assume you want the source files in ~/src/squid-ntlm; the build to take
place in ~/src/build-ntlm; the installed squid to be in /usr/local/squid.
squid-ntlm supports all the current squid-dev options (and has a few more).
It isn't always 100% up to date with the HEAD squid version, but that should
matter much.

Now run the following commands (1 per line):
cd ~/src
cvs -d :pserver:anonymous@cvs.sourceforge.net:/cvsroot/squid login
(press enter for the password)
cvs -z3 -d :pserver:anonymous@cvs.sourceforge.net:/cvsroot/squid co -r ntlm -d squid-ntlm squid
cd squid-ntlm
autoconf
autoheader
cd ../build-ntlm
../squid-ntlm/configure --enable-ntlm-authentication --enable-ntlm-auth-modules=NTLMSSP
make -j 6
make install

Now cd to /usr/local/squid/etc and edit your squid.conf as per normal.

Getting squid-ntlm to authenticate users is configured the same way as for
normal squid - set up a proxy_auth acl and configure the name of the NTLM
helper. (Oh, you do need a MS domain controller or a samba box running as a
DC for squid-ntlm to do real authentication. The faker and no_check modules
are for instances when you just want to log the username without access
control.)

notes:
* you can run ntlm and basic in parallel - you need to configure
with --enable-basic-authentication as well though.
* in IE make sure you turn off "use HTTP 1.1 through proxies". Squid is not
quite HTTP/1.1 and IE breaks if you do that.
* Just like with basic authentication, you cannot run squid-ntlm with
authentication as a transparent proxy. This is a protocol limitation, not a
software one.

If you have any trouble please just hop back onto the list.

Rob

----- Original Message -----
From: "Dr. Michael Weller" <eowmob@exp-math.uni-essen.de>
To: <squid-users@ircache.net>
Sent: Monday, October 16, 2000 3:34 AM
Subject: [SQU] Disable authentication Realm, No Authprompts with MS-Proxy
Explorer , : Now where is the NTLM module?

> On Sun, 15 Oct 2000, Dr. Michael Weller wrote:
>
> > Sorry for the noise, I got a pointer to the NTLM module already.
> > If I have problems I'll get back to the list, thx already.
>
> Well, I didn't expect having to call you that early, but I can't get hold
> of Robert Collins' NTLM module.
>
> Note that I'm not interested in the NT based authentication, I've a
> (third party) smb_auth module well working. It is the feature that makes
> the MS-Explorer authenticate itself, probably triggered by the specific
> Proxy Authentication lines, which I need.
>
> Now, I cannot find any of the directories, commands, config options
> mentioned in the related posts in any of the (development) versions
> I downloaded as tarball.
>
> Even cvs reports that there is no ntlm (lower or uppercase) although it
> was said so in the mails. Robert Collins' mails, however, are old.
>
> I desperately want to give these patches (though alpha) a try. But where
> can I find them?
>
> Michael.
>
> --
>
> Michael Weller: eowmob@exp-math.uni-essen.de, eowmob@ms.exp-math.uni-essen.de,
> or even mat42b@spi.power.uni-essen.de. If you encounter an eowmob account on
> any machine in the net, it's very likely it's me.
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html

Received on Sun Oct 15 2000 - 15:32:27 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:45 MST
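
Added example, not part of the original message or of Squid's code: a small Python decoder for the NTLM tokens carried in Proxy-Authenticate / Proxy-Authorization header values, showing the three-message exchange that a helper which "understands the NTLM protocol" has to follow, and that the user name only arrives in the third message. The field offsets follow the publicly documented NTLMSSP layout; `decode_ntlm_header` and `sample_type3` are hypothetical names, and the sample message is constructed.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}
NEGOTIATE_UNICODE = 0x00000001


def _field(msg, off):
    """Return the bytes named by the security buffer (len, maxlen, offset) at off."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length]


def decode_ntlm_header(value):
    """Decode an 'NTLM <base64>' Proxy-Authenticate/Proxy-Authorization value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header value")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype not in TYPES:
        raise ValueError("unknown NTLM message type")
    info = {"type": TYPES[mtype]}
    if mtype == 2 and len(msg) >= 32:
        info["challenge"] = msg[24:32].hex()      # 8-byte server nonce
    elif mtype == 3 and len(msg) >= 64:           # assumes the flags field at offset 60
        (flags,) = struct.unpack_from("<I", msg, 60)
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        info["domain"] = _field(msg, 28).decode(enc)
        info["user"] = _field(msg, 36).decode(enc)
    return info


def sample_type3(domain, user):
    """Build a constructed type 3 message (empty responses) for the demo."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    empty = struct.pack("<HHI", 0, 0, 64)
    head = SIGNATURE + struct.pack("<I", 3) + empty + empty   # LM, NT responses
    head += struct.pack("<HHI", len(d), len(d), 64)           # domain
    head += struct.pack("<HHI", len(u), len(u), 64 + len(d))  # user
    head += empty + empty + struct.pack("<I", NEGOTIATE_UNICODE)  # host, key, flags
    return "NTLM " + base64.b64encode(head + d + u).decode()
```

Because the challenge in message 2 and the reply in message 3 belong to one exchange, a proxy has to pair them up itself, unlike Basic, where every request carries the full credential.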