Re: [SQU] Disable authentication Realm, No Authprompts with MS-Proxy Explorer , : Now where is the NTLM module?

From: Dr. Michael Weller <eowmob@dont-contact.us>
Date: Wed, 18 Oct 2000 10:51:07 +0200 (MESZ)

Ok, thanx, some more followups/comments from my side:

On Wed, 18 Oct 2000, Robert Collins wrote:

> > c) default squid.conf uses authenticate_program rather than
> > authenticate_program_ntlm for the ntlm helper. I'm also
> > under the impression that a keyword proxy_auth_ntlm is accepted
> > in acl commands but has no function, btw.
>
> no it doesn't - when you build squid-ntlm the squid.conf.default has two
> parameters - authenticate_program and authenticate_program_ntlm - they can
> be used in parallel.

Sorry, misunderstanding!: I meant the squid.conf.default suggests

authenticate_program <name of html helper>

(and later in the file suggests the same command for the basic
authentication agent) whereas it really should be
authenticate_program_ntlm. Nothing serious, rather a typo in the comments
of squid.conf.default.

> proxy_auth_ntlm is/was an experiment looking at different proxy_auth lines
> for different proxy authentication types - which we no longer need. I'll do
> something about that.

That's what I guessed.

And sorry there were some other tweaks in the building process I forgot to
mention yesterday:

Building as you described does not work right away because the icons are
packed in a shar archive. I assume this is to aid CVS revisioning, but
maybe the Makefile should unpack the shar archive then?

make install does not install the ntlm-helper applications (only checked
NTLMSSP)

ntlm-helper applications are not correctly rebuilt when certain header
files are touched. I assume broken/missing dependencies.

> > And now to a real bug and then my problem:
> >
> > e) It seems I need to specify the DC by netbios name and ensure it can be
...
> Just use the ip of the PDC. Netbios name resolution is not performed - see
> above.

This does not work for me. Not only does it send the IP as string for
caller to the DC when connecting (which might be ok) but ntlm-auth tries
to resolve it as a name first which somehow does not just fail but makes
it use the ip of the name server. Yes, you are reading right. In my
example I specify DOMAIN\10.1.1.15 and it does connect to 10.1.1.14
which is the name server, who obviously is not interested in the
connection to the DC.

I assume not correctly checked error return values and/or misuse of the
static buffers libc uses for name resolution. It might be
libc-implementation dependent, hence Linux-specific.

> > f) This is now a real problem for me: It seems that I can have only
> > one proxy_auth acl active at one time. What do I mean by that, well if
[..]
> The \ I will look into. The symbolic link issue - does it happen with other
> files in similar circumstances? (We don't touch file io in the modifications
> needed to run squid-ntlm)

No, only with proxy_auth. Honestly I can't believe it myself. For now it
might well be I just confused some things here because I tried so many
things here. I can only definitely tell that more than one proxy_auth
checked does not work. It might be that if I do more than one
proxy_auth REQUIRED it works (but I think my acls would have aborted after
the first then), but if there is at least one unmatched proxy_auth
<username> the second one will be disconnected.

> Yes . Please search the archives for messages from Thomas regarding ntlm - I
> asked him to rebuild the helper with debug on, and set some squid debug
> levels. If you could do that (no need for the header grabber at this point)
> and send me the log that'd be great.

Ok, I already played with the RCNF_DEBUG (sp?) variable. I'll do that this
afternoon, I hope you'll get the results in due time cause of the time
shift.

Michael.

--
Michael Weller: eowmob@exp-math.uni-essen.de, eowmob@ms.exp-math.uni-essen.de,
or even mat42b@spi.power.uni-essen.de. If you encounter an eowmob account on
any machine in the net, it's very likely it's me.
Received on Wed Oct 18 2000 - 11:04:55 MDT
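
One defensive way to handle a controller given as DOMAIN\10.1.1.15, as in the message above: parse the address literal before any resolver call, check every return value, and copy the result into caller-owned storage. This is an added example, not code from Squid or its NTLM helper; the function name resolve_controller and its return codes are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for getaddrinfo under strict -std modes */
#endif
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Hypothetical helper: split "DOMAIN\controller" and resolve the controller
 * to an IPv4 address stored in *out (caller-owned, no libc static buffers).
 * Returns 0 on success, -1 on a malformed spec, -2 if resolution fails. */
int resolve_controller(const char *spec, char *domain, size_t dlen,
                       struct in_addr *out)
{
    const char *sep = strchr(spec, '\\');
    if (sep == NULL || sep == spec || sep[1] == '\0')
        return -1;                       /* need both DOMAIN and controller */
    size_t n = (size_t)(sep - spec);
    if (n >= dlen)
        return -1;                       /* domain would not fit */
    memcpy(domain, spec, n);
    domain[n] = '\0';
    const char *host = sep + 1;

    /* Dotted-quad literal: convert directly, never consult a name server. */
    if (inet_pton(AF_INET, host, out) == 1)
        return 0;

    /* Real host name: reentrant lookup, checked, copied out before free. */
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, NULL, &hints, &res) != 0 || res == NULL)
        return -2;                       /* fail closed, no fallback address */
    *out = ((struct sockaddr_in *)res->ai_addr)->sin_addr;
    freeaddrinfo(res);
    return 0;
}

int main(void)
{
    char dom[32], ip[INET_ADDRSTRLEN];
    struct in_addr a;
    int rc = resolve_controller("DOMAIN\\10.1.1.15", dom, sizeof dom, &a);
    if (rc == 0 && inet_ntop(AF_INET, &a, ip, sizeof ip))
        printf("domain=%s controller=%s\n", dom, ip);
    return rc == 0 ? 0 : 1;
}
```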