Re: [SQU] Disable authentication Realm, No Authprompts with MS-Proxy Explorer , : Now where is the NTLM module?

From: Robert Collins <robert.collins@dont-contact.us>
Date: Wed, 18 Oct 2000 21:59:04 +1100

----- Original Message -----
From: "Dr. Michael Weller" <eowmob@exp-math.uni-essen.de>
To: "Robert Collins" <robert.collins@itdomain.com.au>
Cc: <squid-users@ircache.net>
Sent: Wednesday, October 18, 2000 7:51 PM
Subject: Re: [SQU] Disable authentication Realm, No Authprompts with
MS-Proxy Explorer , : Now where is the NTLM module?

> Ok, thanx, some more followups/comments from my side:
>
> On Wed, 18 Oct 2000, Robert Collins wrote:
>
> > > c) default squid.conf uses authenticate_program rather than
> > > authenticate_program_ntlm for the ntlm helper. I'm also
> > > under the impression that a keyword proxy_auth_ntlm is accepted
> > > in acl commands but has no function, btw.
> >
> > no it doesn't - when you build squid-ntlm the squid.conf.default has two
> > parameters - authenticate_program and authenticate_program_ntlm - they can
> > be used in parallel.
>
> Sorry, misunderstanding!: I meant the squid.conf.default suggests
>
> authenticate_program <name of html helper>
>
> (and later in the file suggests the same command for the basic
> authentication agent) whereas it really should be
> authenticate_program_ntlm. Nothing serious, rather a typo in the comments
> of squid.conf.default.

Thanks, I'll get to that shortly.

> > proxy_auth_ntlm is/was an experiment looking at different proxy_auth lines
> > for different proxy authentication types - which we no longer need. I'll do
> > something about that.
> That's what I guessed.
>
> And sorry there were some other tweaks in the building process I forgot to
> mention yesterday:
>
> Building as you described does not work right away because the icons are
> packed in a shar archive. I assume this is to aid CVS revisioning, but
> maybe the Makefile should unpack the shar archive then?

This is standard for CVS. I'll note it in my emails next time I mention
downloading CVS :-] Perhaps a patch to the Makefile? (I think this is a low
priority issue as the distributions put up on squid-cache.org have the icons
compiled.)

> make install does not install the ntlm-helper applications (only checked
> NTLMSSP)

It should. Please provide details (i.e. make log).

> ntlm-helper applications are not correctly rebuilt when certain header
> files are touched. I assume broken/missing dependencies.

Please provide details. I cannot reproduce to try and fix otherwise.

> > > And now to a real bug and then my problem:
> > >
> > > e) It seems I need to specify the DC by netbios name and ensure it can be
> ...
> > Just use the ip of the PDC. Netbios name resolution is not performed - see
> > above.
>
> This does not work for me. Not only does it send the IP as string for
> caller to the DC when connecting (which might be ok) but ntlm-auth tries
> to resolve it as a name first which somehow does not just fail but makes
> it use the ip of the name server. Yes, you are reading right. In my
> example I specify DOMAIN\10.1.1.15 and it does connect to 10.1.1.14
> which is the name server, who obviously is not interested in the
> connection to the DC.
>
> I assume not correctly checked error return values and/or misuse of the
> static buffers libc uses for name resolution. It might be
> libc-implementation dependent, hence linux specific.

As before: I'll try and get to this potential coding error shortly - Kinkie
has corrected my assumption about IP addresses - thanks Kinkie!
So what you need is the Netbios name for the DC resolvable by the local
gethostbyname call. (I just checked the code).

> > > f) This is now a real problem for me: It seems that I can have only
> > > one proxy_auth acl active at one time. What do I mean by that, well if
> [..]
> > The \ I will look into. The symbolic link issue - does it happen with other
> > files in similar circumstances? (We don't touch file io in the modifications
> > needed to run squid-ntlm)
>
> No, only with proxy_auth. Honestly I can't believe it myself. For now it
> might well be I just confused some things here because I tried so many
> things here. I can only definitely tell that more than one proxy_auth
> checked does not work. It might be that if I do more than one
> proxy_auth REQUIRED it works (but I think my acls would have aborted after
> the first then), but if there is at least one unmatched proxy_auth
> <username> the second one will be disconnected.

There is a potential race condition in the proxy_auth code that I'm going to
look at. For that I need the log as mentioned to verify my idea.

> > Yes. Please search the archives for messages from Thomas regarding ntlm - I
> > asked him to rebuild the helper with debug on, and set some squid debug
> > levels. If you could do that (no need for the header grabber at this point)
> > and send me the log that'd be great.
>
> Ok, I already played with the RCNF_DEBUG (sp?) variable. I'll do that this
> afternoon, I hope you'll get the results in due time cause of the time
> shift.

You don't need that debug variable. In NTLMSSP/ntlm_auth.h there is a single
DEBUG #define.

===from previous thread===
Can you please rebuild the NTLMSSP helper with debug on, and
set squid's debug (in squid.conf) to
ALL,1 34,4 14,4 28,6 29,6
delete your cache.log
and then retry using it, and send me (out of band) the cache.log file from
squid (probably as tar.bz2 if it's big).

Rob

Received on Wed Oct 18 2000 - 14:34:18 MDT
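
The symptom discussed in this message (a DC given as 10.1.1.15 ending up as a connection to 10.1.1.14, with unchecked return values and libc's static resolver buffers suspected) is the kind of failure a defensive lookup routine rules out. The following is an added example, not code from the Squid NTLM helper or from either poster: `resolve_dc` is a hypothetical name, and it uses `inet_pton`/`getaddrinfo` in place of the `gethostbyname` call mentioned in the thread.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* resolve_dc() is a hypothetical helper, not a function from the Squid
 * NTLM helper. It turns a DC given as a dotted-quad IP or a host name
 * into an IPv4 address. Returns 0 on success, -1 on failure; *out is
 * only written on success, so a failed lookup can never leave a stale
 * or unrelated address behind. */
int resolve_dc(const char *dc, struct in_addr *out)
{
    struct in_addr tmp;
    struct addrinfo hints, *res = NULL;

    if (dc == NULL || out == NULL || *dc == '\0')
        return -1;

    /* 1. A valid numeric literal never goes near the resolver. */
    if (inet_pton(AF_INET, dc, &tmp) == 1) {
        *out = tmp;
        return 0;
    }
    /* 2. Digits and dots only, yet not a valid IP: treat as a typo
     *    instead of sending it to the name server as a host name. */
    if (strspn(dc, "0123456789.") == strlen(dc))
        return -1;
    /* 3. Real name: getaddrinfo() hands back caller-owned memory, so
     *    there is no shared static buffer to be overwritten later. */
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(dc, NULL, &hints, &res) != 0 || res == NULL)
        return -1;
    *out = ((struct sockaddr_in *)res->ai_addr)->sin_addr;
    freeaddrinfo(res);
    return 0;
}

int main(void)
{
    struct in_addr a;
    char buf[INET_ADDRSTRLEN];
    if (resolve_dc("10.1.1.15", &a) == 0)
        printf("DC -> %s\n", inet_ntop(AF_INET, &a, buf, sizeof(buf)));
    return 0;
}
```

A caller that treats any non-zero return as fatal never connects to an address it did not ask for.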