RE: [SQU] NTLM Error

From: Wood, Jeremy <WoodJ@dont-contact.us>
Date: Wed, 21 Feb 2001 14:47:19 -0500

Got a new error message here :-/ It lets you through the proxy,
transparently then half way thru the page load it asks for basic
authentication. Check it out:

authenticateNTLMDirection: called before NTLM Authenticate! . Report a bug
to squid-dev

So if anyone is on squid-dev could you pass this along??

About the NT groups stuff. The gent who wrote the smb_auth a while back did
have a shell script he wrote to use groups as permissions. He placed a file
in the netlogon dir of the PDC and the only thing in the file was: allow.
Then you run NT permissions on this file adding the people that are allowed
to use the proxy. The smb_auth module passed the auth info on to this
script which then tried to read the proxyauth file from the netlogon dir of
the PDC via smbclient. If the file could be read, the shell script returned
an OK. If not, an ERROR. So what I was wanting to do was hack the
ntlm_auth.c to have it do something similar.

Does this sound doable to anyone??

----Jer

-----Original Message-----
From: Craig Fels [mailto:csfels@swbell.net]
Sent: Wednesday, February 21, 2001 2:37 PM
To: Wood, Jeremy; squid-users@ircache.net
Subject: Re: [SQU] NTLM Error

> I just downloaded the new code today. Same code you are using. I am using
> NTLMSSP as the helper. I have double checked the compile options. See I
> need to have true authentication working because not every user on our
> domain is allowed to have proxy access. Only users in certain groups are
> allowed to have it. So I need to check if they are in the correct group
> before they have proxy access. Right now we are using MS Proxy 2.0 and it
> works with NTLM, group permissions, and it is transparent to the user. That
> is what I am trying to get out of squid so I can get rid of that NT box. I
> fear I may end up coding something myself which should only take me a couple
> years considering my experience ;-) In other words, I stink at coding so I
> was hoping to be able to throw some things together to make this work.

As far as I know, Squid with NTLM support can NOT validate based on NT
groups (local or global). The only way, and I've mentioned this before, is
to use NT resource kit utilities like Local and Global on the particular
group (domain\proxyusers) and redirect the output to a text file. Have this
text file picked up by your proxy machine and have a proxy_auth acl look at
this file for its members. Then create the http_access allow statement for
that acl.

Should be pretty easy to implement, but a pain to support if you ever leave!
;-)

Have fun....

Craig

Received on Wed Feb 21 2001 - 12:55:51 MST
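
Added example, not part of the original thread: Craig's suggestion above (export the group's members to a text file and point a proxy_auth acl at it), written as a shell function that installs the exported list only when it is non-empty and well-formed, so a failed export never replaces the working list. The file paths, the one-account-per-line export format and the allowed-character set are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed squid.conf lines (path is hypothetical):
#   acl proxyusers proxy_auth "/etc/squid/proxyusers.txt"
#   http_access allow proxyusers
#   http_access deny all
# Squid re-reads the file on "squid -k reconfigure".
# Assumption: the group export has one account per line, optionally DOMAIN\user,
# possibly with CRLF endings. Names must match what the auth helper reports.

# build_acl_file EXPORT ACLFILE
# 0 = ACLFILE replaced; 1 = export unreadable; 2 = export empty;
# 3 = unexpected characters. On any failure the old ACLFILE is left in place.
build_acl_file() {
    export_file=$1
    acl_file=$2
    tmp="${acl_file}.new.$$"      # same directory, so mv is an atomic rename

    [ -r "$export_file" ] || return 1

    # Drop CRs, trim surrounding blanks, skip empty lines, remove duplicates.
    tr -d '\r' < "$export_file" \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$' | sort -u > "$tmp"

    # An empty list usually means the export failed, not that the group is empty.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 2
    fi
    # Conservative allow-list of characters (an assumption); reject the whole
    # export rather than install a partly parsed list.
    if grep -Ev '^([A-Za-z0-9._-]+\\)?[A-Za-z0-9._$-]+$' "$tmp" > /dev/null; then
        rm -f "$tmp"
        return 3
    fi
    mv -f "$tmp" "$acl_file"
}

# Constructed sample export, run in a scratch directory.
demo_dir=$(mktemp -d)
printf 'CORP\\alice\r\nbob\r\n\r\n  carol  \r\nbob\r\n' > "$demo_dir/export.txt"
build_acl_file "$demo_dir/export.txt" "$demo_dir/proxyusers.txt" \
    && cat "$demo_dir/proxyusers.txt"
rm -rf "$demo_dir"
```

A list kept after a failed export can be stale, so the non-zero return codes are meant to be alerted on rather than ignored.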