Re: [SQU] NTLM authentification / replacing microsoft proxy

From: Robert Collins <robert.collins@dont-contact.us>
Date: Wed, 7 Mar 2001 23:13:56 +1100

----- Original Message -----
From: "Roidl Hr." <Roidl@Landkreis-Schwandorf.de>
To: <squid-users@ircache.net>
Sent: Wednesday, March 07, 2001 10:30 PM
Subject: [SQU] NTLM authentification / replacing microsoft proxy

> Hello,
>
> does someone have experience with squid-2.5 and the NTLM auth module?
>
> We use at the moment a Microsoft proxy server and we hope to replace it
> with squid.
> The remaining problem is the authentication against an NT Domain
> Controller.
> No password dialog should appear, a user should have internet access if he
> is in an NT Group.
> I tried it with smbclient, but a dialog appeared, so we threw this solution
> away.
>
> Yesterday I configured squid-2.5 and tried the NTLM auth module.
> My Config:
>
> acl lraauth proxy_auth REQUIRED
> http_access allow lraauth
>
> auth_param ntlm program /usr/local/packages/squid-2.5.200103060000/bin/ntlm_auth LRA-DOM/192.100.1.243

You can't use an IP address here. You must use the NETBIOS name of the
machine. As long as that resolves on your squid machine to the correct
IP (and it can resolve via hosts/dns/nmb) that should be ok.

> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> BUT it didn't work. Access is always denied.
>
> How can I test the authentication without squid?

You can't :[ MS's authentication protocol isn't exactly human readable.
What you can do is check the squid cache.log for clues, and consider
turning debug from ALL,1 to ALL,1 29,6

>
> Are there other possibilities to allow a user in a certain group (managed
> under NT)
> internet access. (net group internetuser /domain // smbclient // identd)???

Not without a password prompt. The NTLM code implements the protocols
used by "net group", smbclient would need a password, and identd on
Windows doesn't reliably return the _real_ username.

>
> Bye
> Engelbert
>
> ----------------------------------------------------------------------
> mailto:Roidl@Landkreis-Schwandorf.de
>
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>
>

Rob

Received on Wed Mar 07 2001 - 05:13:18 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:33 MST
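
An added example, not part of the original thread and not Squid's or the helper's own code: when a trace of the proxy exchange is available, the NTLM tokens in the `Proxy-Authenticate` / `Proxy-Authorization` headers can be decoded far enough to see which message type was sent and which domain, user and workstation the browser offered. The function names are hypothetical, and the sample message is constructed (domain `LRA-DOM` from the post, user and workstation made up).

```python
import base64
import struct

NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM otherwise
TYPE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def _text(msg, offset, uni):
    """Decode the security buffer (length, max length, data offset) at offset."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, offset)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length].decode("utf-16-le" if uni else "ascii", "replace")


def describe_ntlm(header_value):
    """Summarise the NTLM token in a Proxy-Authenticate/Proxy-Authorization value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header value")
    msg = base64.b64decode(token, validate=True)
    if msg[:8] != b"NTLMSSP\x00" or len(msg) < 12:
        raise ValueError("missing NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if len(msg) < {1: 16, 2: 32, 3: 52}.get(mtype, 12):
        raise ValueError("truncated message")
    info = {"type": TYPE_NAMES.get(mtype, "UNKNOWN")}
    if mtype == 2:
        info["target"] = _text(msg, 12, struct.unpack_from("<I", msg, 20)[0] & NEGOTIATE_UNICODE)
    elif mtype == 3:
        # Flags at offset 60 exist only if payload starts at 64+; else assume OEM strings.
        starts = [s for n, _, s in
                  (struct.unpack_from("<HHI", msg, o) for o in range(12, 52, 8)) if n]
        has_flags = len(msg) >= 64 and min(starts, default=0) >= 64
        uni = has_flags and struct.unpack_from("<I", msg, 60)[0] & NEGOTIATE_UNICODE
        for name, off in (("domain", 28), ("user", 36), ("workstation", 44)):
            info[name] = _text(msg, off, uni)
    return info


def sample_authenticate(domain="LRA-DOM", user="testuser", host="WS01"):
    """Constructed type 3 message with empty responses, not a captured one."""
    data = [s.encode("utf-16-le") for s in (domain, user, host)]
    offs = [64, 64 + len(data[0]), 64 + len(data[0]) + len(data[1])]
    bufs = b"".join(struct.pack("<HHI", len(d), len(d), o) for d, o in zip(data, offs))
    empty = struct.pack("<HHI", 0, 0, 64)
    msg = (b"NTLMSSP\x00" + struct.pack("<I", 3) + empty * 2 + bufs + empty
           + struct.pack("<I", NEGOTIATE_UNICODE) + b"".join(data))
    return "NTLM " + base64.b64encode(msg).decode()
```

If a trace shows only the type 1 message and never a type 3, the browser did not answer the challenge; a type 3 with an unexpected domain points at the client side rather than at the helper's domain controller argument.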