RE: [squid-users] My SMB is just plain screwy, another error

From: Chemolli Francesco (USI) <>
Date: Wed, 21 Mar 2001 17:38:34 +0100

> Reply = Thanks, squid still prompts for the password/username, but I
> attribute that the connection reset by peer problem, as my networks
> funkiness,

That is correct.
What you're seeing are NetBios error 3, which means TCP connection to
the DC broken. Under your configuration, Squid treats such failures as
authentication failures. There is a configure option (--helper-fail-open
or something like that),
which together with a command-line switch to the NTLMSSP helper
will turn those requests into "last-ditches". A last-ditch is basically
"there was an error with the Domain Controller. Trust the user for this
one authentication, then refresh the helper challenge".
It's meant to cope with Domain Controller failures without the user
noticing. It can be seen as a potential source for abuses (I don't think
so, but Robert is a bit more cautious than me on this one).

> A question, are you familiar with the smb_auth helper? It
> checks the group
> permissions of a user but only by prompting for a username
> and password,
> before I commit a developer here to trying to output the
> NTLMSSP user/pass
> to smb_auth to check against groups, is this feasible?

smb_auth is a basic authorization helper. It will always ask
for the password.
However, if you have more than one domain, you might want to
investigate into the multi-domain-NTLM helper.

It's not currently possible to check against groups, except maybe
by dirty tricks.

Received on Wed Mar 21 2001 - 11:21:29 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:46 MST