Re: [squid-users] testing ntlm auth

From: Robert Collins <robert.collins@dont-contact.us>
Date: 02 Aug 2001 09:36:58 +1000

On 01 Aug 2001 15:35:55 -0300, Mads Rasmussen wrote:
>
> we use msntauth in 2.4st1 and thought about testing the new 2.5 dev version
> (squid-head).
>
> I compiled support for ntlm using
>
> ./configure --enable-auth=ntlm --enable-ntlm-auth-helpers=NTLMSSP
>
> (could I enable digest here to work with ntlm?)
Yes, you can have all 3 supported schemes running in parallel.

> This gave me a ntlm binary in /usr/local/squid/libexec/squid/
>
> For msntauth the syntax was:
>
> echo "login password" | msntauth
>
> I tried the same syntax with ntlm and got a coredump:
The squid<->NTLM helper protocol is not human readable. For starters
it's a challenge handshake protocol, so you'd need to be able to
calculate MD4 hashes on the fly to test it.

To see if it is able to create challenges, (done by the domain
controller for NTLMSSP v1), you can try
$ ntlm_auth
YR

You should get something like
TT TlRMTVNTUAABAAAABoI............
back.

More documentation about the conceptual side of NTLM auth is available
at squid.sourceforge.net/ntlm

> echo "mads password" | /usr/local/squid/libexec/squid/ntlm_auth CIT/pdcserver
>
> BH Helper detected protocol error
> fgets() failed! dying..... errno=0 (Success)
> Aborted (core dumped)
>
> What am I doing wrong? Since it says "protocol error" I was led to think it
> maybe has to do with the configure options, I used the helper=NTLMSSP, the
> others felt wrong.
I'm not sure what feeling has to do with selecting a helper for your
site! The NTLMSSP helper uses an NT Domain controller (can be samba) to
verify the users; the other two helpers pretend to use a domain
controller, but really just snoop the username and domain.

Rob

> Regards,
>
> Mads
>
Received on Wed Aug 01 2001 - 17:34:33 MDT
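
Added example (not part of the original message and not Squid's own code): a Python check for the helper reply lines quoted above, which decodes the base64 blob after TT and confirms it is an NTLMSSP message before reading the server challenge. The function names and the sample reply are constructed for illustration; the field offsets assume the standard NTLMSSP challenge (type 2) layout.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"          # 8-byte signature at the start of every NTLMSSP message
MSG_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def parse_helper_reply(line):
    """Split one helper reply line into its code and, for TT, the decoded NTLMSSP fields."""
    code, _, rest = line.rstrip("\r\n").partition(" ")
    reply = {"code": code, "detail": rest}
    if code != "TT":
        return reply                   # e.g. "BH <reason>": plain text, nothing to decode
    try:
        blob = base64.b64decode(rest, validate=True)
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        raise ValueError(f"TT payload is not valid base64: {exc}")
    if len(blob) < 12 or blob[:8] != NTLMSSP_SIG:
        raise ValueError("TT payload does not start with the NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", blob, 8)    # little-endian message type
    reply["ntlmssp_type"] = MSG_TYPES.get(msg_type, f"unknown({msg_type})")
    if msg_type == 2:
        if len(blob) < 32:
            raise ValueError("challenge message is truncated")
        reply["flags"] = struct.unpack_from("<I", blob, 20)[0]
        reply["server_challenge"] = blob[24:32].hex()  # the 8-byte nonce
    return reply

def build_sample_reply(challenge):
    """Constructed sample: a minimal type 2 message with an empty target name."""
    msg = (NTLMSSP_SIG
           + struct.pack("<I", 2)            # message type: challenge
           + struct.pack("<HHI", 0, 0, 40)   # target name: length 0, offset past header
           + struct.pack("<I", 0x00008201)   # constructed flag value
           + challenge                       # 8-byte server challenge
           + b"\x00" * 8)                    # reserved
    return "TT " + base64.b64encode(msg).decode("ascii")

if __name__ == "__main__":
    print(parse_helper_reply(build_sample_reply(bytes.fromhex("0123456789abcdef"))))
    print(parse_helper_reply("BH Helper detected protocol error"))
```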
