RE: [squid-users] testing ntlm auth

From: Derick Jansen <derick@dont-contact.us>
Date: Thu, 2 Aug 2001 12:11:46 +0200

Hi, I am trying this authentication scheme. Squid starts up fine and these
are the processes running

21806 ? S 0:00 ./squid
21808 ? S 0:00 (squid)
21814 ? S 0:00 (unlinkd)
21827 ? S 0:00 (ntlm_auth) inetbridge/rbk-bdc2
21828 ? S 0:00 (ntlm_auth) inetbridge/rbk-bdc2
21829 ? S 0:00 (ntlm_auth) inetbridge/rbk-bdc2
21830 ? S 0:00 (ntlm_auth) inetbridge/rbk-bdc2
21831 ? S 0:00 (ntlm_auth) inetbridge/rbk-bdc2

I am however not being authenticated.

When I run this manually /usr/local/squid/libexec/squid/ntlm_auth
inetbridge/rbk-bdc2 and type YR I get no response from the domain
controller. I also tried using the domain controller's IP instead of the
name.

Do I need to do something on the domain controller to get this to work?

Thanks
Derick Jansen

-----Original Message-----
From: Robert Collins [mailto:robert.collins@itdomain.com.au]
Sent: 02 August 2001 02:02
To: Mads Rasmussen
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] testing ntlm auth

On 01 Aug 2001 15:35:55 -0300, Mads Rasmussen wrote:
>
> we use msntauth in 2.4st1 and thought about testing the new 2.5 dev version
> (squid-head).
>
> I compiled support for ntlm using
>
> ./configure --enable-auth=ntlm --enable-ntlm-auth-helpers=NTLMSSP
>
> (could I enable digest here to work with ntlm?)
Yes, you can have all 3 supported schemes running in parallel.

> This gave me a ntlm binary in /usr/local/squid/libexec/squid/
>
> For msntauth the syntax was:
>
> echo "login password" | msntauth
>
> I tried the same syntax with ntlm and got a coredump:
The squid<->NTLM helper protocol is not human readable. For starters
it's a challenge handshake protocol, so you'd need to be able to
calculate MD4 hashes on the fly to test it.

To see if it is able to create challenges, (done by the domain
controller for NTLMSSP v1), you can try
$ ntlm_auth
YR

You should get something like
TT TlRMTVNTUAABAAAABoI............
back.

More documentation about the conceptual side of NTLM auth is available
at squid.sourceforge.net/ntlm

> echo "mads password" | /usr/local/squid/libexec/squid/ntlm_auth CIT/pdcserver
>
> BH Helper detected protocol error
> fgets() failed! dying..... errno=0 (Success)
> Aborted (core dumped)
>
> What am I doing wrong? Since it says "protocol error" I was led to think it
> maybe has to do with the configure options, I used the helper=NTLMSSP, the
> others felt wrong.
I'm not sure what feeling has to do with selecting a helper for your
site! The NTLMSSP helper uses a NT Domain controller (can be samba) to
verify the users; the other two helpers pretend to use a domain
controller, but really just snoop the username and domain.

Rob

> Regards,
>
> Mads
>
Received on Thu Aug 02 2001 - 04:10:42 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:01:26 MST
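
Added example, not part of the original thread or of Squid: a small Python check for the line the helper prints after `YR`, covering the three outcomes seen above (a `TT` token, a `BH` error, or nothing at all). The function names are hypothetical and the sample blob is constructed; the only format knowledge assumed is that an NTLMSSP message starts with the 8-byte `NTLMSSP\0` signature followed by a little-endian 32-bit message type.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def parse_helper_reply(line):
    """Split one helper reply line into code and detail, decoding a TT blob header."""
    code, _, detail = line.strip().partition(" ")
    reply = {"code": code, "detail": detail, "ntlm_type": None, "error": None}
    if code != "TT":
        return reply
    try:
        blob = base64.b64decode(detail, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        reply["error"] = "blob is not valid base64"
        return reply
    if len(blob) < 12 or blob[:8] != NTLMSSP_SIGNATURE:
        reply["error"] = "blob lacks the NTLMSSP signature"
        return reply
    (msg_type,) = struct.unpack_from("<I", blob, 8)  # little-endian type field
    reply["ntlm_type"] = MESSAGE_TYPES.get(msg_type, "unknown(%d)" % msg_type)
    return reply


def check_yr_reply(line):
    """Return a short verdict on what came back after sending YR."""
    if not line.strip():
        return "no-reply"
    reply = parse_helper_reply(line)
    if reply["code"] == "BH":
        return "helper-error: " + reply["detail"]
    if reply["code"] == "TT" and reply["error"] is None:
        return "token: " + reply["ntlm_type"]
    return "unexpected: " + (reply["error"] or reply["code"])


# Constructed sample: NTLMSSP signature, message type 2, zero padding.
SAMPLE_BLOB = base64.b64encode(NTLMSSP_SIGNATURE + struct.pack("<I", 2) + bytes(20)).decode()

if __name__ == "__main__":
    for line in ("TT " + SAMPLE_BLOB, "BH Helper detected protocol error", ""):
        print(repr(line[:24]), "->", check_yr_reply(line))
```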