RE: [squid-users] testing ntlm auth

From: Robert Collins <robert.collins@dont-contact.us>
Date: 20 Aug 2001 23:18:23 +1000

On 20 Aug 2001 14:33:38 +0200, Derick Jansen wrote:
> Hi,
>
> I finally got this to work. I had to put the PDC name and IP into the host
> file (The DNS admin removed the dns entry for the PDC).
>
> Now that I have it working, I find IE asking for the
> username/password/domain every third or fourth request. I know there is a
> bug with NTLM where it loses connection to the PDC. Is this causing the
> problem?

It's a bug with MS DCs thank you very much :]. We don't ever *drop* the
connection, the MS server often stops responding, so we have to open a
new connection - which means we can't use the previously obtained
challenge.

Do you see
"authenticateNTLMDirection: called before NTLM Authenticate!. Report a
bug to squid-dev" in your cache.log?

Rob
 
> Thanks in advance.
>
> Derick.
>
> -----Original Message-----
> From: Robert Collins [mailto:robert.collins@itdomain.com.au]
> Sent: 06 August 2001 04:57
> To: Derick Jansen
> Cc: Mads Rasmussen; squid-users@squid-cache.org
> Subject: RE: [squid-users] testing ntlm auth
>
>
> On 02 Aug 2001 12:11:46 +0200, Derick Jansen wrote:
> > Hi, I am trying this authentication scheme. Squid starts up fine and these
> > are the processes running
> >
> > 21806 ? S 0:00 ./squid
> > 21808 ? S 0:00 (squid)
> > 21814 ? S 0:00 (unlinkd)
> > 21827 ? S 0:00 (ntlm_auth) inetbridge/rbk-bdc2
> > 21828 ? S 0:00 (ntlm_auth) inetbridge/rbk-bdc2
> > 21829 ? S 0:00 (ntlm_auth) inetbridge/rbk-bdc2
> > 21830 ? S 0:00 (ntlm_auth) inetbridge/rbk-bdc2
> > 21831 ? S 0:00 (ntlm_auth) inetbridge/rbk-bdc2
> >
> > I am however not being authenticated.
> >
> > When I run this manually /usr/local/squid/libexec/squid/ntlm_auth
> > inetbridge/rbk-bdc2 and type YR I get no response from the domain
> > controller. I also tried using the domain controller's IP instead of the
> > name.
>
> There have been some messages on this in the list already - do a search
> on ntlm_auth. You need to use the machine name, not the ip address.
>
> > Do I need to do something on the domain controller to get this to work?
>
> No. Or rather, you can't be using "high security" - we are using an
> _old_ Samba library for this. Kinkie is working on an updated helper
> that uses a much newer library.
>
> Also, a large amount of work has gone into stability recently, and
> tonight's daily snapshot from www.squid-cache.org should be much more
> reliable. (It doesn't affect the ntlm_auth helper problem that you have
> unfortunately). You should grab that tarball and use it.
>
> It's NOT available on sourceforge outside of the NTLM branch as yet, as
> soon as it is I'll be posting a detailed email here listing the changes
> and asking early adopters to upgrade.
>
> Rob
Received on Mon Aug 20 2001 - 07:18:12 MDT
