Re: [squid-users] Squid 2.5 & NTLM

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 4 Jun 2002 18:11:53 +0200

The "SMB" ntlm helper (ntlm_auth) currently only supports the use of LANMAN
logins. Maybe your domain enforces the use of NTLM or NTLMv2?

What is seen in the event log on the login server (AS7)?

Regards
Henrik

Mike Diggins wrote:
> Hello,
>
> It's my first time attempting the NTLM authentication in Squid 2.5 and am
> running into trouble making it work.
>
> I think this means the authenticator itself is okay?
>
> diggins@percy<~squid/libexec># ./ntlm_auth -d AP1/AS7
> ntlm-auth[10660](ntlm_auth.c:180): Adding domain-controller AP1/AS7
> ntlm-auth[10660](ntlm_auth.c:453): options processed OK
> YR
> ntlm-auth[10660](ntlm_auth.c:277): managing request
> ntlm-auth[10660](ntlm_auth.c:283): ntlm authenticator. Got 'YR' from Squid
> ntlm-auth[10660](ntlm_auth.c:232): obtain_challenge: selecting AP1\AS7
> (attempt #1)
> ntlm-auth[10660](ntlm_auth.c:244): attempting challenge retrieval
> ntlm-auth[10660](libntlmssp.c:119): Connecting to server AS7 domain AP1
> ntlm-auth[10660](ntlm_auth.c:246): make_challenge retuned 366a0
> ntlm-auth[10660](ntlm_auth.c:248): Got it
> ntlm-auth[10660](ntlm_auth.c:430): sending 'TT
> TlRMTVNTUAACAAAAAAMAAwAAACiCgkEA/IV6xiZuVzkAAAAAAAAAAEFQMQ==' to squid
> TT TlRMTVNTUAACAAAAAAMAAwAAACiCgkEA/IV6xiZuVzkAAAAAAAAAAEFQMQ==
>
> My cache.log shows the following information regarding helper apps when I
> first start up (no apparent errors).
>
> 2002/06/04 10:40:29| helperStatefulOpenServers: Starting 5 'ntlm_auth'
> processes
> 2002/06/04 10:40:29| helperOpenServers: Starting 5 'msnt_auth' processes
>
> When I use Netscape the basic helper (MSNT) works correctly. However, when
> I run IE 6.0 while logged into the same domain I get "Page can not be
> displayed" and the following in access.log
>
> 1023203071.457 3 130.113.220.121 TCP_DENIED/407 1401 GET
> http://www.cnn.com/ - NONE/- text/html
> 1023203071.476 12 130.113.220.121 TCP_DENIED/407 1401 GET
> http://www.cnn.com/ - NONE/- text/html
>
> My squid.conf configuration
>
> auth_param ntlm program /usr/local/squid/libexec/ntlm_auth AP1/AS7
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param basic program /usr/local/squid/libexec/msnt_auth
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> acl domainusers proxy_auth REQUIRED
> http_access allow domainusers
>
> Any help would be appreciated.
>
> -Mike
Received on Tue Jun 04 2002 - 10:12:11 MDT
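
For diagnosing a setup like the one in this thread, the 'TT' challenge that ntlm_auth printed can be decoded to see which negotiate flags and target name the helper offers the browser. This is an added example, not part of the original messages or of Squid's code; the names parse_challenge, BLOB and FLAGS and the big-endian fallback for the target-name header are this example's own assumptions, and the blob is copied from the debug output quoted above.

```python
import base64
import struct

# The 'TT' challenge exactly as ntlm_auth printed it in the debug session above.
BLOB = "TlRMTVNTUAACAAAAAAMAAwAAACiCgkEA/IV6xiZuVzkAAAAAAAAAAEFQMQ=="

# Negotiate flag bits as named in the NTLM specification (MS-NLMP).
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00400000: "REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
}

def parse_challenge(b64):
    """Decode an NTLMSSP type 2 (challenge) message into its fields."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 32 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    if msg_type != 2:
        raise ValueError("expected type 2, got %d" % msg_type)
    # Wire format is little-endian; retry big-endian if that falls outside the blob.
    for order, fmt in (("little", "<HHI"), ("big", ">HHI")):
        length, _maxlen, offset = struct.unpack_from(fmt, raw, 12)
        if 32 <= offset and offset + length <= len(raw):
            break
    else:
        raise ValueError("target name header out of bounds in either byte order")
    (flags,) = struct.unpack_from("<I", raw, 20)
    codec = "utf-16-le" if flags & 0x00000001 else "ascii"
    return {
        "target": raw[offset:offset + length].decode(codec),
        "target_byte_order": order,
        "flags": flags,
        "flag_names": [name for bit, name in FLAGS.items() if flags & bit],
        "challenge": raw[24:32].hex(),
    }

if __name__ == "__main__":
    for key, value in parse_challenge(BLOB).items():
        print(key, "=", value)
```

For this blob the decoded flags include NEGOTIATE_OEM, NEGOTIATE_LM_KEY and NEGOTIATE_NTLM but neither NEGOTIATE_EXTENDED_SESSIONSECURITY nor NEGOTIATE_TARGET_INFO, and the target-name header is only in bounds when read big-endian.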
