Re: [squid-users] Squid 2.5 & NTLM

From: Mike Diggins <diggins@dont-contact.us>
Date: Tue, 4 Jun 2002 22:15:39 -0400 (EDT)

On Tue, 4 Jun 2002, Henrik Nordstrom wrote:

> The "SMB" ntlm helper (ntlm_auth) currently only supports the use of LANMAN
> logins. Maybe your domain enforces the use of NTLM or NTLMv2?
>
> What is seen in the event log on the login server (AS7)?

We do support LANMAN logins as we have win9x clients as well. The event
log doesn't seem to show anything on the NT side as far as failed login
attempts (actually win2k domain controllers in compatible mode).

I've noticed that IE doesn't work at all unless I remove the NTLM
authenticator, then it works with the basic authenticator. If I log on to a
machine not in the domain where I authenticate, should IE not prompt
for login? Not all my IE clients will be able to take advantage of NTLM
since they don't all log in to a Windows domain. Will that be a problem?

-Mike

> Mike Diggins wrote:
> > Hello,
> >
> > It's my first time attempting the NTLM authentication in Squid 2.5 and am
> > running into trouble making it work.
> >
> > I think this means the authenticator itself is okay?
> >
> > diggins@percy<~squid/libexec># ./ntlm_auth -d AP1/AS7
> > ntlm-auth[10660](ntlm_auth.c:180): Adding domain-controller AP1/AS7
> > ntlm-auth[10660](ntlm_auth.c:453): options processed OK
> > YR
> > ntlm-auth[10660](ntlm_auth.c:277): managing request
> > ntlm-auth[10660](ntlm_auth.c:283): ntlm authenticator. Got 'YR' from Squid
> > ntlm-auth[10660](ntlm_auth.c:232): obtain_challenge: selecting AP1\AS7
> > (attempt #1)
> > ntlm-auth[10660](ntlm_auth.c:244): attempting challenge retrieval
> > ntlm-auth[10660](libntlmssp.c:119): Connecting to server AS7 domain AP1
> > ntlm-auth[10660](ntlm_auth.c:246): make_challenge retuned 366a0
> > ntlm-auth[10660](ntlm_auth.c:248): Got it
> > ntlm-auth[10660](ntlm_auth.c:430): sending 'TT
> > TlRMTVNTUAACAAAAAAMAAwAAACiCgkEA/IV6xiZuVzkAAAAAAAAAAEFQMQ==' to squid
> > TT TlRMTVNTUAACAAAAAAMAAwAAACiCgkEA/IV6xiZuVzkAAAAAAAAAAEFQMQ==
> >
> > My cache.log shows the following information regarding helper apps when I
> > first start up (no apparent errors).
> >
> > 2002/06/04 10:40:29| helperStatefulOpenServers: Starting 5 'ntlm_auth'
> > processes
> > 2002/06/04 10:40:29| helperOpenServers: Starting 5 'msnt_auth' processes
> >
> > When I use Netscape the basic helper (MSNT) works correctly. However, when
> > I run IE 6.0 while logged into the same domain I get "Page can not be
> > displayed" and the following in access.log
> >
> > 1023203071.457 3 130.113.220.121 TCP_DENIED/407 1401 GET
> > http://www.cnn.com/ - NONE/- text/html
> > 1023203071.476 12 130.113.220.121 TCP_DENIED/407 1401 GET
> > http://www.cnn.com/ - NONE/- text/html
> >
> > My squid.conf configuration
> >
> > auth_param ntlm program /usr/local/squid/libexec/ntlm_auth AP1/AS7
> > auth_param ntlm children 5
> > auth_param ntlm max_challenge_reuses 0
> > auth_param ntlm max_challenge_lifetime 2 minutes
> > auth_param basic program /usr/local/squid/libexec/msnt_auth
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> >
> > acl domainusers proxy_auth REQUIRED
> > http_access allow domainusers
> >
> > Any help would be appreciated.
> >
> > -Mike
>
>
Received on Tue Jun 04 2002 - 20:15:41 MDT
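
Added example, not part of the original post or of Squid's code: a parser for the NTLMSSP type 2 challenge that the helper printed after `TT` in the session quoted above (`parse_type2` is a name chosen here). It reads the target-name buffer in both byte orders, since NTLM messages are little-endian on the wire, and reports which reading stays inside the message.

```python
import base64
import struct

# Challenge blob copied from the helper's "TT" reply in the post above.
TT_BLOB = "TlRMTVNTUAACAAAAAAMAAwAAACiCgkEA/IV6xiZuVzkAAAAAAAAAAEFQMQ=="


def parse_type2(b64):
    """Parse the fixed header of an NTLMSSP type 2 (challenge) message."""
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < 32 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 2:
        raise ValueError("expected message type 2, got %d" % msg_type)
    result = {
        "length": len(msg),
        "flags_le": struct.unpack_from("<I", msg, 20)[0],
        "challenge": msg[24:32].hex(),  # 8-byte server challenge
        "target": {},
    }
    # Target-name security buffer at byte 12: len(2) maxlen(2) offset(4).
    # The big-endian reading is tried too, to spot a sender that wrote
    # these fields in host byte order instead of little-endian.
    for order, fmt in (("little", "<HHI"), ("big", ">HHI")):
        length, _maxlen, offset = struct.unpack_from(fmt, msg, 12)
        in_bounds = offset >= 32 and offset + length <= len(msg)
        name = None
        if in_bounds:
            name = msg[offset:offset + length].decode("ascii", "replace")
        result["target"][order] = {
            "len": length, "offset": offset,
            "in_bounds": in_bounds, "name": name,
        }
    return result


if __name__ == "__main__":
    info = parse_type2(TT_BLOB)
    print("bytes:", info["length"], "flags: 0x%08x" % info["flags_le"])
    print("challenge:", info["challenge"])
    for order, t in info["target"].items():
        print(order, t)
```

On the blob from the post, the message type and flags decode as little-endian, but the target-name length and offset are in bounds only when read big-endian (3 bytes at offset 40, `AP1`).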
