Re: [squid-users] ntlm authentication with older cliënts? (w95/w98)

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 7 Nov 2003 00:48:24 +0100 (CET)

On Thu, 6 Nov 2003, Henk-Jan (squid) wrote:

> Because Squid 2.5 uses an internal Samba interface to communicate with the
> winbindd daemon, it is difficult for me to ask the right question, How do I
> debug this?

You basically need to use an NTLMSSP implementation to inspect the NTLMSSP
packets exchanged between the browser and helper to debug NTLMSSP
interactions.

> The clients logon to the PDC perfectly without running the directory
> service. This means they are using LM hashes...

???

> The only difference is I am running Samba 3... Perhaps a downgrade must do
> it...

Unlikely, unless your problem is caused by the fact that the Samba-3
helper is a much more correct NTLMSSP implementation and probably tries to
negotiate a NTLMv1 session, while the Squid provided helper is far from as
good and only gets the LM part correct.

The most common situations causing NTLM authentication to not work at all
are, in order:

a) The client does not allow the level of authentication requested by the
helper. This swings both ways depending on which NTLMSSP scheme is
requested by the helper. Normally NTLMSSP is supposed to negotiate the
level between the client and the server, but due to issues in Squid the
level is currently set by the server alone (the ntlm helper), completely
ignoring the wishes/capabilities of the client.

b) The client is not logged on to the domain.

Regards
Henrik
Received on Thu Nov 06 2003 - 16:48:28 MST
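
As an added example (not part of the original message and not code from Squid or Samba), one way to inspect the NTLMSSP packets mentioned above: decode the base64 tokens carried in the NTLM `Proxy-Authorization` / `Proxy-Authenticate` headers and list the flags the helper set in its challenge that the client never offered. The function names and the `sample_token` tokens are constructed for illustration; field offsets and flag bits follow the published NTLMSSP layout (MS-NLMP).

```python
import base64
import struct

# Flag bits from MS-NLMP; names abbreviated from NTLMSSP_NEGOTIATE_*.
FLAGS = {
    0x00000001: "UNICODE",
    0x00000002: "OEM",
    0x00000080: "LM_KEY",
    0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY",
    0x20000000: "128",
    0x80000000: "56",
}

def flag_names(value):
    return sorted(name for bit, name in FLAGS.items() if value & bit)

def parse_ntlmssp(token_b64):
    """Decode one base64 NTLMSSP token into the fields useful for debugging."""
    raw = base64.b64decode(token_b64, validate=True)
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", raw, 8)
    # NegotiateFlags sits at a different offset in each message type.
    flag_off = {1: 12, 2: 20, 3: 60}.get(mtype)
    if flag_off is None or len(raw) < flag_off + 4:
        raise ValueError("unknown or truncated message type %d" % mtype)
    (flags,) = struct.unpack_from("<I", raw, flag_off)
    info = {"type": mtype, "flags": flag_names(flags)}
    if mtype == 3:
        # Lengths of the LM and NT responses (security buffers at 12 and 20).
        info["lm_len"] = struct.unpack_from("<H", raw, 12)[0]
        info["nt_len"] = struct.unpack_from("<H", raw, 20)[0]
    return info

def unoffered(negotiate_b64, challenge_b64):
    """Flags the helper set in its challenge that the client never offered."""
    offered = set(parse_ntlmssp(negotiate_b64)["flags"])
    return sorted(set(parse_ntlmssp(challenge_b64)["flags"]) - offered)

# Constructed sample tokens (not captured traffic), zero-padded up to the flags field.
def sample_token(mtype, flags):
    pad = b"\x00" * {1: 0, 2: 8, 3: 48}[mtype]
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", mtype) + pad + struct.pack("<I", flags)).decode()

CLIENT_NEGOTIATE = sample_token(1, 0x00008202)  # OEM, NTLM, ALWAYS_SIGN
HELPER_CHALLENGE = sample_token(2, 0x00088201)  # UNICODE, NTLM, ALWAYS_SIGN, EXTENDED_SESSIONSECURITY
print(unoffered(CLIENT_NEGOTIATE, HELPER_CHALLENGE))
```

For a type 3 message, `nt_len` of 0 means the client supplied only an LM response.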
