Re: [squid-users] squid 3.3.3 + ntlm + kerberos

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 23 Apr 2013 23:26:12 +1200

On 23/04/2013 8:12 p.m., nicola gentile wrote:
> Good morning,
> I would like to ask you for some information and help.
> Actually I use squid 3.1.21 on debian 6.0.7 with ntlm and kerberos
> authentication and all works fine.
> Now I must recompile squid and I would test 3.3.3 version.

FYI squid-3.3 packages just hit Debian unstable repositories yesterday.

> The options that I have used for the compile are:
>
> ./configure --prefix=/usr/local/squid \
> --with-default-user=proxy \
> --enable-async-io \
> --enable-storeio="ufs,aufs,diskd" \
> --enable-auth \
> --disable-auth-basic \
> --enable-auth-ntml=smb_lm \
> --enable-auth-negotiate=kerberos,wrapper \
> --disable-auth-digest \
> --with-large-files \
> --with-filedescriptors=65535 \
> --enable-ltdl-convenience \
> --enable-ssl \
> --disable-ipv6
>
> The daemon seems to work, but when I try to authenticate through NTLM
> it does not work, while Kerberos works correctly

Probably because what you are using is the old SMB LanManager helper
which only supports NTLMv1 and older LM protocols.
Try the Samba ntlm_auth helper instead which is bundled on Debian in the
winbind or winbind4 package.

This KK signature:
> ntlm_smb_lm_auth.cc(488): pid=11663 :ntlm authenticator. Got 'KK
> TlRMTVNTUAADAAAAGAAYAGwAAAAYABgAhAAAAAYABgBYAAAABwAHAF4AAAAHAAcAZQAAAAAAAACcAAAABoIAAgYBsR0AAAAPIp8Zk9ICN8Hw1rL0qdbrHlBPTElUT0QwMDMwMzJQQ0xEMDUwIRuK8hsvU3s5klqASx0ijB7dbIt+CIw+IRuK8hsvU3s5klqASx0ijB7dbIt+CIw+'
> from Squid
> ntlmssp: bad ascii: 001b
> No auth at all. Returning no-auth
> ntlm_smb_lm_auth.cc(531): pid=11663 :sending 'NA Logon Failure' to squid

... contains flags indicating a security signature in use. So it looks
like NTLMv2 with security extensions to me.

If I'm right and it is NTLMv2 in use you require the Samba helper.

Amos
Received on Tue Apr 23 2013 - 11:26:21 MDT
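
Added example, not part of the original message or of Squid or Samba: a small Python decoder for the base64 token that follows `KK` in the helper log, reporting the negotiate flags and response lengths so you can see which NTLM variant a client is sending. The function names and the zero-filled sample tokens are constructed for illustration; the field offsets and flag bits follow the published NTLMSSP (MS-NLMP) layout, and the token is assumed to carry the flags field at offset 60.

```python
import base64
import struct

# Negotiate flag bits (MS-NLMP); only the ones relevant to this diagnosis.
FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000010: "SIGN",
    0x00000020: "SEAL", 0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x20000000: "128",
}
ESS = 0x00080000

def describe_type3(token_b64):
    """Summarise an NTLMSSP AUTHENTICATE (type 3) token; never returns response bytes."""
    raw = base64.b64decode(token_b64, validate=True)
    if len(raw) < 64 or raw[:8] != b"NTLMSSP\0":
        raise ValueError("not an NTLMSSP message with a flags field")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    if msg_type != 3:
        raise ValueError("expected message type 3, got %d" % msg_type)
    # Each field header is: length (2), max length (2), payload offset (4).
    lm_len, _, lm_off = struct.unpack_from("<HHI", raw, 12)
    nt_len, _, nt_off = struct.unpack_from("<HHI", raw, 20)
    (flags,) = struct.unpack_from("<I", raw, 60)
    if lm_off + lm_len > len(raw) or nt_off + nt_len > len(raw):
        raise ValueError("response field points outside the token")
    # A 24-byte NT response is the NTLMv1 form; NTLMv2 appends a
    # variable-length blob, so its NT response is always longer.
    if nt_len > 24:
        family = "NTLMv2"
    elif nt_len == 24:
        family = "NTLMv1 + extended session security" if flags & ESS else "NTLMv1"
    else:
        family = "no valid NT response"
    names = [name for bit, name in sorted(FLAGS.items()) if flags & bit]
    return {"lm_len": lm_len, "nt_len": nt_len, "flags": flags,
            "flag_names": names, "family": family}

def build_sample(nt_len, flags):
    """Constructed type 3 token with zero-filled responses (demo input only)."""
    msg = b"NTLMSSP\0" + struct.pack("<I", 3)
    msg += struct.pack("<HHI", 24, 24, 64)           # LM response header
    msg += struct.pack("<HHI", nt_len, nt_len, 88)   # NT response header
    msg += struct.pack("<HHI", 0, 0, 88) * 4         # domain, user, host, session key
    msg += struct.pack("<I", flags)
    return base64.b64encode(msg + bytes(24 + nt_len)).decode()

if __name__ == "__main__":
    for nt_len, flags in ((24, 0x00008202), (24, 0x00088201), (60, 0x00088201)):
        print(describe_type3(build_sample(nt_len, flags)))
```

To check a real client, pass the string that follows `KK ` in the helper's debug output to describe_type3().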
