RE: [squid-users] NTLM without username/password prompt

From: David Gameau <David.Gameau@dont-contact.us>
Date: Thu, 22 Sep 2005 15:25:46 +0930

NTLMSSP doesn't really use username/password like
basic authentication, so you can't really confirm
it from the command line.

The best you can do is:
# /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
KK

and that should give you back a 'TT Tl...AA' type response.

What versions of Squid and Samba are you running?
Is the winbind authenticator running?
Is it logging any useful messages (normally in daemonlog)?

David.
__

David Gameau
ISTS - Systems Infrastructure Group
University of South Australia

email: David.Gameau@UniSA.edu.au
phone: +61 8 302 3533
fax: +61 8 302 5800

Disclaimer: "His brain sometimes stops working." - Chiyo, Azumanga Daioh

> -----Original Message-----
> From: Paul Matthews [mailto:paul.matthews@cathedral.qld.edu.au]
> Sent: Thursday, 22 September 2005 3:12 PM
> To: David Gameau
> Subject: RE: [squid-users] NTLM without username/password prompt
>
> I've stop, started, applied, restart squid about 300 times
> over the past 3
> days, I've been working on this none stop and I can't seam to
> get anything.
>
> But here is something that I don't think looks right, if I do
> the basic
> authentication via command line it works.
>
> [root@mail /]# ./usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> username password
> OK
>
> [root@mail /]# ./usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> Username password
> [2005/09/22 15:39:43, 1]
> utils/ntlm_auth.c:manage_squid_ntlmssp_request(576)
> BH
>
>
> -----Original Message-----
> From: David Gameau [mailto:David.Gameau@unisa.edu.au]
> Sent: Thursday, 22 September 2005 3:32
> To: paul.matthews@cathedral.qld.edu.au
> Subject: RE: [squid-users] NTLM without username/password prompt
>
> Paul,
>
> Did you restart, or stop and start Squid?
> I've noticed with the authenticators that a restart
> doesn't seem to reset everything correctly.
>
> David.
> __
>
> David Gameau
> ISTS - Systems Infrastructure Group
> University of South Australia
>
> email: David.Gameau@UniSA.edu.au
> phone: +61 8 302 3533
> fax: +61 8 302 5800
>
> Disclaimer: "His brain sometimes stops working." - Chiyo,
> Azumanga Daioh
>
>
> > -----Original Message-----
> > From: Paul Matthews [mailto:paul.matthews@cathedral.qld.edu.au]
> > Sent: Thursday, 22 September 2005 2:41 PM
> > To: David Gameau
> > Subject: RE: [squid-users] NTLM without username/password prompt
> >
> > I tried to put the ntlm authentication on top of the basic
> > and restart the
> > squid service, but the same result.
> >
> > auth_param ntlm program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 30
> > auth_param ntlm max_challenge_reuses 0
> > auth_param ntlm max_challenge_lifetime 2 minutes
> >
> > auth_param basic program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-basic
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> >
> > -----Original Message-----
> > From: David Gameau [mailto:David.Gameau@unisa.edu.au]
> > Sent: Thursday, 22 September 2005 2:53
> > To: Paul Matthews; squid-users@squid-cache.org
> > Subject: RE: [squid-users] NTLM without username/password prompt
> >
> > > From: Paul Matthews [mailto:paul.matthews@cathedral.qld.edu.au]
> > > Subject: [squid-users] NTLM without username/password prompt
> > >
> > > I've setup NTLM authentication on my fedora box a few times
> > before and
> > > it all went off without a problem, seamless authentication, it was
> > > great. But now I'm trying to get it done on a RHEL 4 box
> > and it's not
> > > going so well, I've got samba authenticating against my
> > > Active directory
> > >
> > > [root@rhel4 /]# wbinfo -t
> > > checking the trust secret via RPC calls succeeded
> > >
> > > but when I use my MSIE browser when I'm logged into the
> > domain I get a
> > > username/password prompt. I want it to be able to do it on the
> > > background, any suggestions?
> > >
> > > I've read just about everything there is to read on the net.
> > >
> > > Here is my what I have added to my squid.conf
> > >
> > > auth_param basic children 5
> > > auth_param basic realm Squid proxy-caching web server
> > > auth_param basic credentialsttl 2 hour
> > > auth_param basic casesensitive off
> > > auth_param basic program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-basic
> > > auth_param ntlm program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-ntlmssp
> > > auth_param ntlm children 30
> > > auth_param ntlm max_challenge_reuses 0
> > > auth_param ntlm max_challenge_lifetime 2 hour
> > >
> > >
> > > acl ntlm proxy_auth REQUIRED
> > >
> > > http_access allow ntlm
> > >
> > > I don't have one http_access rule and that's to allow the
> ntlm users
> > > through.
> > > Any suggestions?
> > >
> > Paul,
> >
> > Try reversing the order your auth_param basic and
> > ntlm declarations. While browsers are supposed to
> > pick the strongest authentication method, most seem
> > to latch onto the first one supplied.
> >
> > Regards,
> > David.
> > __
> >
> > David Gameau
> > ISTS - Systems Infrastructure Group
> > University of South Australia
> >
> > email: David.Gameau@UniSA.edu.au
> > phone: +61 8 302 3533
> > fax: +61 8 302 5800
> >
> > Disclaimer: "His brain sometimes stops working." - Chiyo,
> > Azumanga Daioh
> >
> >
> >
> >
> >
>
>
>
>
Received on Wed Sep 21 2005 - 23:55:52 MDT

This archive was generated by hypermail pre-2.1.9 : Sat Oct 01 2005 - 12:00:03 MDT