Re: Squid-ntlm compiling problems #2-1

From: Thomas Goebel <thomas@dont-contact.us>
Date: Fri, 06 Oct 2000 15:39:53 +0200

Hello,

I forgot the entry in cache.log.

Here it is.

Huh? Got two authentications in a row
SMB_SessSetupAndX failed with errorclass = 1, Error Code = 5
ntlm-auth: ERR authentication failure
2000/10/06 15:38:08| aclLookupProxyNTLMAuthDone: bad NTLM negotiate
request recieved on FD:19.

cu

Thomas

Hello,

Now I try to connect with IE and this happened:

192.6.0.52 HERPA%5cgoebelt - [06/Oct/2000:15:39:34 +0200] "GET
http://www.msn.de/ HTTP/1.0" 407 1379 TCP_DENIED:NONE

I login to the domain as goebelt.

What's wrong??

Here are the squid.conf lines which I added to my old squid.conf:

-authenticate_program_ntlm /squid-ntlm/ntlm_auth_modules/NTLMSSP/ntlm_auth -d herpa -s ntserver1

-authenticate_ntlm_default_domain herpa

cu

Thomas

Robert Collins wrote:
>
> Thomas,
> Sorry I didn't reply to the first email, I was very busy this
> week.
>
> please delete lines 688 and 689 from helper.c. They snuck into CVS.
> (oops!)
>
> I'll commit a fix to CVS tomorrow.
>
> Rob
>
> > -----Original Message-----
> > From: Thomas Goebel [mailto:thomas@an-netz.de]
> > Sent: Friday, 6 October 2000 5:12 PM
> > To: Robert Collins
> > Cc: squid-users@ircache.net
> > Subject: Squid-ntlm compiling problems #2
> >
> >
> > Hello list and Robert,
> >
> > Now I have time to install squid-ntlm.
> >
> > Here is what I have done:
> >
> > step 1
> > fwi:/DOWN/squid-ntlm # autoconf
> > configure.in:905: warning: AC_TRY_RUN called without default to allow
> > cross compiling
> > configure.in:999: warning: AC_TRY_RUN called without default to allow
> > cross compiling
> > configure.in:1000: warning: AC_TRY_RUN called without default to allow
> > cross compiling
> > configure.in:1001: warning: AC_TRY_RUN called without default to allow
> > cross compiling
> > configure.in:1275: warning: AC_TRY_RUN called without default to allow
> > cross compiling
> > fwi:/DOWN/squid-ntlm #
> >
> >
> > step2
> > fwi:/DOWN/squid-ntlm # autoheader
> > configure.in:905: warning: AC_TRY_RUN called without default to allow
> > cross compiling
> > configure.in:1275: warning: AC_TRY_RUN called without default to allow
> > cross compiling
> > fwi:/DOWN/squid-ntlm #
> >
> > step3
> > fwi:/DOWN/squid-ntlm # ./configure --enable-ntlm-authentication
> > --enable-ntlm-auth-modules=NTLMSSP --enable-snmp
> > --enable-basic-authentication
> >
> > works without errors!!!
> >
> > step4
> > fwi:/DOWN/squid-ntlm # make
> > ....
> > helper.c: In function `StatefulEnqueue':
> > helper.c:688: warning: suggest parentheses around assignment used as
> > truth value
> > helper.c:689: warning: implicit declaration of function
> > `helperStatefulSpawnServers'
> > ....
> >
> > gcc -o squid -g access_log.o acl.o asn.o authenticate.o cache_cf.o
> > CacheDigest.o cache_manager.o carp.o
> > cbdata.o client_db.o client_side.o comm.o comm_select.o debug.o disk.o
> > dns_internal.o errorpage.o ETag.o event.o fd.o filemap.o forward.o
> > fqdncache.o ftp.o globals.o gopher.o helper.o http.o HttpStatusLine.o
> > HttpHdrCc.o HttpHdrRange.o HttpHdrContRange.o HttpHeader.o
> > HttpHeaderTools.o HttpBody.o HttpMsg.o HttpReply.o
> > HttpRequest.o icmp.o
> > icp_v2.o icp_v3.o ident.o internal.o ipc.o ipcache.o logfile.o main.o
> > mem.o MemPool.o MemBuf.o mime.o multicast.o neighbors.o net_db.o
> > Packer.o pconn.o peer_digest.o peer_select.o redirect.o referer.o
> > refresh.o repl_modules.o send-announce.o snmp_core.o
> > snmp_agent.o ssl.o
> > stat.o StatHist.o String.o stmem.o store.o store_io.o store_client.o
> > store_digest.o store_dir.o store_key_md5.o store_log.o store_modules.o
> > store_rebuild.o store_swapin.o store_swapmeta.o store_swapout.o
> > string_arrays.o
> > tools.o unlinkd.o url.o urn.o useragent.o wais.o wccp.o whois.o
> > fs/ufs.a repl/lru.a -L../lib -lcrypt -L../snmplib -lsnmp -lmiscutil
> > -lm -lresolv -lnsl
> > helper.o: In function `StatefulEnqueue':
> > /DOWN/squid-ntlm/src/helper.c:689: undefined reference to
> > `helperStatefulSpawnServers'
> > collect2: ld returned 1 exit status
> > make[2]: *** [squid] Error 1
> > make[2]: Leaving directory `/DOWN/squid-ntlm/src'
> > make[1]: *** [all] Error 2
> > make[1]: Leaving directory `/DOWN/squid-ntlm/src'
> > make: *** [all] Error 1
> > fwi:/DOWN/squid-ntlm #
> >
> > OK. What can I do???
> >
> > cu
> >
> > Thomas
> >
> >
> > Robert Collins wrote:
> > >
> > > Thomas,
> > > please keep replies cc:d to the list. Thanks.
> > >
> > > Are you looking in "ntlm_auth_modules" or "auth_modules"? See
> > > 1. key changes to squid below.
> > >
> > > Rob
> > >
> > > ----- Original Message -----
> > > From: <thomas@tomys.de>
> > > To: "Robert Collins" <robert.collins@itdomain.com.au>
> > > Sent: Wednesday, September 20, 2000 6:04 AM
> > > Subject: Re: [SQU] automatic smb_auth
> > >
> > > > Hello,
> > > >
> > > > Sorry, but I cannot find the ntlm-auth source code. I downloaded the
> > > > CVS tree and some source packages. There is only
> > > > auth_modules/multi-domain-NTLM/smb_auth.pl
> > > >
> > > > Please tell me where I can find the ntlm source.
> > > >
> > > > cu
> > > > Thomas
> > > >
> > > > > Well it's not well documented yet... but here's a quick list of
> > > > > things to do & notes about ntlm auth.
> > > > > Hey kinkie have I missed anything drastic? I might turn this list
> > > > > into the start of our HOW-TO ...
> > > > >
> > > > >
> > > > > 0. background
> > > > > - within HTTP there are three common authentication types: BASIC,
> > > > > DIGEST, NTLM. Of these only BASIC and DIGEST are official
> > > > > http authentication protocols. Basic authentication is clear text.
> > > > > Digest uses a challenge-response format, as does NTLM.
> > > > > - Challenge-response helpers in squid cannot be tested from the
> > > > > command-line for two reasons. One: the helper needs the base64 data
> > > > > from the client to correctly interpret and verify the authentication
> > > > > request. Two: the authentication requests are stateful, so you need
> > > > > to generate the correct response to the 1st result the helper gives
> > > > > you.
> > > > > - NTLM and proxies. NTLM was not designed with stateless (ie HTTP)
> > > > > environments in mind. MS have got it to work, via a massive hack on
> > > > > the protocol. It DOES NOT WORK THROUGH PROXIES. Only the first hop
> > > > > can be NTLM authenticated. This includes MS's IIS based proxy
> > > > > products. NTLM will also not work with transparent proxies (same
> > > > > reason as BASIC authentication doesn't), so please, don't ask.
> > > > > 1. key changes to squid
> > > > > - the auth_modules directory is largely irrelevant for ntlm based
> > > > > environments. The helpers in auth_modules are BASIC helpers only.
> > > > > This includes the smb_auth, MSNT and multi-domain-NTLM.
> > > > > - there is a new directory ntlm_auth_helpers that contains the NTLM
> > > > > helper source programs.
> > > > > - the default ./configure will not enable any authentication code in
> > > > > squid (great for ISP's). New configuration directives allow
> > > > > basic auth, the basic auth modules to build, ntlm-auth, and the ntlm
> > > > > auth modules to build to be handled separately. Compiling in both
> > > > > basic and ntlm auth will allow you to 'fall back' to basic
> > > > > authentication if a browser does not support NTLM.
> > > > > 2. howto get NTLM authentication working
> > > > > - download the source
> > > > > - configure with (at a minimum) --enable-ntlm-authentication and
> > > > > --enable-ntlm-auth-modules=NTLMSSP
> > > > > - check the ntlmssp source code for any hardcoded parameters (it's
> > > > > only just stabilised, there may be some 'magic' in the source at the
> > > > > moment). Also the command-line format is documented in the source.
> > > > > - you can use fakeauth or no_check if you just want to validate the
> > > > > username, but not check the password/login time limits.
> > > > > - compile and install squid
> > > > > - edit the squid.conf to specify the ntlm_authentication_helper
> > > > > command-line and at least one proxy_auth acl entry.
> > > > > - cross fingers (:-]) and use internet explorer FROM A DOMAIN USER
> > > > > ACCOUNT to surf the web.
> > > > >
> > > > > Rob
> > > > >
> > > > >
> > > > > Thomas Goebel wrote:
> > > > >
> > > > > > Hello,
> > > > > >
> > > > > > Sorry, I installed NTLM. But it does not work.
> > > > > > I tried to authenticate at the command line with smb_auth.pl and
> > > > > > this also did not work.
> > > > > >
> > > > > > Please help. Where can I get information on NTLM?
> > > > > >
> > > > > > cu
> > > > > >
> > > > > > Thomas
> > > > > >
> > > > > > Robert Collins wrote:
> > > > > > >
> > > > > > > This is exactly what the recently developed NTLM authentication
> > > > > > > for squid does.
> > > > > > >
> > > > > > > It uses MS challenge handshaking authentication protocol (CHAP)
> > > > > > > for the browser. You need internet explorer 3 or newer to use it.
> > > > > > >
> > > > > > > Rob
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: "Thomas Goebel" <thomas@an-netz.de>
> > > > > > > To: <squid-users@ircache.net>; <linuxml@hekkihek.hacom.nl>
> > > > > > > Sent: Tuesday, September 19, 2000 11:36 PM
> > > > > > > Subject: [SQU] automatic smb_auth
> > > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > Is it possible to perform the authentication against the
> > > > > > > > proxy automatically, invisible to the Windows user?
> > > > > > > > The Microsoft IIS authenticates the user, logged in at the
> > > > > > > > workstation, automatically.
> > > > > > > >
> > > > > > > > cu
> > > > > > > >
> > > > > > > > Thomas
> > > > > > > >
> > > > > > > > --
> > > > > > > > To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
> > > > > > > >
> > > > > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > >
> > > > ################################################
> > > > # Thomas Goebel <Systemadministrator> #
> > > > # #
> > > > # E-Mail: thomas@an-netz.baynet.de #
> > > > # #
> > > > # Stellvertr. Vorsitzender im #
> > > > # Traegerverein-Buergernetz-Ansbach-Netz e.V. #
> > > > ################################################
> > > > # Server-URL: www.an-netz.baynet.de #
> > > > # #
> > > > # SysAdmin: #
> > > > # Felix Risling <felix@an-netz.baynet.de> #
> > > > # Thomas Goebel <thomas@an-netz.baynet.de> #
> > > > ################################################
> > > >
> > >
> > > --
> > > To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
> >

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Fri Oct 06 2000 - 07:46:59 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:42 MST
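
Added example, not part of the original thread or of Squid's code: the how-to quoted above notes that the NTLM helper works on base64 data from the client and that the exchange is stateful, so when cache.log reports a "bad NTLM negotiate request" it helps to decode the Proxy-Authorization value and see which step the browser actually sent. The function names and the sample messages are constructed for illustration; the field offsets follow the publicly documented NTLMSSP message layout, and decoding OEM strings as latin-1 is an assumption.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NAMES = {1: "negotiate", 2: "challenge", 3: "authenticate"}
NEGOTIATE_UNICODE = 0x00000001  # flag bit: strings are UTF-16LE, not OEM

def _secbuf(msg, pos):
    """Return the bytes a security buffer (length, allocated, offset) points at."""
    length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def describe_ntlm(header_value):
    """Classify the token of a 'Proxy-Authorization: NTLM <base64>' value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM credential")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("missing NTLMSSP signature")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    info = {"type": mtype, "name": NAMES.get(mtype, "unknown")}
    if mtype == 3:
        if len(msg) < 52:
            raise ValueError("truncated authenticate message")
        # The flags field at offset 60 exists only if the payload starts at 64 or later.
        first = min(struct.unpack_from("<I", msg, p + 4)[0] for p in (12, 20, 28, 36, 44))
        flags = struct.unpack_from("<I", msg, 60)[0] if first >= 64 and len(msg) >= 64 else 0
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"  # OEM assumed latin-1
        info["domain"] = _secbuf(msg, 28).decode(enc)
        info["user"] = _secbuf(msg, 36).decode(enc)
    return info

def sample_negotiate():
    """Constructed Type 1 message: signature, type and flags only."""
    return "NTLM " + base64.b64encode(SIGNATURE + struct.pack("<II", 1, 0xB203)).decode()

def sample_authenticate(domain="HERPA", user="goebelt"):
    """Constructed Type 3 message with empty LM/NT responses (not a capture)."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    bufs, off = b"", 64
    for data in (b"", b"", d, u, b"", b""):  # LM, NT, domain, user, host, key
        bufs += struct.pack("<HHI", len(data), len(data), off)
        off += len(data)
    msg = SIGNATURE + struct.pack("<I", 3) + bufs + struct.pack("<I", NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(msg + d + u).decode()
```

A browser that sends a Type 3 (authenticate) where the proxy expects a Type 1 (negotiate), or the reverse, shows up here as a mismatch between the decoded name and the step the proxy is at.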