RE: [SQU] Disable authentication Realm, No Authprompts with MS-Proxy Explorer, : Now where is the NTLM module?

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Wed, 18 Oct 2000 09:29:55 +0200

> > a) Some readme describing the NTLM process in general
>
> Very needed!

My bad. I'm a bit caught up with some problems at the moment,
will write one ASAP. I admit that I've been saying that for
3 weeks now...

> > b) squid.conf should (shortly) list the arguments of the ntlm_auth
> > helper. Or at least the helper prog should give a usage message with
> > no or unparsable arguments. The info in the source alone is too
> > hidden.
>
> There is room for more than one helper, but yes, the helper
> should print its own arguments.

I have planned to add statistics to the helpers. It should
be something like kill -HUP the helpers and see the stats
in cache.log. Unless we extend the helper protocol and extend
the cache_object interface...

> > d) It should be made more clear if the DC argument to ntlm_auth must be
> > the NetBIOS name or might be an IP address or other name. Similarly
> > it should be made more clear if user names in proxy_auth ACLs must
> > be <domain>\<user> or not. It seems that the default domain for ntlm
> > config option has no effect THERE.
>
> It should take an IP or DNS name. WINS name lookup is not
> supported at this time.
> Yes, usernames are domain\user in lowercase; doco will solve this...

No, it MUST be the NetBIOS name. The NetBIOS server will refuse the
connection unless called by name. It's a problem with NetBIOS, and
we can do nothing about it.

> The default domain affects what is requested, not what is
> returned by the helper.

Actually the default domain is only used when connecting now.
The user is currently REQUIRED to supply a domain. Maybe we can
try doing without it, and use the DC's domain as default if
the user doesn't supply any domain, but I'll have to look
into that. Don't expect anything though...

> > And now to a real bug and then my problem:
> >
> > e) It seems I need to specify the DC by NetBIOS name and ensure it can be
> > translated to an IP address with the normal resolver. If the name cannot
> > be resolved, ntlm_auth gives no error and does not abort. Instead it
> > connects to a bogus IP address. Unfortunately it is not a real bogus
> > address, but the IP of the name server. In my case this was really
> > bad because it is almost the address of the PDC and it is also an NT
> > system, so I got odd SMB errors because the name server really wondered
> > why I ask it for a connection to the PDC, and I had a hard time finding
> > that out by system call traces and stuff.
>
> Just use the IP of the PDC. NetBIOS name resolution is not
> performed; see above.

Have you tried this? When I have, the DC refused the connection.

-- 
	/kinkie
--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Wed Oct 18 2000 - 11:07:17 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:47 MST
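The failure mode in point e) of the quoted post (an unresolvable DC name silently turning into a connection to the name server's address) is the kind of thing a pre-flight check can catch before the helper is ever started. The script below is an added example written for this page; it is not code from the thread, from Squid or from the ntlm_auth helper. It assumes what both posters describe: the DC is supplied as a NetBIOS name that the ordinary resolver turns into an IP, and /etc/resolv.conf lists the name servers. The sample resolv.conf text and the stand-in resolvers are constructed for offline use; `check_dc_argument` and the other names are the example's own.

```python
import ipaddress
import socket

# Constructed sample resolv.conf contents for offline use; not from any real host.
SAMPLE_RESOLV_CONF = """\
search example.test
nameserver 192.0.2.53
nameserver 192.0.2.54
"""

NETBIOS_NAME_MAX = 15  # NetBIOS names carry at most 15 characters; the 16th byte is a suffix


def nameserver_addresses(resolv_conf_text):
    """Collect the 'nameserver' entries from resolv.conf-style text."""
    addrs = set()
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                addrs.add(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass  # skip malformed entries rather than abort the check
    return addrs


def is_ip_literal(text):
    """True when the argument is a bare IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def unresolvable(name):
    """Stand-in resolver (constructed) that fails the way gethostbyname does on an unknown name."""
    raise socket.gaierror(-2, f"{name}: Name or service not known")


def check_dc_argument(dc_name, resolver=socket.gethostbyname, resolv_conf_text=None):
    """Pre-flight check for the DC name handed to the helper.

    Returns (True, resolved_ip) when the name is usable, otherwise (False, reason).
    resolver is socket.gethostbyname by default and is injectable so the check
    can be exercised offline; resolv_conf_text defaults to /etc/resolv.conf.
    """
    # The thread's point: the DC refuses connections not made by NetBIOS name,
    # so an IP literal is rejected outright instead of being passed through.
    if is_ip_literal(dc_name):
        return (False, "DC must be given as a NetBIOS name, not an IP literal")
    if not dc_name or len(dc_name) > NETBIOS_NAME_MAX:
        return (False, "not a plausible NetBIOS name (1 to 15 characters)")

    # Fail loudly on a lookup error; the helper described in the thread did not.
    try:
        resolved = resolver(dc_name)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return (False, f"name does not resolve: {exc}")

    # Guard against the exact symptom reported: the "DC" address being a name server.
    if resolv_conf_text is None:
        with open("/etc/resolv.conf") as fh:
            resolv_conf_text = fh.read()
    if ipaddress.ip_address(resolved) in nameserver_addresses(resolv_conf_text):
        return (False, f"{dc_name} resolved to a configured name server ({resolved}); refusing")
    return (True, resolved)


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "PDC"
    ok, detail = check_dc_argument(name)
    print(("OK" if ok else "REFUSED") + ": " + detail)
    sys.exit(0 if ok else 1)
```

Run it with the DC name you intend to put on the helper's command line; a non-zero exit means the name would not have reached the PDC, and the reason tells you which of the three conditions from the thread tripped.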