Patch file generated Mon Apr 30 20:21:11 2001 from CVS branch cygwin CVS repository: rbcollins@cvs.squid.sourceforge.net:/cvsroot/squid CVS module: squid/src/auth/basic/helpers
Index: squid/src/auth/basic/helpers/win32_locallogon/Makefile.in
diff -u /dev/null squid/src/auth/basic/helpers/win32_locallogon/Makefile.in:1.1.2.2
--- /dev/null Thu Jan 1 01:00:00 1970
+++ squid/src/auth/basic/helpers/win32_locallogon/Makefile.in Mon Apr 30 03:07:06 2001
@@ -0,0 +1,96 @@
+#
+# Makefile for the Squid Object Cache server
+#
+# $Id$
+#
+# Uncomment and customize the following to suit your needs:
+#
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+exec_suffix = @exec_suffix@
+cgi_suffix = @cgi_suffix@
+top_srcdir = @top_srcdir@
+bindir = @bindir@
+libexecdir = @libexecdir@
+sysconfdir = @sysconfdir@
+localstatedir = @localstatedir@
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+# Gotta love the DOS legacy
+#
+AUTH_EXE = NT_auth$(exec_suffix)
+
+CC = @CC@
+MAKEDEPEND = @MAKEDEPEND@
+INSTALL = @INSTALL@
+INSTALL_BIN = @INSTALL_PROGRAM@
+INSTALL_FILE = @INSTALL_DATA@
+INSTALL_SUID = @INSTALL_PROGRAM@ -o root -m 4755
+RANLIB = @RANLIB@
+LN_S = @LN_S@
+PERL = @PERL@
+CRYPTLIB = @CRYPTLIB@
+REGEXLIB = @REGEXLIB@
+PTHREADLIB = @PTHREADLIB@
+SNMPLIB = @SNMPLIB@
+MALLOCLIB = @LIB_MALLOC@
+AC_CFLAGS = @CFLAGS@
+LDFLAGS = @LDFLAGS@
+XTRA_LIBS = @XTRA_LIBS@
+XTRA_OBJS = @XTRA_OBJS@
+MV = @MV@
+RM = @RM@
+SHELL = /bin/sh
+DEFINES =
+
+INCLUDE = -I. -I../../../../../include -I$(top_srcdir)/include -I$(top_srcdir)/src
+CFLAGS = $(AC_CFLAGS) $(INCLUDE) $(DEFINES)
+AUTH_LIBS = $(XTRA_LIBS) -lnetapi32
+
+LIBPROGS = $(AUTH_EXE)
+OBJS = NT_auth.o valid.o
+
+all: $(AUTH_EXE)
+
+$(AUTH_EXE): $(OBJS)
+ $(CC) $(LDFLAGS) $(OBJS) -o $@ $(AUTH_LIBS)
+
+install-mkdirs:
+ -@if test ! -d $(prefix); then \
+ echo "mkdir $(prefix)"; \
+ mkdir $(prefix); \
+ fi
+ -@if test ! -d $(libexecdir); then \
+ echo "mkdir $(libexecdir)"; \
+ mkdir $(libexecdir); \
+ fi
+
+# Michael Lupp wants to know about additions
+# to the install target.
+install: all install-mkdirs
+ @for f in $(LIBPROGS); do \
+ if test -f $(libexecdir)/$$f; then \
+ echo $(MV) $(libexecdir)/$$f $(libexecdir)/-$$f; \
+ $(MV) $(libexecdir)/$$f $(libexecdir)/-$$f; \
+ fi; \
+ echo $(INSTALL_BIN) $$f $(libexecdir); \
+ $(INSTALL_BIN) $$f $(libexecdir); \
+ if test -f $(libexecdir)/-$$f; then \
+ echo $(RM) -f $(libexecdir)/-$$f; \
+ $(RM) -f $(libexecdir)/-$$f; \
+ fi; \
+ done
+
+clean:
+ -rm -rf *.o *pure_* core $(PROGS)
+
+distclean: clean
+ -rm -f Makefile
+
+tags:
+ ctags *.[ch]
+
+depend:
+ $(MAKEDEPEND) -fMakefile *.c
Index: squid/src/auth/basic/helpers/win32_locallogon/NT_auth.c
diff -u /dev/null squid/src/auth/basic/helpers/win32_locallogon/NT_auth.c:1.1.2.2
--- /dev/null Thu Jan 1 01:00:00 1970
+++ squid/src/auth/basic/helpers/win32_locallogon/NT_auth.c Mon Apr 30 03:20:19 2001
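Review bot: In Makefile.in the `clean` target removes `$(PROGS)`, but this file defines only `LIBPROGS` and `AUTH_EXE`, so `make clean` leaves the built helper in place; the rule should read `-rm -rf *.o *pure_* core $(LIBPROGS)`. `INSTALL_SUID = @INSTALL_PROGRAM@ -o root -m 4755` is also defined and never referenced by any rule in this file. For a helper that handles plaintext credentials it is safer to delete that line, so that a later edit cannot pick up a setuid-root install by accident.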
@@ -0,0 +1,154 @@
+/*
+ NT_auth - Version 1.1
+
+ Modified to act as a Squid authenticator module.
+ Can run as dll on NT native port.
+ Removed all Pike stuff.
+ Returns OK for a successful authentication, or ERR upon error.
+
+ Guido Serassio, Torino - Italy
+ Sun Dec 10 22:24:26 CST 2000
+
+ Uses code from -
+ Antonino Iannella 2000
+ Andrew Tridgell 1997
+ Richard Sharpe 1996
+ Bill Welliver 1999
+
+ Released under GNU Public License
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "squid.h"
+#include "valid.h"
+
+/* Main program for simple authentication.
+ Scans and checks for Squid input, and attempts to validate the user.
+*/
+
+#if defined (_SQUID_CYGWIN_)
+static char NTGroup[256];
+
+int
+main(int argc, char **argv)
+#elif defined (_SQUID_MSWIN_)
+typedef struct
+{
+ void *data;
+ acl_proxy_auth_user *auth_user;
+ RH *handler;
+}
+authenticateStateData;
+
+static char *NTGroup = NULL;
+BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason,
+ LPVOID reserved /* Not used. */ );
+
+__declspec(dllexport)
+ int Authenticate(char *username, char *password,
+ authenticateStateData * data, HLPCB callback)
+#else
+#error NON WINDOWS PLATFORM
+#endif
+{
+#if defined(_SQUID_CYGWIN_)
+ char wstr[256];
+ char username[256];
+ char password[256];
+ char *p;
+
+ if (argc != 2) {
+ fprintf(stderr, "Usage: NT_auth \n");
+ exit(1);
+ }
+ strcpy(NTGroup, argv[1]);
+ while (1) {
+ /* Read whole line from standard input. Terminate on break. */
+ if (fgets(wstr, 255, stdin) == NULL)
+ break;
+ if ((p = strchr(wstr, '\n')) != NULL)
+ *p = '\0'; /* strip \n */
+ if ((p = strchr(wstr, '\r')) != NULL)
+ *p = '\0'; /* strip \r */
+ /* Clear any current settings */
+ username[0] = '\0';
+ password[0] = '\0';
+ sscanf(wstr, "%s %s", username, password); /* Extract parameters */
+#endif
+ /* Check for invalid or blank entries */
+ if ((username[0] == '\0') || (password[0] == '\0')) {
+#if defined(_SQUID_CYGWIN_)
+ puts("ERR");
+ fflush(stdout);
+ continue;
+#else
+ (callback) (data, "ERR");
+ return 0;
+#endif
+ }
+ if (Valid_User(username, password, NTGroup) == NTV_NO_ERROR)
+#if defined(_SQUID_CYGWIN_)
+ puts("OK");
+#else
+ (callback) (data, "OK");
+#endif
+ else
+#if defined(_SQUID_CYGWIN_)
+ puts("ERR");
+ fflush(stdout);
+#else
+ (callback) (data, "ERR");
+#endif
+ }
+ return 0;
+}
+
+/* Valid_User return codes -
+
+ 0 - User authenticated successfully.
+ 1 - Server error.
+ 2 - Protocol error.
+ 3 - Logon error; Incorrect password or username given.
+*/
+
+#ifndef _SQUID_CYGWIN_
+
+__declspec(dllexport)
+ int Init(char *Group)
+{
+ if (NTGroup)
+ xfree(NTGroup);
+ NTGroup = xstrdup(Group);
+ return 0;
+}
+BOOL APIENTRY
+DllMain(HINSTANCE hInst /* Library instance handle. */ ,
+ DWORD reason /* Reason this function is being called. */ ,
+ LPVOID reserved /* Not used. */ )
+{
+ switch (reason) {
+ case DLL_PROCESS_ATTACH:
+ break;
+ case DLL_PROCESS_DETACH:
+ break;
+ case DLL_THREAD_ATTACH:
+ break;
+ case DLL_THREAD_DETACH:
+ break;
+ }
+ return TRUE;
+}
+#endif
Index: squid/src/auth/basic/helpers/win32_locallogon/README.txt
diff -u /dev/null squid/src/auth/basic/helpers/win32_locallogon/README.txt:1.1.2.1
--- /dev/null Thu Jan 1 01:00:00 1970
+++ squid/src/auth/basic/helpers/win32_locallogon/README.txt Mon Apr 30 02:47:14 2001
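Review bot: In NT_auth.c's Cygwin read loop, `fgets(wstr, 255, stdin)` returns an over-long request in pieces and each piece is parsed and answered as if it were its own username/password line, so one long input yields several replies and the helper's answers can fall out of step with the requests Squid sent. A read that contains no `\n` should be treated as a malformed request: discard the rest of the line, answer `ERR` once and continue, as sketched below. `strcpy(NTGroup, argv[1])` just before the loop copies an unbounded argument into the 256-byte static buffer; the group name's length should be checked against `sizeof(NTGroup)` first, with a usage error on overflow. Separately, when `_SQUID_MSWIN_` is defined the `while (1) {` opener is compiled out, so the `}` before `return 0;` closes `Authenticate` itself and the trailing `return 0; }` is left at file scope; the DLL branch needs its own closing structure.

```c
    while (1) {
	if (fgets(wstr, sizeof(wstr), stdin) == NULL)
	    break;
	if ((p = strchr(wstr, '\n')) == NULL) {
	    /* Request longer than the buffer: drop the remainder, reply once. */
	    int c;
	    while ((c = getchar()) != EOF && c != '\n')
		;
	    puts("ERR");
	    fflush(stdout);
	    continue;
	}
	*p = '\0';
	/* … unchanged: \r strip, sscanf, blank-entry check, Valid_User call … */
```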
@@ -0,0 +1,77 @@
+This is a simple authentication module for the Squid proxy server running on Windows NT
+compiled with CygWin to authenticate users on an NT domain in native WIN32 mode.
+
+Usage is simple. It accepts a username and password on standard input
+and will return OK if the username/password is valid for the domain/machine,
+or ERR if there was some problem.
+It's possible to authenticate against NT trusted domains specifyng the username
+in the domain\username Microsoft notation.
+
+This is released under the GNU General Public License and
+is available from http://serassio.interfree.it.
+
+Allowing Users -
+
+Users that are allowed to access the web proxy must have the Windows NT
+User Rights "logon from the network" and must be included in the NT LOCAL User Group
+specified in the Authenticator's command line.
+This can be accomplished creating a local user group on the NT machine, grant the privilege,
+and adding users to it.
+
+The squid process must have the NT User Rights "Act as part of the operating system",
+this is true if squid runs as a service with LocalSystem Account.
+
+Installation -
+
+Type 'make', then 'make install', then 'make clean'.
+
+The default is to install 'nt_auth' into /usr/local/squid/bin.
+
+Refer to Squid documentation for the required changes to squid.conf.
+You will need to set the following line to enable the authenticator:
+
+authenticate_program /usr/local/squid/bin/NT_auth
+
+You will need to set the following lines to enable authentication for
+your access list -
+
+ acl proxy_auth REQUIRED
+ http_access allow
+
+You will need to specify the absolute path to NT_auth in the
+authenticate_program directive, and check the authenticate_children
+and authenticate_ttl.
+
+Compilation issues -
+
+The Makefile assumes that GCC is in the current PATH.
+NT_auth compile ONLY on CygWin Environment or MS VC++.
+
+Note: Under MS VC++ this package compile as a dll, an work only with my release
+of native NT Squid 2.3 Stable4 port.
+
+Testing -
+
+I strongly urge that NT_auth is tested prior to being used in a
+production environment. It may behave differently on different platforms.
+To test it, run it from the command line. Enter username and password
+pairs separated by a space. Press ENTER to get an OK or ERR message.
+Make sure pressing behaves the same as a carriage return.
+Make sure pressing aborts the program.
+
+NOTE: the NT user running the NT_auth module, must have the NT User Rights
+"Act as part of the operating system".
+
+Test that entering no details does not result in an OK or ERR message.
+Test that entering an invalid username and password results in an ERR message.
+Note that if NT guest user access is allowed on the PDC, an OK message
+may be returned instead of ERR.
+Test that entering an valid username and password results in an OK message.
+Test that entering a guest username and password returns the correct
+response for the site's access policy.
+
+Contact details -
+
+To contact the maintainer of this package, email Guido Serassio
+on serassio@interfree.it.
+The latest version may be found on http://serassio.interfree.it/SquidNT.htm.
Index: squid/src/auth/basic/helpers/win32_locallogon/valid.c
diff -u /dev/null squid/src/auth/basic/helpers/win32_locallogon/valid.c:1.1.2.1
--- /dev/null Thu Jan 1 01:00:00 1970
+++ squid/src/auth/basic/helpers/win32_locallogon/valid.c Mon Apr 30 02:47:14 2001
@@ -0,0 +1,99 @@
+#include "squid.h"
+#include
+#if defined(_SQUID_CYGWIN_)
+#include
+#endif
+#include
+#include
+#include "valid.h"
+
+int
+Valid_User(char *UserName, char *Password, char *Group)
+{
+ HANDLE hToken;
+ int result = NTV_LOGON_ERROR;
+ int error;
+ char NTDomain[256];
+ char *domain_qualify;
+ char DomainUser[256];
+ WCHAR wszUserName[256]; // Unicode user name
+ WCHAR wszGroup[256]; // Unicode Group
+
+ LPLOCALGROUP_USERS_INFO_0 pBuf = NULL;
+ LPLOCALGROUP_USERS_INFO_0 pTmpBuf;
+ DWORD dwLevel = 0;
+ DWORD dwFlags = LG_INCLUDE_INDIRECT;
+ DWORD dwPrefMaxLen = -1;
+ DWORD dwEntriesRead = 0;
+ DWORD dwTotalEntries = 0;
+ NET_API_STATUS nStatus;
+ DWORD i;
+ DWORD dwTotalCount = 0;
+
+/* Convert ANSI User Name and Group to Unicode */
+
+ MultiByteToWideChar(CP_ACP, 0, UserName,
+ strlen(UserName) + 1, wszUserName,
+ sizeof(wszUserName) / sizeof(wszUserName[0]));
+ MultiByteToWideChar(CP_ACP, 0, Group,
+ strlen(Group) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0]));
+ if ((domain_qualify = strchr(UserName, '\\')) == NULL) {
+ strcpy(DomainUser, UserName);
+ strcpy(NTDomain, ".");
+ } else {
+ strcpy(DomainUser, domain_qualify + 1);
+ domain_qualify[0] = '\0';
+ strcpy(NTDomain, UserName);
+ }
+ /* Log the client on to the local computer. */
+ if (!LogonUser(DomainUser,
+ NTDomain,
+ Password,
+ LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hToken)) {
+ result = NTV_LOGON_ERROR;
+ error = GetLastError();
+ } else {
+ /*
+ * Call the NetUserGetLocalGroups function
+ * specifying information level 0.
+ *
+ * The LG_INCLUDE_INDIRECT flag specifies that the
+ * function should also return the names of the local
+ * groups in which the user is indirectly a member.
+ */
+ nStatus = NetUserGetLocalGroups(NULL,
+ wszUserName,
+ dwLevel,
+ dwFlags,
+ (LPBYTE *) & pBuf, dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries);
+ /*
+ * If the call succeeds,
+ */
+ if (nStatus == NERR_Success) {
+ if ((pTmpBuf = pBuf) != NULL) {
+ for (i = 0; i < dwEntriesRead; i++) {
+ assert(pTmpBuf != NULL);
+ if (pTmpBuf == NULL) {
+ result = NTV_SERVER_ERROR;
+ break;
+ }
+ if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) {
+ result = NTV_NO_ERROR;
+ break;
+ }
+ pTmpBuf++;
+ dwTotalCount++;
+ }
+ }
+ } else
+ result = NTV_SERVER_ERROR;
+ /*
+ * Free the allocated memory.
+ */
+ if (pBuf != NULL)
+ NetApiBufferFree(pBuf);
+ }
+ if (hToken != INVALID_HANDLE_VALUE)
+ CloseHandle(hToken);
+ return result;
+}
Index: squid/src/auth/basic/helpers/win32_locallogon/valid.h
diff -u /dev/null squid/src/auth/basic/helpers/win32_locallogon/valid.h:1.1.2.2
--- /dev/null Thu Jan 1 01:00:00 1970
+++ squid/src/auth/basic/helpers/win32_locallogon/valid.h Mon Apr 30 03:22:08 2001
@@ -0,0 +1,16 @@
+#ifndef _VALID_H_
+#define _VALID_H_
+/* SMB User verification function */
+
+#define NTV_NO_ERROR 0
+#define NTV_SERVER_ERROR 1
+#define NTV_PROTOCOL_ERROR 2
+#define NTV_LOGON_ERROR 3
+
+#ifndef LOGON32_LOGON_NETWORK
+#define LOGON32_LOGON_NETWORK 3
+#endif
+
+int Valid_User(char *, char *, char *);
+
+#endif
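Review bot: In valid.c, `hToken` is never initialised, yet `if (hToken != INVALID_HANDLE_VALUE) CloseHandle(hToken);` runs after a failed `LogonUser`, so every rejected login reads an indeterminate handle value and may close whatever handle it happens to name; initialise it and close it only in the success branch. `Valid_User` also trusts its callers for length: the `strcpy` calls into the 256-byte `DomainUser`/`NTDomain` buffers have no bound check, and both `MultiByteToWideChar` return values are ignored, which may leave `wszUserName`/`wszGroup` unterminated when a conversion fails. The function is also reached from the exported `Authenticate` in NT_auth.c with caller-supplied pointers, so rejecting NULL or over-long arguments and failed conversions up front keeps it failing closed; a sketch follows. `error` is assigned from `GetLastError()` and never used, so it should be either logged or dropped.

```c
    HANDLE hToken = NULL;
    /* … unchanged: other declarations … */

    if (UserName == NULL || Password == NULL || Group == NULL)
	return NTV_LOGON_ERROR;
    if (strlen(UserName) >= sizeof(DomainUser))
	return NTV_LOGON_ERROR;
    if (MultiByteToWideChar(CP_ACP, 0, UserName, -1, wszUserName,
	    sizeof(wszUserName) / sizeof(wszUserName[0])) == 0 ||
	MultiByteToWideChar(CP_ACP, 0, Group, -1, wszGroup,
	    sizeof(wszGroup) / sizeof(wszGroup[0])) == 0)
	return NTV_SERVER_ERROR;
    /* … unchanged: domain split, LogonUser call, group lookup … */
	if (pBuf != NULL)
	    NetApiBufferFree(pBuf);
	CloseHandle(hToken);	/* moved into the success branch: the token exists only here */
    }
    return result;
```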