Re: squid3 PRE1 ?

From: <michele.de-martin@dont-contact.us>
Date: Wed, 23 Apr 2003 10:44:44 +0200

Here is what I've done (and I would like it to be included in the squid
distribution, if that is ok with you).

1. A perl script that can do basic authentication against multiple
non-trusted domains. It uses the "rpcclient" command from samba to
authenticate user credentials against PDCs.
The user credentials passed by squid are in the form "DOMAIN\USER
password", so it is easy to authenticate against the right PDC.

2. A perl script that can check whether a given user belongs to a given NT
group on a given PDC. It uses the "rpcclient" command from samba.
The user passed by squid is in the form "DOMAIN\USER", and again it is easy
to select the right PDC.

3. A C program (an ugly modification of "helpers/SMB/ntlm_auth.c") that does
all the YR->TT->KK->AF job. It relies on the first NEGOTIATE packet, sent
with "YR", to select the right domain/PDC.

All three programs use a line-based configuration file like this one:
--------------------
domain1 dc1,dc2 group1 user1%password1
domain2 dc3 group2 user2%password2
--------------------

The last column, "user%password", is used only by the second program to
check whether a user belongs to a group or not.

The "kit" is now in a production environment, but I ran into that strange
behaviour of random pop-up windows asking for username/password (see
squid-users for details).

On the right domain selection:
To my knowledge, a user can log in to an NT workstation/server only if his
domain is the same as the workstation's, or there is a trust relationship
between them. Given this situation, using the workstation domain to select
the PDC to authenticate against or using the user domain is much the same.
I think this is how an NT workstation authenticates a user from a trusted
domain (I am not sure about this).
This is also how the original NTLM squid authenticator works, I think.

Anyway, if my assumptions are wrong, it is still worth introducing multi-domain
authentication with the limitation that it works only if "user domain"
== "workstation domain". We can warn about it in the documentation/README etc.

Sorry for this long message.

PS. How can I add my work to squid?

Thank you.
Michele
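As an added illustration (my own example, not Michele's Perl helpers), this parses the four-column configuration file described above and routes the "DOMAIN\USER password" (basic helper) and "DOMAIN\USER" (group-check helper) lines squid hands over to the configured DC list and lookup credentials; an unconfigured domain yields None so the helper can answer ERR rather than try an arbitrary PDC. Case-insensitive domain matching is my assumption, not something the mail states.

```python
import re
from dataclasses import dataclass

# Constructed sample of the line-based config file from the mail:
# domain  dc-list  group  lookup-user%password
CONFIG_TEXT = """\
domain1 dc1,dc2 group1 user1%password1
domain2 dc3 group2 user2%password2
"""


@dataclass(frozen=True)
class DomainEntry:
    domain: str
    dcs: tuple            # ordered PDC/BDC hostnames to try for this domain
    group: str            # NT group the second helper checks membership of
    lookup_user: str      # credentials the group-check helper gives rpcclient
    lookup_password: str


def parse_config(text):
    """Parse the config into a dict keyed by lower-cased domain (assumption:
    NT domain names are matched case-insensitively). Malformed lines raise."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4 or "%" not in fields[3]:
            raise ValueError(f"config line {lineno}: expected 'domain dcs group user%password'")
        domain, dcs, group, cred = fields
        user, _, password = cred.partition("%")
        entries[domain.lower()] = DomainEntry(domain, tuple(dcs.split(",")), group, user, password)
    return entries


def select_pdc(squid_line, config):
    """Split a 'DOMAIN\\USER password' or 'DOMAIN\\USER' helper line and pick
    the matching config entry. Returns (entry, user, password-or-None), or
    None when the line is malformed or the domain is not configured."""
    line = squid_line.rstrip("\n")
    m = re.fullmatch(r"([^\\\s]+)\\(\S+)(?: (.*))?", line)
    if not m:
        return None
    domain, user, password = m.groups()
    entry = config.get(domain.lower())
    if entry is None:
        return None
    return entry, user, password
```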

From: Robert Collins <robertc@squid-cache.org>
Sent by: squid-dev-return-8683-michele.de-martin=electrolux.it@squid-cache.org
Date: 04/22/2003 11:17 PM
To: Michele De Martin/Electrolux IT Solutions/Italy/Electrolux Group@Electrolux
cc: squid-dev@squid-cache.org
Subject: Re: squid3 PRE1 ?

On Tue, 2003-04-22 at 20:28, michele.de-martin@electrolux.it wrote:
> Hi everybody.
>
> Can I ask if it is possible to apply the following patch to
> "src/auth/ntlm/auth_ntlm.c"?
> It is useful for the multiple non-trusted domain authentication I am
> working on.

Well, it's surely not sufficient, because you'll have a different
challenge in squid for each domain, and there is no logic to handle
this. Also, as the challenge is sent before you know the user's domain,
there is no way to pick and choose in advance.

I'll apply this as part of a series of patches - once the way you have
solved the above challenges becomes clear. For now, it's not obvious
that this is the right way, and there are plenty of reasons to think
it's not.

So, no, I won't apply this for squid-3.0. I am interested in seeing what
you come up with however.

Cheers,
Rob

--
GPG key available at: <http://users.bigpond.net.au/robertc/keys.txt>.

Received on Wed Apr 23 2003 - 02:45:47 MDT
