[squid-users] Problems using NTLM

From: <Sascha.Hemmerling@dont-contact.us>
Date: Fri, 25 May 2001 14:46:40 +0200

Hi !

I'm trying to get ntlm to work, but there seem to be some problems.
Maybe someone can help me solve the problem.

I'm using Solaris 7, squid-head-200105222300, ntlm-patch applied.

The PDC runs on NT4, SP4.
I'm using IE4, NT4 and IE5, W2000 as clients. (I encountered different
problems using different clients...)

I did the configure using the following arguments:

        ./configure --prefix=/opt/IOIsquid-2.5-20010522 --with-pthreads \
                --enable-auth=basic,ntlm \
                --enable-basic-auth-helpers=LDAP,PAM,YP,MSNT \
                --enable-ntlm-auth-helpers=NTLMSSP --enable-ntlm-fail-open \
                --enable-underscores

After adding the following lines to
src/auth/basic/helpers/MSNT/confload.c:

        #ifndef LOG_AUTHPRIV
        #define LOG_AUTHPRIV LOG_AUTH
        #endif

the compilation also worked for Solaris.
It seems that these lines got lost somehow, because they had been in the squid
2.4 branch.

Installation worked fine. Then I made changes to the squid.conf as
described in the ntlm-faq.
Here comes the squid.conf (only the differences between squid.conf and
squid.conf.default):

        http_port 8080
        cache_dir ufs /var/squid/cache 100 16 256
        cache_access_log /var/log/squid/access.log
        cache_log /var/log/squid/cache.log
        cache_store_log /var/log/squid/store.log
        pid_filename /tmp/squid.pid
        auth_param ntlm program /opt/IOIsquid-2.5-20010522/libexec/squid/ntlm_auth -l PROXY\PROXYAUTH
        auth_param ntlm children 5
        auth_param ntlm max_challenge_reuses 0
        auth_param ntlm max_challenge_lifetime 2 minutes
        acl password proxy_auth REQUIRED
        http_access allow password
        coredump_dir /var/log/squid/cache

Because I also compiled MSNT in, I tried first to connect to the PDC using
MSNT on command line to see if connection could be established somehow:

         /opt/IOIsquid-2.5-20010522/libexec/squid/msnt_auth
        hauke secret
        OK
        foo bar
        ERR

That looks like it's working.

Then I started squid and got the following start-up messages:

# /opt/IOIsquid-2.5-20010522/bin/squid -Nd3

        2001/05/25 13:23:31| Starting Squid Cache version 2.5.DEVEL for sparc-sun-solaris2.7...
        2001/05/25 13:23:31| Process ID 17731
        2001/05/25 13:23:31| With 1024 file descriptors available
        2001/05/25 13:23:31| Performing DNS Tests...
        2001/05/25 13:23:31| Successful DNS name lookup tests...
        2001/05/25 13:23:31| DNS Socket created on FD 6
        2001/05/25 13:23:31| Adding nameserver 172.30.8.186 from /etc/resolv.conf
        2001/05/25 13:23:31| helperStatefulOpenServers: Starting 5 'ntlm_auth' processes
        2001/05/25 13:23:32| Unlinkd pipe opened on FD 16
        2001/05/25 13:23:32| Swap maxSize 102400 KB, estimated 7876 objects
        2001/05/25 13:23:32| Target number of buckets: 393
        2001/05/25 13:23:32| Using 8192 Store buckets
        2001/05/25 13:23:32| Max Mem size: 8192 KB
        2001/05/25 13:23:32| Max Swap size: 102400 KB
        2001/05/25 13:23:32| Rebuilding storage in /var/squid/cache (CLEAN)
        2001/05/25 13:23:32| Using Least Load store dir selection
        2001/05/25 13:23:32| Set Current Directory to /var/log/squid/cache
        2001/05/25 13:23:32| Loaded Icons.
        2001/05/25 13:23:32| Accepting HTTP connections at 0.0.0.0, port 8080, FD 17.
        2001/05/25 13:23:32| Accepting ICP messages at 0.0.0.0, port 3130, FD 18.
        2001/05/25 13:23:32| WCCP Disabled.
        2001/05/25 13:23:32| Ready to serve requests.
        2001/05/25 13:23:36| Done scanning /var/squid/cache swaplog (0 entries)
        2001/05/25 13:23:36| Finished rebuilding storage from disk.
        2001/05/25 13:23:36| 0 Entries scanned
        2001/05/25 13:23:36| 0 Invalid entries.
        2001/05/25 13:23:36| 0 With invalid flags.
        2001/05/25 13:23:36| 0 Objects loaded.
        2001/05/25 13:23:36| 0 Objects expired.
        2001/05/25 13:23:36| 0 Objects cancelled.
        2001/05/25 13:23:36| 0 Duplicate URLs purged.
        2001/05/25 13:23:36| 0 Swapfile clashes avoided.
        2001/05/25 13:23:36| Took 4.3 seconds ( 0.0 objects/sec).
        2001/05/25 13:23:36| Beginning Validation Procedure
        2001/05/25 13:23:36| Completed Validation Procedure
        2001/05/25 13:23:36| Validated 0 Entries
        2001/05/25 13:23:36| store_swap_size = 21k
        2001/05/25 13:23:37| storeLateRelease: released 0 objects

After that I tried to connect using ntlm, logged on as user hauke,
password secret and the domain PROXY on NT4, and started IE4.
I've got the following results:

        ntlm-auth[13106](ntlm_auth.c:264): managing request
        ntlm-auth[13106](ntlm_auth.c:270): ntlm authenticator. Got 'YR' from Squid
        ntlm-auth[13106](ntlm_auth.c:219): obtain_challenge: getting new challenge
        ntlm-auth[13106](ntlm_auth.c:223): getting challenge from PROXY\PROXYAUTH (attempt no. 1)
        ntlm-auth[13106](libntlmssp.c:114): Connecting to server PROXYAUTH domain PROXY
        ntlm-auth[13106](ntlm_auth.c:225): make_challenge retuned 358f8
        ntlm-auth[13106](ntlm_auth.c:227): Got it
        ntlm-auth[13106](ntlm_auth.c:404): sending 'TT TlRMTVNTUAACAAAAAAUABQAAACiCgkEADwowlnIzvkkAAAAAAAAAAFBST1hZ' to squid
        ntlm-auth[13106](ntlm_auth.c:264): managing request
        ntlm-auth[13106](ntlm_auth.c:270): ntlm authenticator. Got 'KK TlRMTVNTUAADAAAAGAAYAFMAAAAYABgAawAAAAUABQBAAAAABQAFAEUAAAAJAAkASgAAAAAAAACDAAAAgoIAAFBST1hZSEFVS0VQUk9YWUFVVEiU1qS+Dh3ZeQM7ZUA2HnHZ31NUA/OSY9d9nBKxVXI512Itbb3C8mWjV5lYV4qF6dw=' from Squid
        ntlm-auth[13106](ntlm_auth.c:388): sending 'BH unknown authentication packet type' to squid
        2001/05/25 09:15:08| authenticateNTLMDirection: called before NTLM Authenticate!. Report a bug to quid-dev.

Then I've got a pop-up Window asking for username and password.
I've typed in "hauke" and "secret" and got the same result.

I also tried using IE5 on W2k; there I've got nearly the same messages, but
it seems to stop earlier somehow:

        ntlm-auth[13106](ntlm_auth.c:264): managing request
        ntlm-auth[13106](ntlm_auth.c:270): ntlm authenticator. Got 'YR' from Squid
        ntlm-auth[13106](ntlm_auth.c:219): obtain_challenge: getting new challenge
        ntlm-auth[13106](ntlm_auth.c:223): getting challenge from PROXY\PROXYAUTH (attempt no. 1)
        ntlm-auth[13106](libntlmssp.c:114): Connecting to server PROXYAUTH domain PROXY
        ntlm-auth[13106](ntlm_auth.c:225): make_challenge retuned 358f8
        ntlm-auth[13106](ntlm_auth.c:227): Got it
        ntlm-auth[13106](ntlm_auth.c:404): sending 'TT TlRMTVNTUAACAAAAAAUABQAAACiCgkEADwowlnIzvkkAAAAAAAAAAFBST1hZ' to squid

Does anyone have suggestions ?
I've searched the whole mailing-list archive without finding a solution.

Any help is appreciated.

Sascha

-- 
Received on Fri May 25 2001 - 06:49:38 MDT
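
Added example, not part of the original post and not Squid's own code: a decoder for the two base64 NTLMSSP blobs in the helper log above. It reads each security buffer (length, max length, offset) as little-endian, the NTLMSSP wire order, and falls back to big-endian to flag a header written in host byte order; `decode`, `read_buffer` and the field labels are names chosen for this example.

```python
import base64
import struct

# Copied from the ntlm_auth debug output in the post: the helper's 'TT'
# challenge and the 'KK' reply that IE4 sent back.
TYPE2_FROM_LOG = "TlRMTVNTUAACAAAAAAUABQAAACiCgkEADwowlnIzvkkAAAAAAAAAAFBST1hZ"
TYPE3_FROM_LOG = (
    "TlRMTVNTUAADAAAAGAAYAFMAAAAYABgAawAAAAUABQBAAAAABQAFAEUAAAAJAAkASgAAAAAA"
    "AACDAAAAgoIAAFBST1hZSEFVS0VQUk9YWUFVVEiU1qS+Dh3ZeQM7ZUA2HnHZ31NUA/OSY9d9"
    "nBKxVXI512Itbb3C8mWjV5lYV4qF6dw="
)

SIGNATURE = b"NTLMSSP\x00"
# Position of each 8-byte security buffer (len, maxlen, offset) by message type.
BUFFERS = {
    2: {"target": 12},
    3: {"lm_response": 12, "nt_response": 20, "domain": 28,
        "user": 36, "workstation": 44},
}

def read_buffer(msg, pos, order):
    """Return the bytes a security buffer points at, or None if out of range."""
    if pos + 8 > len(msg):
        return None
    length, _maxlen, offset = struct.unpack_from(order + "HHI", msg, pos)
    if offset + length > len(msg):
        return None
    return msg[offset:offset + length]

def decode(blob_b64):
    """Decode one base64 NTLMSSP message and note each buffer's byte order."""
    msg = base64.b64decode(blob_b64, validate=True)
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]  # wire format is little-endian
    fields = {}
    for name, pos in BUFFERS.get(mtype, {}).items():
        for label, order in (("little", "<"), ("big", ">")):
            data = read_buffer(msg, pos, order)
            if data is not None:
                fields[name] = (label, data)
                break
        else:
            fields[name] = ("invalid", b"")
    return {"type": mtype, "length": len(msg), "fields": fields}

if __name__ == "__main__":
    for blob in (TYPE2_FROM_LOG, TYPE3_FROM_LOG):
        print(decode(blob))
```

On the blobs from this log, the Type 3 reply from IE4 decodes as little-endian (domain PROXY, user HAUKE, workstation PROXYAUTH), while the helper's Type 2 challenge yields its target name PROXY only when the buffer is read as big-endian.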
