Hi,
Thanks for your reply. Also, where can I find your code. I tried to
browse the CVS but failed to find the
winbind based auth helper!
Thanks,
Sonit Jain
----- Original Message -----
From: Chemolli Francesco (USI)
To: 'Sonit Jain' ; Squid Users
Sent: Monday, November 26, 2001 4:33 PM
Subject: RE: [squid-users] NTLM issues
No.
Sometimes the DC will shut the door on us, with no explanation.
If you enable last-ditch (--enable-helper-fail-open and -l command-line
option) such
errors will be considered temporary and be let through. Careful though,
since as
of now I have reports that such errors include:
- user entering a blank password
- user entering an old password
- user having been renamed
If you disable helper-fail-open (just remove the -l switch to the ntlm_auth
helper)
such errors will cause an auth-failure. Unfortunately those errors ALSO
happen
when the user has entered the correct username and password, so
sometimes(often) somebody will get an unwarranted auth-failure.
There is some code in the CVS ntlm branch that tries to explicitly catch
the blank-password case.
I am currently working on a winbind-based auth-helper which uses entirely
different
API to perform the authentication, however there are problems (currently
being
addressed with the Samba team). If you're daring, please test it. You'll
require
samba-HEAD from CVS.
P.S. Sorry for the outlook-style answer (yuck). Unfortunately proper quoting
is
impossible when replying to an HTML-formatted post. Please use plain text
in the future when posting to mailing-lists.
-- /kinkie -----Original Message----- From: Sonit Jain [mailto:sonit@gajshield.com] Sent: Friday, November 23, 2001 11:15 AM To: Squid Users Subject: [squid-users] NTLM issues I have installed squid-develop version 5 with NTLM authentication. My configuration file looks like this auth_param ntlm program /usr/squid/libexec/squid/ntlm_auth -l -b DOM/PDC DOM/BDC1 DOM/BDC2 auth_param ntlm children 7 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes I get the following errors ntlm-auth[10159](libntlmssp.c:231): Login attempt had result -1 ntlm-auth[10159](ntlm_auth.c:321): No creds. SMBlib error 1, SMB error class 1, SMB error code 5, NB error 4 ntlm-auth[10159](ntlm_auth.c:108): sending 'LD dom\user' to squid NetBios error code 4 (RFCNBE_BadWrite: Write system call returned an error. Chec k errno.) If I decrease the number of childrens to 3, it works fine, but since I have about 100+ users, most of the time their request will be queued or denied. Is there any solution to the above problem. Do I need to change some settings on the domain controllers ? Thanks, Sonit JainReceived on Mon Nov 26 2001 - 06:51:22 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:04:31 MST