Re: [squid-users] NTLM issues

From: Sonit Jain <sonit@dont-contact.us>
Date: Mon, 26 Nov 2001 19:29:55 +0530

Hi,
    Thanks for your reply. Also, where can I find your code? I tried to
    browse the CVS but failed to find the winbind based auth helper!

Thanks,
Sonit Jain

----- Original Message -----
From: Chemolli Francesco (USI)
To: 'Sonit Jain' ; Squid Users
Sent: Monday, November 26, 2001 4:33 PM
Subject: RE: [squid-users] NTLM issues

No.
Sometimes the DC will shut the door on us, with no explanation.
If you enable last-ditch (--enable-helper-fail-open and -l command-line
option) such errors will be considered temporary and be let through.
Careful though, since as of now I have reports that such errors include:
- user entering a blank password
- user entering an old password
- user having been renamed

If you disable helper-fail-open (just remove the -l switch to the ntlm_auth
helper) such errors will cause an auth-failure. Unfortunately those errors
ALSO happen when the user has entered the correct username and password, so
sometimes (often) somebody will get an unwarranted auth-failure.

There is some code in the CVS ntlm branch that tries to explicitly catch
the blank-password case.

I am currently working on a winbind-based auth-helper which uses an entirely
different API to perform the authentication, however there are problems
(currently being addressed with the Samba team). If you're daring, please
test it. You'll require samba-HEAD from CVS.

P.S. Sorry for the outlook-style answer (yuck). Unfortunately proper quoting
is impossible when replying to an HTML-formatted post. Please use plain text
in the future when posting to mailing-lists.

--
        /kinkie

-----Original Message-----
From: Sonit Jain [mailto:sonit@gajshield.com]
Sent: Friday, November 23, 2001 11:15 AM
To: Squid Users
Subject: [squid-users] NTLM issues

I have installed squid-develop version 5 with NTLM authentication. My
configuration file looks like this:

auth_param ntlm program /usr/squid/libexec/squid/ntlm_auth -l -b DOM/PDC DOM/BDC1 DOM/BDC2
auth_param ntlm children 7
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

I get the following errors:

ntlm-auth[10159](libntlmssp.c:231): Login attempt had result -1
ntlm-auth[10159](ntlm_auth.c:321): No creds. SMBlib error 1, SMB error class 1, SMB error code 5, NB error 4
ntlm-auth[10159](ntlm_auth.c:108): sending 'LD dom\user' to squid
NetBios error code 4 (RFCNBE_BadWrite: Write system call returned an error. Check errno.)

If I decrease the number of children to 3, it works fine, but since I have
about 100+ users, most of the time their request will be queued or denied.

Is there any solution to the above problem? Do I need to change some
settings on the domain controllers?

Thanks,
Sonit Jain
Received on Mon Nov 26 2001 - 06:51:22 MST
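
Added example, not part of the original thread and not Squid's own code: a small audit script that reads ntlm_auth debug lines in the format quoted in the first post and lists every 'LD' reply, so an operator running the helper with -l can see which users were let through after a DC error. It assumes that an 'LD' reply marks a last-ditch (fail-open) admission, as the reply and the log excerpt suggest; the 'AF' line and the second 'LD' line in the sample are constructed.

```python
import re
from collections import Counter

# Line shape taken from the log excerpt in the original post:
#   ntlm-auth[PID](file.c:LINE): message
LINE_RE = re.compile(r"^ntlm-auth\[(\d+)\]\(([\w.]+):(\d+)\): (.*)$")
REPLY_RE = re.compile(r"^sending '(\w\w) ([^']*)' to squid$")
SMB_RE = re.compile(r"SMB error class (\d+), SMB error code (\d+), NB error (\d+)")

def find_fail_open(lines):
    """Return one record per 'LD' reply, paired with the SMB error the
    same helper process logged just before it (None if there was none)."""
    last_error = {}  # pid -> (smb_class, smb_code, nb_error)
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(4)
        err = SMB_RE.search(msg)
        if err:
            last_error[pid] = tuple(int(x) for x in err.groups())
            continue
        reply = REPLY_RE.match(msg)
        if reply:
            code, user = reply.groups()
            if code == "LD":  # assumption: LD = last-ditch admission
                hits.append({"pid": pid, "user": user.lower(),
                             "smb_error": last_error.get(pid)})
            last_error.pop(pid, None)  # an error belongs to one exchange
    return hits

def summarize(hits):
    """Count fail-open admissions per (case-folded) DOMAIN\\user."""
    return Counter(h["user"] for h in hits)

# First three lines are from the post (unwrapped); the rest are constructed.
SAMPLE = [
    r"ntlm-auth[10159](libntlmssp.c:231): Login attempt had result -1",
    r"ntlm-auth[10159](ntlm_auth.c:321): No creds. SMBlib error 1, "
    r"SMB error class 1, SMB error code 5, NB error 4",
    r"ntlm-auth[10159](ntlm_auth.c:108): sending 'LD dom\user' to squid",
    r"ntlm-auth[10160](ntlm_auth.c:108): sending 'AF dom\alice' to squid",
    r"ntlm-auth[10159](ntlm_auth.c:108): sending 'LD DOM\User' to squid",
]

if __name__ == "__main__":
    for hit in find_fail_open(SAMPLE):
        print(hit)
    print(summarize(find_fail_open(SAMPLE)))
```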

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:04:31 MST