Pleanty of users use ntlm.
A guess is that your client does not trust the proxy server with
automatic NTLM authentication. If I am not mistaken the best results is
seen when it's configured with a shortname to the proxy (servername
without domain).
On sön, 2008-06-22 at 18:42 +0100, Markus Moeller wrote:
> Does nobody use ntlm_auth ?
>
> Markus
>
> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
> news:g317rp$9v7$1_at_ger.gmane.org...
> >I am trying to authenticate users with ntlm_auth but fail and don't find
> >the reason. I see the initial NTLM challenge, but then the Browser doesn't
> >continue the next NTLM step ( at least that is what I think happens)
> >
> > Any idea what I did wrong ?
> >
> > Thank you
> > Markus
> >
> > uname -a
> > Linux Opensuse 2.6.22.17-0.1-default #1 SMP 2008/02/10 20:01:04 UTC i686
> > i686 i386 GNU/Linux
> > Opensuse:~ # cat /etc/SuSE-release
> > openSUSE 10.3 (i586)
> > VERSION = 10.3
> >
> > squid -v
> > Squid Cache: Version 2.6.STABLE14
> > configure options: '--prefix=/usr' '--sysconfdir=/etc/squid'
> > '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var'
> > '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid'
> > '--mandir=/usr/share/man' '--with-dl' '--with-maxfd=4096'
> > '--with-valgrind-debug' '--enable-snmp' '--enable-carp'
> > '--enable-auth=basic digest negotiate ntlm'
> > '--enable-basic-auth-helpers=LDAP MSNT NCSA PAM SMB YP getpwnam
> > multi-domain-NTLM' '--enable-ntlm-auth-helpers=SMB fakeauth no_check'
> > '--enable-digest-auth-helpers=ldap password'
> > '--enable-external-acl-helpers=ip_user ldap_group session unix_group
> > wbinfo_group' '--enable-ntlm-fail-open' '--enable-arp-acl' '--enable-htcp'
> > '--enable-underscores' '--enable-stacktraces' '--enable-delay-pools'
> > '--enable-useragent-log' '--enable-referer-log' '--enable-forward-log'
> > '--enable-multicast-miss' '--enable-ssl' '--enable-cache-digests'
> > '--enable-auth-on-acceleration'
> > '--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-linux-netfilter'
> > '--enable-removal-policies=heap,lru' '--enable-icmp'
> > '--with-samba-sources=/usr/include/samba' '--enable-large-cache-files'
> > '--enable-x-accelerator-vary' '--enable-follow-x-forwarded-for'
> > 'CFLAGS=-O2 -march=i586 -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2
> > -fstack-protector -g -fPIE -DLDAP_DEPRECATED -fno-strict-aliasing'
> > 'LDFLAGS=-pie'
> >
> >
> > squid.conf:
> >
> > http_port 3128
> > hierarchy_stoplist cgi-bin ?
> > acl QUERY urlpath_regex cgi-bin \?
> > cache deny QUERY
> > acl apache rep_header Server ^Apache
> > broken_vary_encoding allow apache
> > access_log /var/log/squid/access.log squid
> > auth_param ntlm program /usr/sbin/ntlm_auth -d WIN2003R2\\w2k3r2
> > auth_param ntlm children 5
> > auth_param ntlm keep_alive on
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern . 0 20% 4320
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443 8333
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 # https
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl CONNECT method CONNECT
> > acl authenticated proxy_auth REQUIRED
> > http_access allow manager localhost
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost
> > http_access allow authenticated
> > http_access deny all
> > icp_access allow all
> > coredump_dir /var/cache/squid
> >
> > cache.log
> >
> > ntlm_auth[8452](ntlm_auth.c:284): managing request
> > ntlm_auth[8452](ntlm_auth.c:290): ntlm authenticator. Got 'YR
> > TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD1dJTlhQV0lOMjAwM1Iy'
> > from Squid
> > ntlm_auth[8452](ntlm_auth.c:239): obtain_challenge: selecting
> > WIN2003R2\W2K3R2 (attempt #1)
> > ntlm_auth[8452](ntlm_auth.c:251): attempting challenge retrieval
> > ntlm_auth[8452](libntlmssp.c:119): Connecting to server W2K3R2 domain
> > WIN2003R2
> > ntlm_auth[8452](ntlm_auth.c:253): make_challenge retuned 0x8000ef60
> > ntlm_auth[8452](ntlm_auth.c:255): Got it
> > ntlm_auth[8452](ntlm_auth.c:437): sending 'TT
> > TlRMTVNTUAACAAAACQAJACgAAACCgkEAyigxBxKJUqQAAAAAAAAAAFdJTjIwMDNSMg==' to
> > squid
> >
> >
> > Wireshark capture:
> >
> > GET http://www.bbc.co.uk/ HTTP/1.1
> > Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> > application/x-shockwave-flash, */*
> > Accept-Language: en-us
> > UA-CPU: x86
> > Accept-Encoding: gzip, deflate
> > User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
> > 2.0.50727)
> > Proxy-Authorization: NTLM
> > TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD1dJTlhQV0lOMjAwM1Iy
> > Proxy-Connection: Keep-Alive
> > Host: www.bbc.co.uk
> >
> > HTTP/1.0 407 Proxy Authentication Required
> > Server: squid/2.6.STABLE14
> > Date: Sat, 14 Jun 2008 18:55:14 GMT
> > Content-Type: text/html
> > Content-Length: 1310
> > Expires: Sat, 14 Jun 2008 18:55:14 GMT
> > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> > Proxy-Authenticate: NTLM
> > TlRMTVNTUAACAAAACQAJACgAAACCgkEAiqcyv4MUME0AAAAAAAAAAFdJTjIwMDNSMg==
> > X-Cache: MISS from opensuse.suse.home
> > X-Cache-Lookup: NONE from opensuse.suse.home:3128
> > Via: 1.0 opensuse.suse.home:3128 (squid/2.6.STABLE14)
> > Proxy-Connection: keep-alive
> >
> > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
> > "http://www.w3.org/TR/html4/loose.dtd">
> > <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;
> > charset=iso-8859-1">
> > <TITLE>ERROR: Cache Access Denied</TITLE>
> > <STYLE
> > type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
> > </HEAD>
> > <BODY>
> > <H1>ERROR</H1>
> > <H2>Cache Access Denied</H2>
> > <HR noshade size="1px">
> > <P>
> > While trying to retrieve the URL:
> > http://www.bbc.co.uk/
> > <P>
> > The following error was encountered:
> > <UL>
> > <LI>
> > <STRONG>
> > Cache Access Denied.
> > </STRONG>
> > </UL>
> > </P>
> >
> > <P>Sorry, you are not currently allowed to request:
> > <PRE> http://www.bbc.co.uk/</PRE>
> > from this cache until you have authenticated yourself.
> > </P>
> >
> > <P>
> > You need to use Netscape version 2.0 or greater, or Microsoft Internet
> > Explorer 3.0, or an HTTP/1.1 compliant browser for this to work. Please
> > contact the <A HREF="mailto:webmaster">cache administrator</a> if you have
> > difficulties authenticating yourself or
> > change your
> > default password.
> > </P>
> >
> > <BR clear="all">
> > <HR noshade size="1px">
> > <ADDRESS>
> > Generated Sat, 14 Jun 2008 18:55:14 GMT by opensuse.suse.home
> > (squid/2.6.STABLE14)
> > </ADDRESS>
> >
> > squid server is part of domain (e.g. wbinfo -g works fine)
> >
> > wbinfo -g
> > WIN2003R2\iis_wpg
> > WIN2003R2\session directory computers
> > WIN2003R2\domain computers
> > WIN2003R2\domain controllers
> > WIN2003R2\schema admins
> > WIN2003R2\enterprise admins
> > WIN2003R2\cert publishers
> > WIN2003R2\domain admins
> > WIN2003R2\domain users
> > WIN2003R2\domain guests
> > WIN2003R2\group policy creator owners
> > WIN2003R2\ras and ias servers
> > WIN2003R2\dnsadmins
> > WIN2003R2\dnsupdateproxy
> > WIN2003R2\certsvc_dcom_access
> > WIN2003R2\win2003r2users
> > WIN2003R2\sqlserver2005sqlbrowseruser$w2k3r2
> > WIN2003R2\sqlserver2005mssqlserveradhelperuser$w2k3r2
> > WIN2003R2\sqlserver2005mssqluser$w2k3r2$sqlexpress
> > WIN2003R2\solarisgroup
> > WIN2003R2\susegroup
> > WIN2003R2\squid_allow
> >
> >
> >
> >
>
Received on Sun Jun 22 2008 - 19:07:56 MDT
This archive was generated by hypermail 2.2.0 : Mon Jun 23 2008 - 12:00:05 MDT