RE: [SQU] NTLM Error

From: Robert Collins <robert.collins@dont-contact.us>
Date: Thu, 22 Feb 2001 09:50:55 +1100

> -----Original Message-----
> From: Wood, Jeremy [mailto:WoodJ@metatec.com]
> Sent: Thursday, February 22, 2001 6:01 AM
> To: 'Craig Fels'; 'squid-users@ircache.net'
> Subject: RE: [SQU] NTLM Error
>
>
> I just downloaded the new code today. Same code you are using. I am using
> NTLMSSP as the helper. I have double checked the compile options. See, I
> need to have true authentication working because not every user on our
> domain is allowed to have proxy access. Only users in certain groups are
> allowed to have it. So I need to check if they are in the correct group
> before they have proxy access. Right now we are using MS Proxy 2.0 and it
> works with NTLM, group permissions, and it is transparent to the user. That
> is what I am trying to get out of squid so I can get rid of that NT box. I
> fear I may end up coding something myself which should only take me a couple
> years considering my experience ;-) In other words, I stink at coding so I
> was hoping to be able to throw some things together to make this work.
>
> ----Jer
>

You have two choices:
1) define your groups in squid
acl group1 proxy_auth domain\user1 domain\user2 domain\user3
Note that these can be in a separate file, and a cron job can update
that file. You can also reconfigure just a single acl with a patch from
Henrik (see squid.sourceforge.net).

2) extend the NTLMSSP helper to retrieve group information, and then
check the group membership in the NTLMSSP helper. You can't do this in
squid just yet (but if you can get the group list for a user, I'll
happily look at adding dynamic group support to the authentication
framework), something like:
auth_param group_support ntlm
acl username proxy_auth REQUIRED
acl group1 user_group domain_admins
acl group2 user_group restricted_users

You _cannot_ use the hack job done with the smb_auth basic helper
because the NTLMSSP helper never knows the user's password (and thus
cannot log onto an arbitrary share). It _might_ be possible to use the
established connection to do this, but no guesses :]

Rob
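Added example, not part of the original thread and not Squid's own code: it shows option 1 above end to end. A constructed group listing (standing in for whatever the cron job pulls from the domain) is written out as one user file per group, in the one-DOMAIN\user-per-line form that `acl <name> proxy_auth "/path/file"` reads; the matching `acl`/`http_access` lines are rendered; and a small evaluator mirrors how Squid would then decide for an authenticated user. The group names, user names and the scratch directory are all made up for the example, and the case-sensitive comparison assumes the acl is declared without `-i`.

```python
import os
import tempfile

# Constructed sample standing in for what a domain group query (run from cron)
# would return: group name -> members in the DOMAIN\user form that Squid's
# proxy_auth acl compares against. All names here are made up for the example.
SAMPLE_GROUPS = {
    "proxy_users": ["METATEC\\jwood", "METATEC\\cfels"],
    "domain_admins": ["METATEC\\administrator"],
}


def write_acl_files(groups, acl_dir):
    """Write one file per group, one DOMAIN\\user per line, in the format
    'acl <name> proxy_auth "/path/file"' reads. Returns {group: path}.
    Each file is written under a temp name and renamed into place so a
    'squid -k reconfigure' racing the cron job never reads a half file."""
    paths = {}
    for group, members in groups.items():
        path = os.path.join(acl_dir, f"{group}.txt")
        tmp = path + ".tmp"
        with open(tmp, "w") as fh:
            fh.write("# generated from domain group membership; do not edit\n")
            for user in sorted(set(members)):
                fh.write(user + "\n")
        os.replace(tmp, path)
        paths[group] = path
    return paths


def load_acl_file(path):
    """Read a user file back, skipping blank lines and '#' comments."""
    users = set()
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                users.add(line)
    return users


def squid_conf_fragment(paths, allow_groups):
    """Render the acl and http_access lines that tie the files into squid.conf.
    Order matters: the allowed groups come first, everything else is denied."""
    lines = ["acl authed proxy_auth REQUIRED"]
    for group, path in paths.items():
        lines.append(f'acl {group} proxy_auth "{path}"')
    for group in allow_groups:
        lines.append(f"http_access allow {group}")
    lines.append("http_access deny all")
    return "\n".join(lines)


def proxy_allowed(user, group_users, allow_groups):
    """Mirror the http_access evaluation above for an authenticated user.
    proxy_auth compares names case-sensitively unless the acl uses -i, so
    this check is case-sensitive as well (an assumption for this example)."""
    if not user:  # no credentials at all: proxy_auth REQUIRED fails
        return False
    return any(user in group_users[g] for g in allow_groups)


def run_demo(groups=SAMPLE_GROUPS, allow_groups=("proxy_users",)):
    """Generate the files into a scratch directory, read them back the way
    Squid would, and return the decisions for a few sample users."""
    acl_dir = tempfile.mkdtemp(prefix="squid-acl-")  # constructed scratch dir
    paths = write_acl_files(groups, acl_dir)
    group_users = {g: load_acl_file(p) for g, p in paths.items()}
    sample_users = ["METATEC\\jwood", "METATEC\\Jwood", "METATEC\\administrator", ""]
    decisions = {u: proxy_allowed(u, group_users, allow_groups) for u in sample_users}
    return {
        "paths": paths,
        "group_users": group_users,
        "conf": squid_conf_fragment(paths, allow_groups),
        "decisions": decisions,
    }


if __name__ == "__main__":
    result = run_demo()
    print(result["conf"])
    for user, ok in result["decisions"].items():
        print(f"{user or '<unauthenticated>'}: {'allow' if ok else 'deny'}")
```

The atomic rename and the `deny all` at the end are the two details worth keeping when wiring this to a real cron job: a partially written file silently shrinks the allowed set, and a missing final deny turns a group check into no check at all.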

Received on Wed Feb 21 2001 - 15:59:56 MST
