RE: [squid-users] NTLM issues from Chemolli Francesco (USI) on 2001-11-26 (squid-users)

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Mon, 26 Nov 2001 12:03:09 +0100

No.
Sometimes the DC will shut the door on us, with no explanation.
If you enable last-ditch (--enable-helper-fail-open and -l command-line
option) such
errors will be considered temporary and be let through. Careful though,
since as
of now I have reports that such errors include:
- user entering a blank password
- user entering an old password
- user having been renamed

If you disable helper-fail-open (just remove the -l switch to the ntlm_auth
helper)
such errors will cause an auth-failure. Unfortunately those errors ALSO
happen
when the user has entered the correct username and password, so
sometimes(often) somebody will get an unwarranted auth-failure.

There is some code in the CVS ntlm branch that tries to explicitly catch
the blank-password case.

I am currently working on a winbind-based auth-helper which uses entirely
different
API to perform the authentication, however there are problems (currently
being
addressed with the Samba team). If you're daring, please test it. You'll
require
samba-HEAD from CVS.

P.S. Sorry for the outlook-style answer (yuck). Unfortunately proper quoting
is
impossible when replying to an HTML-formatted post. Please use plain text
in the future when posting to mailing-lists.

--
        /kinkie 
-----Original Message-----
From: Sonit Jain [mailto:sonit@gajshield.com]
Sent: Friday, November 23, 2001 11:15 AM
To: Squid Users
Subject: [squid-users] NTLM issues
I have installed squid-develop version 5 with NTLM authentication. My
configuration file looks like this

auth_param ntlm program /usr/squid/libexec/squid/ntlm_auth -l -b DOM/PDC
DOM/BDC1 DOM/BDC2
auth_param ntlm children 7
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

I get the following errors

ntlm-auth[10159](libntlmssp.c:231): Login attempt had result -1
ntlm-auth[10159](ntlm_auth.c:321): No creds. SMBlib error 1, SMB error class
1,
SMB error code 5, NB error 4
ntlm-auth[10159](ntlm_auth.c:108): sending 'LD dom\user' to squid
NetBios error code 4 (RFCNBE_BadWrite: Write system call returned an error.
Chec
k errno.)

If I decrease the number of childrens to 3, it works fine, but since I have
about 100+ users, most of the time
their request will be queued or denied.

Is there any solution to the above problem. Do I need to change some
settings on the domain controllers ?

Thanks,
Sonit Jain

Received on Mon Nov 26 2001 - 03:52:00 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:04:31 MST