---------------------
PatchSet 6046
Date: 2003/11/20 22:16:18
Author: serassio
Branch: nt-2_5
Tag: (none)
Log:
Added configurable support for ntlm NEGOTIATE packet
Members:
 src/cf.data.pre:1.49.2.5.4.40->1.49.2.5.4.41
 src/auth/ntlm/auth_ntlm.c:1.18.2.1.4.5->1.18.2.1.4.6
 src/auth/ntlm/auth_ntlm.h:1.8->1.8.10.1
Index: squid/src/cf.data.pre
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/cf.data.pre,v
retrieving revision 1.49.2.5.4.40
retrieving revision 1.49.2.5.4.41
diff -u -r1.49.2.5.4.40 -r1.49.2.5.4.41
--- squid/src/cf.data.pre 8 Nov 2003 13:38:35 -0000 1.49.2.5.4.40
+++ squid/src/cf.data.pre 20 Nov 2003 22:16:18 -0000 1.49.2.5.4.41
@@ -1,6 +1,6 @@
 #
-# $Id: cf.data.pre,v 1.49.2.5.4.40 2003/11/08 13:38:35 serassio Exp $
+# $Id: cf.data.pre,v 1.49.2.5.4.41 2003/11/20 22:16:18 serassio Exp $
 #
 #
 # SQUID Web Proxy Cache http://www.squid-cache.org/
@@ -1421,6 +1421,21 @@
 AND the number of reused challenges.
 auth_param ntlm max_challenge_lifetime 2 minutes
+ "use_ntlm_negotiate" on|off
+ * Windows port specific *
+ Enables support for NTLM NEGOTIATE packet.
+ Needed by ntlm_auth.exe Windows native ntlm authenticator.
+ This allow too the use of NTLMv2 protocol.
+ Enabling this parameter will also solve problems encountered when
+ NT domain policies restrict users to access only certain
+ workstations. When this is off, all users must be allowed to log
+ on the proxy servers too, or they'll get "invalid workstation"
+ errors - and access denied - when trying to use Squid's services.
+ Use of ntlm NEGOTIATE is incompatible with challenge reuse, so
+ enabling this parameter will OVERRIDE the max_challenge_reuses and
+ max_challenge_lifetime parameters and set them to 0.
+ auth_param ntlm use_ntlm_negotiate on
+
 NOCOMMENT_START
 #Recommended minimum configuration:
 #auth_param digest program
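Review bot: The new description at `max_challenge_lifetime parameters and set them to 0` promises more than the auth_ntlm.c change in this patchset delivers: the parse code only zeroes `challengeuses`, and `challengelifetime` keeps whatever the administrator configured, so either this sentence should be narrowed to max_challenge_reuses or the code should reset both. The sentence `This allow too the use of NTLMv2 protocol.` reads awkwardly; suggest `This also allows the NTLMv2 protocol to be used.` It would also help an operator to say plainly that, with this on, the challenge appears to be replaced on every use rather than reused, since that override is a security-relevant side effect and not only a compatibility switch.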
@@ -1433,6 +1448,7 @@
 #auth_param ntlm children 5
 #auth_param ntlm max_challenge_reuses 0
 #auth_param ntlm max_challenge_lifetime 2 minutes
+#auth_param ntlm use_ntlm_negotiate on
 #auth_param basic program
 auth_param basic children 5
 auth_param basic realm Squid proxy-caching web server
Index: squid/src/auth/ntlm/auth_ntlm.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/auth_ntlm.c,v
retrieving revision 1.18.2.1.4.5
retrieving revision 1.18.2.1.4.6
diff -u -r1.18.2.1.4.5 -r1.18.2.1.4.6
--- squid/src/auth/ntlm/auth_ntlm.c 14 Sep 2003 17:12:35 -0000 1.18.2.1.4.5
+++ squid/src/auth/ntlm/auth_ntlm.c 20 Nov 2003 22:16:19 -0000 1.18.2.1.4.6
@@ -148,10 +148,11 @@
 storeAppendPrintf(entry, " %s", list->key);
 list = list->next;
 }
- storeAppendPrintf(entry, "\n%s %s children %d\n%s %s max_challenge_reuses %d\n%s %s max_challenge_lifetime %d seconds\n",
+ storeAppendPrintf(entry, "\n%s %s children %d\n%s %s max_challenge_reuses %d\n%s %s max_challenge_lifetime %d seconds\n%s %s use_ntlm_negotiate %s\n",
 name, "ntlm", config->authenticateChildren,
 name, "ntlm", config->challengeuses,
- name, "ntlm", (int) config->challengelifetime);
+ name, "ntlm", (int) config->challengelifetime,
+ name, "ntlm", config->use_ntlm_negotiate ? "on" : "off");
 }
@@ -167,6 +168,7 @@
 ntlmConfig->authenticateChildren = 5;
 ntlmConfig->challengeuses = 0;
 ntlmConfig->challengelifetime = 60;
+ ntlmConfig->use_ntlm_negotiate = 1;
 }
 ntlmConfig = scheme->scheme_data;
 if (strcasecmp(param_str, "program") == 0) {
@@ -180,6 +182,8 @@
 parse_int(&ntlmConfig->challengeuses);
 } else if (strcasecmp(param_str, "max_challenge_lifetime") == 0) {
 parse_time_t(&ntlmConfig->challengelifetime);
+ } else if (strcasecmp(param_str, "use_ntlm_negotiate") == 0) {
+ parse_onoff(&ntlmConfig->use_ntlm_negotiate);
 } else {
 debug(28, 0) ("unrecognised ntlm auth scheme parameter '%s'\n", param_str);
 }
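Review bot: `ntlmConfig->use_ntlm_negotiate = 1;` turns the option on by default, yet the cf.data.pre text labels it Windows-port specific, and once the flag is set the helper line changes from `YR` to `YR <token>`, so a helper that does not accept the token form will fail out of the box unless the administrator writes `use_ntlm_negotiate off` explicitly. The default also makes the recommended `max_challenge_reuses` setting moot, because the challenge is replaced on every use whenever the flag is on. At minimum the cf.data.pre entry should state the default next to the example, e.g. a `Default: on` line, so the forced behaviour is not a surprise; whether `off` would be the safer default for non-Windows builds of this branch I cannot tell from the hunk. The enclosing parse function starts before and ends after this hunk.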
@@ -191,8 +195,12 @@
 * state will be preserved. Caveats: this should be a post-parse
 * test, but that can wait for the modular parser to be integrated.
 */
- if (ntlmConfig->authenticate)
+ if (ntlmConfig->authenticate && Config.onoff.pipeline_prefetch != 0)
 Config.onoff.pipeline_prefetch = 0;
+
+ if (ntlmConfig->use_ntlm_negotiate && ntlmConfig->challengeuses > 0)
+ ntlmConfig->challengeuses = 0;
+
 }
@@ -647,11 +655,7 @@
 debug(29, 5) ("authenticateNTLMChangeChallenge_p: first use\n");
 return 0;
 }
-#if defined(_SQUID_MSWIN_) || defined(_SQUID_CYGWIN_)
- {
-#else
- if (helperstate->challengeuses > ntlmConfig->challengeuses) {
-#endif
+ if ((helperstate->challengeuses > ntlmConfig->challengeuses) || ntlmConfig->use_ntlm_negotiate) {
 debug(29, 4) ("authenticateNTLMChangeChallenge_p: Challenge uses (%d) exceeded max uses (%d)\n", helperstate->challengeuses, ntlmConfig->challengeuses);
 return 1;
 }
@@ -750,11 +754,13 @@
 helperStatefulSubmit(ntlmauthenticators, NULL, authenticateNTLMHandleplaceholder, r, NULL);
 } else {
 /* Server with invalid challenge */
-#if NTLM_TRUE_NEGOTIATE
- snprintf(buf, 8192, "YR %s\n", sent_string);
-#else
- snprintf(buf, 8192, "YR\n");
-#endif
+
+ if (ntlmConfig->use_ntlm_negotiate) {
+ snprintf(buf, 8192, "YR %s\n", sent_string);
+ } else {
+ snprintf(buf, 8192, "YR\n");
+ }
+
 helperStatefulSubmit(ntlmauthenticators, buf, authenticateNTLMHandleReply, r, ntlm_request->authserver);
 }
 } else {
Index: squid/src/auth/ntlm/auth_ntlm.h
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/auth_ntlm.h,v
retrieving revision 1.8
retrieving revision 1.8.10.1
diff -u -r1.8 -r1.8.10.1
--- squid/src/auth/ntlm/auth_ntlm.h 28 Nov 2001 23:29:52 -0000 1.8
+++ squid/src/auth/ntlm/auth_ntlm.h 20 Nov 2003 22:16:20 -0000 1.8.10.1
@@ -60,6 +60,7 @@
 wordlist *authenticate;
 int challengeuses;
 time_t challengelifetime;
+ int use_ntlm_negotiate;
 };
 typedef struct _ntlm_user ntlm_user_t;
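Review bot: The reset `if (ntlmConfig->use_ntlm_negotiate && ntlmConfig->challengeuses > 0) ntlmConfig->challengeuses = 0;` runs on every parsed parameter rather than after parsing, so a `max_challenge_reuses 5` line written after `use_ntlm_negotiate on` keeps its non-zero value, and `challengelifetime` is never touched although the cf.data.pre text in this same patchset says both parameters are forced to 0. The runtime OR in authenticateNTLMChangeChallenge_p hides the first problem, but the cachemgr dump will still print the stale values and mislead anyone auditing challenge reuse on this proxy. Suggest resetting whenever the flag is on, `if (ntlmConfig->use_ntlm_negotiate) { ntlmConfig->challengeuses = 0; ntlmConfig->challengelifetime = 0; }`, or narrowing the documentation if leaving the lifetime alone is intentional; the comment just above already admits this belongs in a post-parse test. The enclosing function starts before this hunk.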
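Review bot: The merged condition `if ((helperstate->challengeuses > ntlmConfig->challengeuses) || ntlmConfig->use_ntlm_negotiate) {` now reaches the `Challenge uses (%d) exceeded max uses (%d)` debug line even when the challenge is being replaced only because NEGOTIATE is enabled, so on a negotiate setup the trace claims a limit was exceeded when it was not. A separate branch keeps the log honest: `if (ntlmConfig->use_ntlm_negotiate) { debug(29, 4) ("authenticateNTLMChangeChallenge_p: NEGOTIATE in use, never reusing a challenge\n"); return 1; }` placed before the existing check. This hunk also replaces the former compile-time Windows/Cygwin behaviour with a runtime flag on every platform, so a Windows build with the option turned off now reuses challenges where it previously never did; that looks intended, but a one-line comment on the condition saying so would stop a later reader from reverting it. The function continues past the hunk.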
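Review bot: `snprintf(buf, 8192, "YR %s\n", sent_string);` hands `sent_string`, which from its name and the YR verb is presumably the client's NEGOTIATE token, to the helper over a line-oriented protocol without checking the result, so a token longer than the buffer is silently truncated and submitted as if complete, and nothing in this hunk shows the token was verified to be a single base64 blob free of whitespace and newlines before becoming part of a helper command line. Suggest keeping the return value, `if (snprintf(buf, 8192, "YR %s\n", sent_string) >= 8192)`, and treating truncation the way the surrounding code treats a malformed Proxy-Authorization header instead of submitting it, plus a comment at the call stating that the caller has already validated the token if that is the case. Where sent_string is parsed lies outside this hunk, as does the start of the enclosing function.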