--------------------- PatchSet 6049 Date: 2003/11/21 22:19:18 Author: serassio Branch: nt-2_5 Tag: (none) Log: Updated win32 native ntlm helper: now NTLM NEGOTIATE packet support is configurable Members: helpers/external_acl/win32_group/readme.txt:1.1.8.6->1.1.8.7 helpers/ntlm_auth/NTLMSSP-WIN32/ntlm_auth.c:1.1.4.11->1.1.4.12 helpers/ntlm_auth/NTLMSSP-WIN32/readme.txt:1.1.4.5->1.1.4.6 Index: squid/helpers/external_acl/win32_group/readme.txt =================================================================== RCS file: /cvsroot/squid-sf//squid/helpers/external_acl/win32_group/Attic/readme.txt,v retrieving revision 1.1.8.6 retrieving revision 1.1.8.7 diff -u -r1.1.8.6 -r1.1.8.7 --- squid/helpers/external_acl/win32_group/readme.txt 16 Aug 2003 12:09:37 -0000 1.1.8.6 +++ squid/helpers/external_acl/win32_group/readme.txt 21 Nov 2003 22:19:18 -0000 1.1.8.7 @@ -57,7 +57,7 @@ It's possible to enable not case sensitive group name comparation (-c), but on on some non - English locales, the results can be unexpected. - Native WIN32 NTLM and Basic Helpers must be used without the - -a & -d switches. + -A & -D switches. Refer to Squid documentation for the more details on squid.conf. Index: squid/helpers/ntlm_auth/NTLMSSP-WIN32/ntlm_auth.c =================================================================== RCS file: /cvsroot/squid-sf//squid/helpers/ntlm_auth/NTLMSSP-WIN32/Attic/ntlm_auth.c,v retrieving revision 1.1.4.11 retrieving revision 1.1.4.12 diff -u -r1.1.4.11 -r1.1.4.12 --- squid/helpers/ntlm_auth/NTLMSSP-WIN32/ntlm_auth.c 14 Sep 2003 10:27:56 -0000 1.1.4.11 +++ squid/helpers/ntlm_auth/NTLMSSP-WIN32/ntlm_auth.c 21 Nov 2003 22:19:18 -0000 1.1.4.12 @@ -61,6 +61,10 @@ char * NTDisAllowedGroup; int UseDisallowedGroup = 0; int UseAllowedGroup = 0; +int UseNtlmNegotiate = 0; + +char YR_String[4] = "YR"; +int YR_Length = 2; /* makes a null-terminated string upper-case. Changes CONTENTS! */ void 
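Review bot: The new file-scope pair `YR_String`/`YR_Length` carries no comment saying what the prefix is, while the code that consumes it (the `memcmp` against the input line and the `buf + 3` offset taken when `-N` is set) sits much further down the file, so a reader of this declaration has to search for its meaning; a one-line comment would fix that, e.g. `/* prefix Squid sends on a refresh request: "YR" alone, or "YR " followed by the base64 NEGOTIATE token when -N is given (switched in option parsing) */`. The array is exactly large enough for the three-character form plus the terminating NUL, which is worth stating on the line itself since any longer prefix would require resizing it: `char YR_String[4] = "YR"; /* room for "YR " + NUL */`.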
@@ -113,13 +117,13 @@ /* - * options: - * -d enable debugging. - * -v enable verbose NTLM packet debugging. - * -l if specified, changes behavior on failures to last-ditch. - * -A can specify a Windows Local Group name allowed to authenticate. - * -D can specify a Windows Local Group name not allowed to authenticate. - * domain\controller ... + options: + -d enable debugging. + -v enable verbose NTLM packet debugging. + -l if specified, changes behavior on failures to last-ditch. + -A can specify a Windows Local Group name allowed to authenticate. + -D can specify a Windows Local Group name not allowed to authenticate. + -N enable use of NTLM NEGOTIATE packet */ char *my_program_name = NULL; @@ -128,9 +132,9 @@ { fprintf(stderr, #ifdef NTLM_FAIL_OPEN - "Usage: %s [-d] [-v] [-A|D LocalUserGroup] [-l] [-h]\n" + "Usage: %s [-d] [-v] [-N] [-A|D LocalUserGroup] [-l] [-h]\n" #else - "Usage: %s [-d] [-v] [-A|D LocalUserGroup] [-h]\n" + "Usage: %s [-d] [-v] [-N] [-A|D LocalUserGroup] [-h]\n" #endif " -d enable debugging.\n" " -v enable verbose NTLM packet debugging.\n" @@ -139,6 +143,7 @@ #endif " -A specify a Windows Local Group name allowed to authenticate\n" " -D specify a Windows Local Group name not allowed to authenticate\n" + " -N enable use of NTLM NEGOTIATE packet\n" " -h this message\n\n", my_program_name); } @@ -151,9 +156,9 @@ opterr =0; #ifdef NTLM_FAIL_OPEN - while (-1 != (opt = getopt(argc, argv, "hdvlA:D:"))) { + while (-1 != (opt = getopt(argc, argv, "hdvlA:D:N"))) { #else - while (-1 != (opt = getopt(argc, argv, "hdvA:D:"))) { + while (-1 != (opt = getopt(argc, argv, "hdvA:D:N"))) { #endif switch (opt) { case 'A': @@ -166,6 +171,11 @@ NTDisAllowedGroup=xstrdup(optarg); UseDisallowedGroup = 1; break; + case 'N': + UseNtlmNegotiate = 1; + strcpy(YR_String, "YR "); + YR_Length = 3; + break; #ifdef NTLM_FAIL_OPEN case 'l': last_ditch_enabled = 1; 
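Review bot: The `case 'N'` branch keeps two globals in step by hand, `strcpy(YR_String, "YR ")` and `YR_Length = 3`, and the decode path elsewhere in the file hard-codes the same offset as `buf + 3`, so three places must change together if the prefix is ever touched. Deriving the length from the string, `YR_Length = strlen(YR_String);`, removes one of the copies; the `strcpy` into the four-byte array is itself in bounds (three characters plus NUL). The enclosing option-parsing function starts before this hunk and ends after it.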
@@ -245,17 +255,15 @@ hex_dump(decoded, ((strlen(buf) - 3) * 3) / 4); } else debug("Got '%s' from Squid\n", buf); -#if NTLM_TRUE_NEGOTIATE - if (memcmp(buf, "YR ", 3) == 0) { /* refresh-request */ + if (memcmp(buf, YR_String, YR_Length) == 0) { /* refresh-request */ /* figure out what we got */ - decoded = base64_decode(buf + 3); + if (UseNtlmNegotiate) + decoded = base64_decode(buf + 3); + else + decoded = base64_decode(ntlm_make_negotiate()); /* Note: we don't need to manage memory at this point, since * base64_decode returns a pointer to static storage. */ -#else - if (memcmp(buf, "YR", 2) == 0) { /* refresh-request */ - decoded = base64_decode(ntlm_make_negotiate()); -#endif if (!decoded) { /* decoding failure, return error */ SEND("NA Packet format error, couldn't base64-decode"); return 1; @@ -271,11 +279,10 @@ switch (fast_header->type) { case NTLM_NEGOTIATE: /* Obtain challenge against SSPI */ -#if NTLM_TRUE_NEGOTIATE - plen = (strlen(buf) - 3) * 3 / 4; /* we only need it here. Optimization */ -#else - plen = NEGOTIATE_LENGTH; -#endif + if (UseNtlmNegotiate) + plen = (strlen(buf) - 3) * 3 / 4; /* we only need it here. Optimization */ + else + plen = NEGOTIATE_LENGTH; if ((c = (char *) obtain_challenge((ntlm_negotiate *) decoded, plen)) != NULL ) { if (NTLM_packet_debug_enabled) { Index: squid/helpers/ntlm_auth/NTLMSSP-WIN32/readme.txt =================================================================== RCS file: /cvsroot/squid-sf//squid/helpers/ntlm_auth/NTLMSSP-WIN32/Attic/readme.txt,v retrieving revision 1.1.4.5 retrieving revision 1.1.4.6 diff -u -r1.1.4.5 -r1.1.4.6 --- squid/helpers/ntlm_auth/NTLMSSP-WIN32/readme.txt 8 Sep 2003 20:31:33 -0000 1.1.4.5 +++ squid/helpers/ntlm_auth/NTLMSSP-WIN32/readme.txt 21 Nov 2003 22:19:18 -0000 1.1.4.6 
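Review bot: With `-N` set, `base64_decode(buf + 3)` hard-codes the offset that `YR_Length` already expresses, and it accepts a bare `YR ` line: the three-byte prefix matches, `buf + 3` is the empty string, and unless `base64_decode` returns NULL for empty input (its implementation is not in this hunk) the `!decoded` check passes and the header-type switch further down reads whatever the decoder's static buffer held from the previous request. Rejecting the empty token before decoding closes that, `if (UseNtlmNegotiate && buf[YR_Length] == '\0') { SEND("NA Packet format error, empty NEGOTIATE"); return 1; }`, and `base64_decode(buf + YR_Length)` keeps the offset in one place. The enclosing function starts before this hunk and ends after it.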
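Review bot: `plen = (strlen(buf) - 3) * 3 / 4` in the `NTLM_NEGOTIATE` case is an upper bound, not the decoded length: a base64 token ending in one or two `=` characters decodes to one or two bytes fewer, so `obtain_challenge` is told the client's NEGOTIATE packet is longer than what `base64_decode` produced and may read past it inside the decoder's static buffer. The same expression already appears in the `hex_dump` call of the previous hunk, so this is also a second copy of it. If the decoder cannot report its own length, subtracting the padding is a small fix (with `blen` declared at the top of the block): `size_t blen = strlen(buf); plen = (blen - 3) * 3 / 4; while (blen > 3 && buf[blen - 1] == '=') { plen--; blen--; }`. The enclosing function starts before this hunk and ends after it.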
@@ -1,18 +1,19 @@ ntlm_auth.exe -Native Windows NTLM authenticator for Squid 2.5 +Native Windows NTLM/NTLMv2 authenticator for Squid 2.5. ===== Usage ===== -ntlm_auth [-d] [-v] [-A|D LocalUserGroup] [-l] [-h] +ntlm_auth [-d] [-v] [-N] [-A|D LocalUserGroup] [-l] [-h] -d enables debugging. -v enables verbose NTLM packet debugging. -l if specified, changes behavior on failures to last-ditch. -A specify a Windows Local Group name allowed to authenticate. -D specify a Windows Local Group name not allowed to authenticate. +-N enable use of NTLM NEGOTIATE packet. -h print program usage This is released under the GNU General Public License 
@@ -22,13 +23,37 @@ ============== Users that are allowed to access the web proxy must have the Windows NT -User Rights "logon from the network" and must be included in the NT LOCAL User Groups -specified in the Authenticator's command line. -This can be accomplished creating a local user group on the NT machine, grant the privilege, -and adding users to it. - -Refer to Squid documentation for the required changes to squid.conf. +User Rights "logon from the network". +Optionally the authenticator can verify the NT LOCAL group membership of +the user against the User Group specified in the Authenticator's command +line. +This can be accomplished creating a local user group on the NT machine, +grant the privilege, and adding users to it, it works only with MACHINE +Local Groups, not Domain Local Groups. +Better group checking is available with External Acl, see win32_check_group +documentation. + +The use of NTLM NEGOTIATE packet allow full NTLM/NTLMv2 support, but +Squid too must be configured to use NTLM NEGOTIATE, see squid.conf. + +Squid.conf typical minimal required changes: + +auth_param ntlm program c:/squid/libexec/ntlm_auth.exe -N +auth_param ntlm children 5 +auth_param ntlm max_challenge_reuses 0 +auth_param ntlm max_challenge_lifetime 2 minutes +auth_param ntlm use_ntlm_negotiate on <== needs (or needed by) -N option + +acl password proxy_auth REQUIRED + +http_access allow password +http_access deny all + +When using -N option, "use_ntlm_negotiate on" is MANDATORY and +max_challenge_reuses and max_challenge_lifetime parameters must be specified +but they are are ignored. +Refer to Squid documentation for more details. =============== Contact details