-->
<H1>
-MSNT Auth v2.0.3-squid.1<BR>
+MSNT Auth v3.0.0<BR>
Squid web proxy NT authentication module<BR>
Modified by the Squid HTTP Proxy team<BR>
-Wed Jun 26 21:16:32 CEST 2002<BR>
Original release by Antonino Iannella, Stellar-X Pty Ltd<BR>
</H1>
<UL>
<LI> <A HREF="#introduction">Introduction</A>
<LI> <A HREF="#installation">Installation</A>
-<LI> <A HREF="#compiling">Issues when compiling</A>
-<LI> <A HREF="#configuration">Configuration file</A>
-<LI> <A HREF="#denying">Denying users</A>
-<LI> <A HREF="#allowing">Allowing users</A>
+<LI> <A HREF="#configuration">Configuration</A>
<LI> <A HREF="#squid">Squid.conf changes</A>
<LI> <A HREF="#testing">Testing</A>
-<LI> <A HREF="#contact">Contact details</A>
-<LI> <A HREF="#unknown">Unknown username issue</A>
-<LI> <A HREF="#changes">Revision history</A>
+<LI> <A HREF="#contact">Support details</A>
</UL>
<A NAME="introduction"><H2>Introduction</H2>
Msntauth is released under the GNU General Public License.
<P>
-Usage is simple. It accepts a username and password on standard input.
-It will return OK if the username/password is valid for the domain,
-or ERR if there was some problem.
-Check syslog messages for reported problems.
+<i>basic_msnt_auth</i> follows the standard Squid basic authentication helper protocol.
+See <a href="http://wiki.squid-cache.org/Features/AddonHelpers#Basic_Scheme"
+>http://wiki.squid-cache.org/Features/AddonHelpers#Basic_Scheme</a> for details.
+Problems are logged to syslog.
<P>
Msntauth works in environments with NT domain controllers on
-Windows (TM) NT 4, 2000, and Samba.
+Windows (TM) NT 4, 2000, and Samba. It only uses the ancient <i>Lanman</i> protocol,
+the authenticating systems must be configured to accept it.
<A NAME="installation"><H2>Installation</H2>
Refer to Squid documentation for details.
If the build is suitable, you can skip this section.
-<P>
-Alternatively, a supplementary makefile is also provided for manual compiling.
-Review Makefile.MSNT, and modify it based on the target platform or
-site requirements.
-
-<P>
-Make any necessary changes to the source code.
-
-<P>
-Copy Makefile.MSNT to Makefile.
-Type 'make', then 'make install', then 'make clean'.
+<A NAME="configuration"><H2>Configuration</H2>
<P>
-To avoid using the makefile, it may compile with
-
- gcc -O2 -s -o msntauth *.c
-
-<P>
-'Make install' will put 'msntauth' into
-/usr/local/squid/bin.
-
-<A NAME="compiling"><H2>Issues when compiling</H2>
-
-<P>
-The Makefile uses your C compiler (usually GCC), assuming it's in your PATH.
-Msntauth is known to compile properly on Linux, FreeBSD, and Solaris.
-
-<P>
-When compiling under Solaris, link to the NSL and socket libraries.
-In the Makefile, enable the alternative CFLAGS line for Solaris.
-Ensure /usr/ccs/bin is in your PATH.
-In Smbencrypt.c, '#include <sys/vfs.h>' only gets included when
-compiled with Solaris.
-
-<P>
-For Digital Unix/Tru64, review the INSTALL line in the makefile.
-The install-bsd command is used to place files in their target location.
-
-<A NAME="configuration"><H2>Configuration file</H2>
-
-<P>
-Msntauth uses a configuration file, usually
-/usr/local/squid/etc/msntauth.conf.
-To change this, edit the following line in confload.c -
+As of version 3.0.0, a configuration file is no longer needed.
+The specification of the domains and domain controllers to use is
+passed as a list of arguments on the command line.
+The syntax is:
<PRE>
- #define CONFIGFILE "/usr/local/squid/etc/msntauth.conf"
+basic_msnt_auth domain1/domaincontroller1 [domain2/domaincontroller2 ...]
</PRE>
+An arbitrary number of domain controllers can be specified, for any number of daomains.
+Domain controllers will be attempted in the same order they are configured, until
+any of them successfully authenticates the user passed by squid. If all domain
+controllers fail to authenticate the user, then access is denied.
+Domain controllers can be specified by their NetBios name.
<P>
-An example configuration file is provided -
-
-<PRE>
-# Sample MSNT authenticator configuration file
-# Antonino Iannella, Stellar-X Pty Ltd
-# Tue Aug 26 17:26:59 GMT+9 2003
-
-# NT domain hosts. Best to put the hostnames in /etc/hosts.
-server myPDC myBDC myNTdomain
-server otherPDC otherBDC otherdomain
-
-# Denied and allowed users. Comment these if not needed.
-denyusers /usr/local/squid/etc/denyusers
-allowusers /usr/local/squid/etc/allowusers
-</PRE>
-
-<P>
-All comments start with '#'.
-
-<P>
-NT servers are used to query user accounts. The 'server' lines
-are used for this, with the PDC, BDC, and NT domain as parameters.
-Up to 5 servers/domains can be queried. If this is not enough,
-modify the MAXSERVERS define in confload.c.
-At least one server must be specified, or msntauth will not start.
-Server names must be resolvable by the system. If not, msntauth
-reports an error. If you can't ping it, you might have a host
-resolution problem.
-
-<P>
-The name you specify is used in the NetBIOS protocol when
-communicating with the target server.
-The name must be resolvable by the local system, and it must be a
-name that the target server uses.
-You cannot simply invent a hostname.
-You cannot use it IP address.
-
-<P>
-When a user provides a username/password, each of these
-servers will be queried to authenticate the username.
-It stops after a user has been successfully authenticated,
-so it makes sense to specify the most commonly queried
-server first. Make sure the servers can be reached and
-are active, or else msntauth will report failures.
-
-<P>
-The 'denyusers' and 'allowusers' lines give the absolute path
-to files of user accounts. They can be used to deny or allow
-access to the proxy. Remove these directives if you
-do not need these features.
-
-<A NAME="denying"><H2>Denying users</H2>
-
-<P>
-Users who are not allowed to access the web proxy can be added to
-the denied user list. This list is read around every minute, or when
-the msntauth process receives a SIGHUP signal.
-
-<P>
-The denied user file is set using the 'denyusers' directive
-in msntauth.conf. The denied user file
-contains a list of usernames, one per line.
-If the file does not exist, no users are denied.
-The file must be readable by the web proxy user.
-
-<P>
-Msntauth will send syslog messages if a user was denied,
-at LOG_USER facility. Check your syslog messages for clues.
-
-<A NAME="allowing"><H2>Allowing users</H2>
-
-<P>
-Similar to denying users, you can allow users to access the proxy
-by username. This is useful if only a number of people are
-allowed to use a proxy.
-
-<P>
-The allowed user file is set using the 'allowusers' directive
-in msntauth.conf.
-If the file does not exist or if empty, all users are allowed.
-
-<P>
-You could make use of the SHOWMBRS tool in Microsoft Technet.
-This gives you a list of users which are in a particular
-NT Domain Group. This list can be made into the allowed users
-file using sed or awk.
-
-<P>
-Some other rules -
-
-<OL>
-<LI> The operation of the denied user file is independent of the
-allowed user file. The former file is checked first.
-<LI> You can use none, one, or both files.
-<LI> If a username appears in the denied user file, they will
-be denied, even if they are in the allowed user file.
-<LI> If a username is not in either file, they will be denied,
-because they have not been allowed.
-<LI> If the allowed user file is in use and is empty, all
-users will be allowed.
-</OL>
+<B>WARNING!</B> this means that a wrong password will be attempted a number of times.
+Watch out for domain lock-out policies!
<A NAME="squid"><H2>Squid.conf changes</H2>
The number of children needed is site-dependent, so some
experimentation may be required to find the best number.
There should be no visible delay in performance with Squid once
-msntauth is in use. As an example, a firm with 1500 users and a T1
-internet connection required a value of 30.
+msntauth is in use.
-<PRE>
- proxy_auth_realm enterprise web gateway
- authenticate_program /usr/local/squid/bin/msntauth
- authenticate_ttl 5
- authenticate_children 20
-</PRE>
+Please see <A href="http://www.squid-cache.org/Doc/config/auth_param/"
+>http://www.squid-cache.org/Doc/config/auth_param/</A> or your <TT>squid.conf.default</TT>
+file to check how to configure squid to make use of this helper.
<A NAME="testing"><H2>Testing</H2>
<P>
I strongly urge that Msntauth is tested prior to being used in a
production environment. It may behave differently on different platforms.
-To test it, run it from the command line. Enter username and password
+To test it, run it from the command line, and enter username and password
pairs separated by a space.
<P>
function in msntauth.c. Inform the Squid maintainers of any problems.
<P>
-Usernames cannot have whitespace in them, but passwords can.
-
-<P>
-As of version 2.0.3, the msntauth version can be found in the executable.
-Type this to retrieve it -
-
-<PRE>
- strings msntauth | grep -i msntauth
-</PRE>
+Usernames and passwords are expected to be URL-encoded (see RFC 1738 for details)
<A NAME="contact"><H2>Support details</H2>
<P>
Refer to the Squid website at http://www.squid-cache.org.
-Submit problems or fixes using their Bugzilla facility.
-
-<A NAME="unknown"><H2>Unknown username issue</H2>
-
-<P>
-For an unknown username, Msntauth returns OK.
-This is because the PDC returns guest access for unknown users,
-even if guest access is disabled.
-This problem was reported by Mr Vadim Popov (vap@iilsr.minsk.by).
-
-<P>
-The tested environment consisted of PDC on Windows NT 4, SP 6.
-Squid 2.3 and Msntauth was tested on SuSe, RedHat, and Debian Linux.
-A fix was provided in case you have this problem.
-Apply the provided patch before compiling, using
-
-<PRE>
- patch smblib.c < smblib.c.patch
-</PRE>
-
-<A NAME="changes"><H2>Revision history</H2>
-
-<P>
-The following sequence of changes have been made to improve msntauth.
-
-<UL>
-<LI>Added many patches from Duane Wessels to stop compilation errors
-<LI>Improved the main() function yet again
-<LI>Created a more informative Makefile
-<LI>Added an 'allowed users' feature to complement the 'denied users' feature
-<LI>Stopped the use of alarm() which was causing problems under Solaris
-<LI>Added more syslog messages for authentication problems
-<LI>Added the use of a configuration file, instead of hard-coding NT server details
-<LI>Allowed for querying multiple NT servers and domains (this was a hot issue)
-<LI>Changed README into an HTML document to improve readability
-<LI>Removed denied/allowed username substring search limitation
-<LI>Fixed a bug which occurred when reading denied/allowed usernames
-<LI>Allows whitespace in passwords
-<LI>To check user list changes, doesn't use an alarm every minute.
-<LI>Fixed a sigaction compilation error, causing problems on FreeBSD and HPUX
-<LI>Removed a problem of finding a valid username as a substring in the denied user list.
-<LI>Support email address change from antonino@usa.net to antonino@rager.com.au.
-<LI>Msntauth was successfully tested on Tru64.
-<LI>PDC and BDC hostnames are now checked if they are resolvable.
-<LI>Smbencrypt.c does not have to be checked for Solaris systems any more.
-<LI>Imbedded version information in the executable.
-<LI>Version 2.0.3 and later now supported by the Squid team.
-</UL>
-
-<P>
-A future improvement may be to cache accepted usernames and passwords,
-to reduce network authentication traffic, and improve the Squid response time.
+You can submit problems or fixes using the Squid project's Bugzilla database.
</BODY>
</HTML>
projects / thirdparty / squid.git / commitdiff
