<H1>
MSNT Auth v2.0.3-squid.1<BR>
Squid web proxy NT authentication module<BR>
-Antonino Iannella, Stellar-X Pty Ltd<BR>
-Sun Sep 2 15:01:58 CST 2001<BR>
Modified by the Squid HTTP Proxy team<BR>
-Wed Jun 26 21:16:32 CEST 2002
+Wed Jun 26 21:16:32 CEST 2002<BR>
+Original release by Antonino Iannella, Stellar-X Pty Ltd<BR>
</H1>
<H2>Contents</H2>
<LI> <A HREF="#squid">Squid.conf changes</A>
<LI> <A HREF="#testing">Testing</A>
<LI> <A HREF="#contact">Contact details</A>
-<LI> <A HREF="#reported">Reported problem</A>
+<LI> <A HREF="#unknown">Unknown username issue</A>
<LI> <A HREF="#changes">Revision history</A>
</UL>
<P>
This is an authentication module for the Squid proxy server
-to authenticate users on an NT domain.
+to use an NT domain server.
<P>
It originates from the Samba and SMB packages by Andrew Tridgell
-and Richard Sharpe. This version is sourced from the Pike
-authentication module by William Welliver (hwellive@intersil.com).
+and Richard Sharpe. It is sourced from the Pike
+authentication module by William Welliver (hwellive@intersil.com),
+and the SMB 1.0.1 libraries.
+Releases up to version 2.0.3 were created by Antonino Iannella
+(antonino@rager.com.au, http://stellarx.tripod.com).
+The module is now distributed with Squid, and is maintained by the
+Squid proxy team as an Open Source effort.
+Msntauth is released under the GNU General Public License.
<P>
Usage is simple. It accepts a username and password on standard input.
Check syslog messages for reported problems.
<P>
-Msntauth is released under the GNU General Public License and
-is available from
-<A HREF="http://www.tripod.com/stellarx">http://www.tripod.com/stellarx</A>.
-It also ships with the Squid web proxy,
-<A HREF="http://www.squid-proxy.org">http://www.squid-proxy.org</A>.
-
-<P>
-Msntauth has not been tested with Windows 2000 domains yet.
+Msntauth works in environments with NT domain controllers on
+Windows (TM) NT 4, 2000, and Samba.
<A NAME="installation"><H2>Installation</H2>
<P>
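Review bot: the new sentence "Msntauth works in environments with NT domain controllers on Windows (TM) NT 4, 2000, and Samba" claims more than this file supports, since the only test environment named later is "PDC on Windows NT 4, SP 6". State which platforms were actually tested and which are only reported to work, so an administrator knows where the unknown-username behaviour described below has been verified.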
-Make any changes to the source code you need.
+Msntauth will be compiled when you compile Squid, using
+their autoconf system.
+Refer to Squid documentation for details.
+If the build is suitable, you can skip this section.
<P>
-If you are using the source provided with Squid, then Msntauth
-will be compiled when you compile Squid. Refer to Squid documentation
-for details.
+Alternatively, a supplementary makefile is also provided for manual compiling.
+Review Makefile.MSNT, and modify it based on the target platform or
+site requirements.
<P>
-If you have downloaded Msntauth from the Stellar-X website, then
-copy <CODE>Makefile.MSNT</CODE> to <CODE>Makefile</CODE>.
-Review the Makefile, and modify based on target platform or
-site requirements.
+Make any necessary changes to the source code.
<P>
+Copy Makefile.MSNT to Makefile.
Type 'make', then 'make install', then 'make clean'.
<P>
<P>
'Make install' will put 'msntauth' into
-/usr/local/squid/bin by default.
-
-<P>
-Hopefully nobody has problems compiling msntauth.
+/usr/local/squid/bin.
<A NAME="compiling"><H2>Issues when compiling</H2>
<P>
-The Makefile uses the GCC compiler, and assumes that it is in the current PATH.
-Msntauth is known to compile properly on Redhat Linux 6, and FreeBSD 3.1
-without problems. Other operating systems are untested,
-but use a recent copy of the GNU C compiler.
-In Smbencrypt.c, '#include <sys/vfs.h>' only gets included when
-compiled with Solaris.
+The Makefile uses your C compiler (usually GCC), assuming it's in your PATH.
+Msntauth is known to compile properly on Linux, FreeBSD, and Solaris.
<P>
-When compiling under Solaris, the socket libraries must be linked to.
-In the Makefile, hash the default CFLAGS line, and unhash the Solaris
-CFLAGS line. It always helps to have /usr/ccs/bin in your path
-prior to compiling.
+When compiling under Solaris, link to the NSL and socket libraries.
+In the Makefile, enable the alternative CFLAGS line for Solaris.
+Ensure /usr/ccs/bin is in your PATH.
+In Smbencrypt.c, '#include <sys/vfs.h>' only gets included when
+compiled with Solaris.
<P>
For Digital Unix/Tru64, review the INSTALL line in the makefile.
+The install-bsd command is used to place files in their target location.
<A NAME="configuration"><H2>Configuration file</H2>
<P>
-Msntauth uses a configuration file as of version 2.
-The file is /usr/local/squid/etc/msntauth.conf.
-If this path needs to be changed, it is defined in confload.c -
+Msntauth uses a configuration file, usually
+/usr/local/squid/etc/msntauth.conf.
+To change this, edit the following line in confload.c -
<PRE>
#define CONFIGFILE "/usr/local/squid/etc/msntauth.conf"
</PRE>
<P>
-An example configuration file is provided. It looks like
+An example configuration file is provided -
<PRE>
# Sample MSNT authenticator configuration file
# Antonino Iannella, Stellar-X Pty Ltd
-# Tue Sep 26 17:26:59 CST 2000
+# Tue Aug 26 17:26:59 GMT+9 2003
-server my_PDC my_BDC my_NTdomain
-server other_PDC other_BDC otherdomain
+# NT domain hosts. Best to put the hostnames in /etc/hosts.
+server myPDC myBDC myNTdomain
+server otherPDC otherBDC otherdomain
+# Denied and allowed users. Comment these if not needed.
denyusers /usr/local/squid/etc/denyusers
allowusers /usr/local/squid/etc/allowusers
</PRE>
are used for this, with the PDC, BDC, and NT domain as parameters.
Up to 5 servers/domains can be queried. If this is not enough,
modify the MAXSERVERS define in confload.c.
-At least one server must be specified, or msntauth will not
-run.
+At least one server must be specified, or msntauth will not start.
Server names must be resolvable by the system. If not, msntauth
reports an error. If you can't ping it, you might have a host
resolution problem.
-You can't use NetBIOS hostnames, nor IP addresses.
+
+<P>
+The name you specify is used in the NetBIOS protocol when
+communicating with the target server.
+The name must be resolvable by the local system, and it must be a
+name that the target server uses.
+You cannot simply invent a hostname.
+You cannot use it IP address.
<P>
When a user provides a username/password, each of these
It stops after a user has been successfully authenticated,
so it makes sense to specify the most commonly queried
server first. Make sure the servers can be reached and
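Review bot: "You cannot use it IP address" should read "You cannot use its IP address". The sentence being removed said NetBIOS hostnames are not accepted, while the new paragraph says the name is used in the NetBIOS protocol and must be one the target server uses; spell out that the name has to resolve through the local resolver (DNS or /etc/hosts, as the sample configuration suggests) and also match the server's own name, otherwise a reader cannot tell whether a NetBIOS name is now allowed.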
-are active, or else msntauth will start failing user accounts!
+are active, or else msntauth will report failures.
<P>
The 'denyusers' and 'allowusers' lines give the absolute path
to files of user accounts. They can be used to deny or allow
-access to the proxy. Do not use these directives if you
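Review bot: "msntauth will report failures" is ambiguous about what happens to the user, whereas the replaced sentence said user accounts start failing. Say explicitly that when no listed server can be reached the login is rejected rather than accepted, because that fail-closed behaviour is what an administrator relies on when a domain controller is down.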
+access to the proxy. Remove these directives if you
do not need these features.
<A NAME="denying"><H2>Denying users</H2>
<P>
The denied user file is set using the 'denyusers' directive
in msntauth.conf. The denied user file
-contains a list of usernames in no particular structure or form.
+contains a list of usernames, one per line.
If the file does not exist, no users are denied.
The file must be readable by the web proxy user.
<P>
Msntauth will send syslog messages if a user was denied,
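Review bot: "The file must be readable by the web proxy user" covers only the read side. Since the denyusers and allowusers files decide who may use the proxy, the text should also say they must not be writable by the proxy user or by other unprivileged accounts, or anyone who can write the file can add or remove an entry.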
-at LOG_USER facility.
+at LOG_USER facility. Check your syslog messages for clues.
<A NAME="allowing"><H2>Allowing users</H2>
<P>
Similar to denying users, you can allow users to access the proxy
by username. This is useful if only a number of people are
-allowed supposed to be accessing a proxy.
+allowed to use a proxy.
<P>
The allowed user file is set using the 'allowusers' directive
You could make use of the SHOWMBRS tool in Microsoft Technet.
This gives you a list of users which are in a particular
NT Domain Group. This list can be made into the allowed users
-file.
+file using sed or awk.
<P>
Some other rules -
users will be allowed.
</OL>
-<P>
-Hopefully this wasn't too confusing.
-
<A NAME="squid"><H2>Squid.conf changes</H2>
<P>
your access list -
<PRE>
- acl <yourACL> proxy_auth REQUIRED
+ acl <I>yourACL</I> proxy_auth REQUIRED
http_access allow password
- http_access allow <yourACL>
+ http_access allow <I>yourACL</I>
http_access deny all
</PRE>
experimentation may be required to find the best number.
There should be no visible delay in performance with Squid once
msntauth is in use. As an example, a firm with 1500 users and a T1
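Review bot: in the squid.conf example, "acl <I>yourACL</I> proxy_auth REQUIRED" defines an ACL named yourACL, but the following "http_access allow password" refers to an ACL that the snippet never defines; use the same placeholder on both lines so a copied example does not leave an http_access rule pointing at a nonexistent ACL. The change from "<yourACL>" to "<I>yourACL</I>" is correct, since the bare angle brackets would be parsed as an HTML tag even inside PRE and the placeholder would vanish.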
-internet connection required a value of 30.-
+internet connection required a value of 30.
<PRE>
proxy_auth_realm enterprise web gateway
<P>
If the above didn't work as expected, you may need to modify the main()
-function in msntauth.c. Inform the maintainer of any problems.
+function in msntauth.c. Inform the Squid maintainers of any problems.
<P>
Usernames cannot have whitespace in them, but passwords can.
strings msntauth | grep -i msntauth
</PRE>
-<A NAME="contact"><H2>Contact details</H2>
-
-<P>
-To contact the maintainer of this package, email Antonino Iannella
-at antonino@rager.com.au, or antonino.iannella@santos.com.au, or ring
-+61 8408 800 007.
+<A NAME="contact"><H2>Support details</H2>
<P>
-The latest version may be found on http://members.tripod.com/stellarx.
-It is also distributed as part of Squid.
+Refer to the Squid website at http://www.squid-cache.org.
+Submit problems or fixes using their Bugzilla facility.
-<A NAME="reported"><H2>Reported problem</H2>
+<A NAME="unknown"><H2>Unknown username issue</H2>
<P>
For an unknown username, Msntauth returns OK.
This is because the PDC returns guest access for unknown users,
even if guest access is disabled.
This problem was reported by Mr Vadim Popov (vap@iilsr.minsk.by).
-I am not able to replicate this.
<P>
The tested environment consisted of PDC on Windows NT 4, SP 6.
<P>
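Review bot: removing "I am not able to replicate this" leaves the section without a status. It says an unknown username is returned OK because the PDC grants guest access even when guest access is disabled, but not whether msntauth now rejects that case or whether the behaviour still stands in 2.0.3. State the current status, and point administrators at the allowusers directive documented above as the way to restrict the proxy to a known list of accounts while the domain controller behaves this way; an authenticator that accepts unknown names otherwise gives no assurance about who is using the proxy.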
The following sequence of changes have been made to improve msntauth.
-I have not had a chance to do too much testing due
-to lack of resources. There should be no problems, though.
<UL>
-<LI>Added many patches from Duane Wessels to stop compilation errors (?)
+<LI>Added many patches from Duane Wessels to stop compilation errors
<LI>Improved the main() function yet again
<LI>Created a more informative Makefile
<LI>Added an 'allowed users' feature to complement the 'denied users' feature
<LI>PDC and BDC hostnames are now checked if they are resolvable.
<LI>Smbencrypt.c does not have to be checked for Solaris systems any more.
<LI>Imbedded version information in the executable.
+<LI>Version 2.0.3 and later now supported by the Squid team.
</UL>
<P>
-Hopefully msntauth and Squid prove to be a valuable auditing combination.
-Feel free to send me success or problem stories.
+A future improvement may be to cache accepted usernames and passwords,
+to reduce network authentication traffic, and improve the Squid response time.
</BODY>
</HTML>
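Review bot: the proposed cache of "accepted usernames and passwords" would hold clear-text credentials inside the helper process. If this is pursued, the note should say that a cache entry would store a hash of the password rather than the password itself, how long an entry lives, and that entries must expire so that a password change or account disablement at the domain controller takes effect within a bounded time.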