From: Francesco Chemolli Date: Sun, 28 Dec 2014 20:49:25 +0000 (+0100) Subject: Documentation updates X-Git-Tag: merge-candidate-3-v1~410^2~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=17222e89ffce85eb72371fae5072abd8d955103b;p=thirdparty%2Fsquid.git Documentation updates --- diff --git a/helpers/basic_auth/MSNT/README.html b/helpers/basic_auth/MSNT/README.html index 1c45cbb01a..ae242379bf 100644 --- a/helpers/basic_auth/MSNT/README.html +++ b/helpers/basic_auth/MSNT/README.html @@ -10,10 +10,9 @@ HTML-text package from http://members.tripod.com/stellarx. -->

-MSNT Auth v2.0.3-squid.1
+MSNT Auth v3.0.0
Squid web proxy NT authentication module
Modified by the Squid HTTP Proxy team
-Wed Jun 26 21:16:32 CEST 2002
Original release by Antonino Iannella, Stellar-X Pty Ltd

@@ -22,15 +21,10 @@ Original release by Antonino Iannella, Stellar-X Pty Ltd

Introduction

@@ -51,14 +45,15 @@ Squid proxy team as an Open Source effort. Msntauth is released under the GNU General Public License.

-Usage is simple. It accepts a username and password on standard input. -It will return OK if the username/password is valid for the domain, -or ERR if there was some problem. -Check syslog messages for reported problems. +basic_msnt_auth follows the standard Squid basic authentication helper protocol. +See http://wiki.squid-cache.org/Features/AddonHelpers#Basic_Scheme for details. +Problems are logged to syslog.

Msntauth works in environments with NT domain controllers on -Windows (TM) NT 4, 2000, and Samba. +Windows (TM) NT 4, 2000, and Samba. It only uses the ancient Lanman protocol, +the authenticating systems must be configured to accept it.

Installation

@@ -68,157 +63,26 @@ their autoconf system. Refer to Squid documentation for details. If the build is suitable, you can skip this section. -

-Alternatively, a supplementary makefile is also provided for manual compiling. -Review Makefile.MSNT, and modify it based on the target platform or -site requirements. - -

-Make any necessary changes to the source code. - -

-Copy Makefile.MSNT to Makefile. -Type 'make', then 'make install', then 'make clean'. +

Configuration

-To avoid using the makefile, it may compile with - - gcc -O2 -s -o msntauth *.c - -

-'Make install' will put 'msntauth' into -/usr/local/squid/bin. - -

Issues when compiling

- -

-The Makefile uses your C compiler (usually GCC), assuming it's in your PATH. -Msntauth is known to compile properly on Linux, FreeBSD, and Solaris. - -

-When compiling under Solaris, link to the NSL and socket libraries. -In the Makefile, enable the alternative CFLAGS line for Solaris. -Ensure /usr/ccs/bin is in your PATH. -In Smbencrypt.c, '#include ' only gets included when -compiled with Solaris. - -

-For Digital Unix/Tru64, review the INSTALL line in the makefile. -The install-bsd command is used to place files in their target location. - -

Configuration file

- -

-Msntauth uses a configuration file, usually -/usr/local/squid/etc/msntauth.conf. -To change this, edit the following line in confload.c - +As of version 3.0.0, a configuration file is no longer needed. +The specification of the domains and domain controllers to use is +passed as a list of arguments on the command line. +The syntax is: 

-  #define CONFIGFILE   "/usr/local/squid/etc/msntauth.conf"
+basic_msnt_auth domain1/domaincontroller1 [domain2/domaincontroller2 ...]
+An arbitrary number of domain controllers can be specified, for any number of daomains. +Domain controllers will be attempted in the same order they are configured, until +any of them successfully authenticates the user passed by squid. If all domain +controllers fail to authenticate the user, then access is denied. +Domain controllers can be specified by their NetBios name.

-An example configuration file is provided - - -

-# Sample MSNT authenticator configuration file
-# Antonino Iannella, Stellar-X Pty Ltd
-# Tue Aug 26 17:26:59 GMT+9 2003
-
-# NT domain hosts. Best to put the hostnames in /etc/hosts.
-server myPDC           myBDC          myNTdomain
-server otherPDC        otherBDC       otherdomain
-
-# Denied and allowed users. Comment these if not needed.
-denyusers       /usr/local/squid/etc/denyusers
-allowusers      /usr/local/squid/etc/allowusers
-
- -

-All comments start with '#'. - -

-NT servers are used to query user accounts. The 'server' lines -are used for this, with the PDC, BDC, and NT domain as parameters. -Up to 5 servers/domains can be queried. If this is not enough, -modify the MAXSERVERS define in confload.c. -At least one server must be specified, or msntauth will not start. -Server names must be resolvable by the system. If not, msntauth -reports an error. If you can't ping it, you might have a host -resolution problem. - -

-The name you specify is used in the NetBIOS protocol when -communicating with the target server. -The name must be resolvable by the local system, and it must be a -name that the target server uses. -You cannot simply invent a hostname. -You cannot use it IP address. - -

-When a user provides a username/password, each of these -servers will be queried to authenticate the username. -It stops after a user has been successfully authenticated, -so it makes sense to specify the most commonly queried -server first. Make sure the servers can be reached and -are active, or else msntauth will report failures. - -

-The 'denyusers' and 'allowusers' lines give the absolute path -to files of user accounts. They can be used to deny or allow -access to the proxy. Remove these directives if you -do not need these features. - -

Denying users

- -

-Users who are not allowed to access the web proxy can be added to -the denied user list. This list is read around every minute, or when -the msntauth process receives a SIGHUP signal. - -

-The denied user file is set using the 'denyusers' directive -in msntauth.conf. The denied user file -contains a list of usernames, one per line. -If the file does not exist, no users are denied. -The file must be readable by the web proxy user. - -

-Msntauth will send syslog messages if a user was denied, -at LOG_USER facility. Check your syslog messages for clues. - -

Allowing users

- -

-Similar to denying users, you can allow users to access the proxy -by username. This is useful if only a number of people are -allowed to use a proxy. - -

-The allowed user file is set using the 'allowusers' directive -in msntauth.conf. -If the file does not exist or if empty, all users are allowed. - -

-You could make use of the SHOWMBRS tool in Microsoft Technet. -This gives you a list of users which are in a particular -NT Domain Group. This list can be made into the allowed users -file using sed or awk. - -

-Some other rules - - -

    -
  1. The operation of the denied user file is independent of the -allowed user file. The former file is checked first. -
  2. You can use none, one, or both files. -
  3. If a username appears in the denied user file, they will -be denied, even if they are in the allowed user file. -
  4. If a username is not in either file, they will be denied, -because they have not been allowed. -
  5. If the allowed user file is in use and is empty, all -users will be allowed. -
+WARNING! this means that a wrong password will be attempted a number of times. +Watch out for domain lock-out policies!

Squid.conf changes

@@ -240,22 +104,18 @@ msntauth children spawned is set with authenticate_children. The number of children needed is site-dependent, so some experimentation may be required to find the best number. There should be no visible delay in performance with Squid once -msntauth is in use. As an example, a firm with 1500 users and a T1 -internet connection required a value of 30. +msntauth is in use. -
-  proxy_auth_realm enterprise web gateway
-  authenticate_program /usr/local/squid/bin/msntauth
-  authenticate_ttl 5
-  authenticate_children 20
-
+Please see http://www.squid-cache.org/Doc/config/auth_param/ or your squid.conf.default +file to check how to configure squid to make use of this helper.

Testing

I strongly urge that Msntauth is tested prior to being used in a production environment. It may behave differently on different platforms. -To test it, run it from the command line. Enter username and password +To test it, run it from the command line, and enter username and password pairs separated by a space.

@@ -279,72 +139,13 @@ If the above didn't work as expected, you may need to modify the main() function in msntauth.c. Inform the Squid maintainers of any problems.

-Usernames cannot have whitespace in them, but passwords can. - -

-As of version 2.0.3, the msntauth version can be found in the executable. -Type this to retrieve it - - -

-  strings msntauth | grep -i msntauth
-
+Usernames and passwords are expected to be URL-encoded (see RFC 1738 for details)

Support details

Refer to the Squid website at http://www.squid-cache.org. -Submit problems or fixes using their Bugzilla facility. - -

Unknown username issue

- -

-For an unknown username, Msntauth returns OK. -This is because the PDC returns guest access for unknown users, -even if guest access is disabled. -This problem was reported by Mr Vadim Popov (vap@iilsr.minsk.by). - -

-The tested environment consisted of PDC on Windows NT 4, SP 6. -Squid 2.3 and Msntauth was tested on SuSe, RedHat, and Debian Linux. -A fix was provided in case you have this problem. -Apply the provided patch before compiling, using - -

-  patch smblib.c < smblib.c.patch
-
- -

Revision history

- -

-The following sequence of changes have been made to improve msntauth. - -

- -

-A future improvement may be to cache accepted usernames and passwords, -to reduce network authentication traffic, and improve the Squid response time. +You can submit problems or fixes using the Squid project's Bugzilla database.