From: hno <> Date: Tue, 1 Jun 2004 06:01:51 +0000 (+0000) Subject: Bug #717: msnt_auth documentation update X-Git-Tag: SQUID_3_0_PRE4~1090 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b867535556e11c0ded5f242f3ed9fbd45bb765dc;p=thirdparty%2Fsquid.git Bug #717: msnt_auth documentation update --- diff --git a/helpers/basic_auth/MSNT/README.html b/helpers/basic_auth/MSNT/README.html index aa86b32232..1c45cbb01a 100644 --- a/helpers/basic_auth/MSNT/README.html +++ b/helpers/basic_auth/MSNT/README.html @@ -12,10 +12,9 @@ HTML-text package from http://members.tripod.com/stellarx.
This is an authentication module for the Squid proxy server -to authenticate users on an NT domain. +to use an NT domain server.
It originates from the Samba and SMB packages by Andrew Tridgell -and Richard Sharpe. This version is sourced from the Pike -authentication module by William Welliver (hwellive@intersil.com). +and Richard Sharpe. It is sourced from the Pike +authentication module by William Welliver (hwellive@intersil.com), +and the SMB 1.0.1 libraries. +Releases up to version 2.0.3 were created by Antonino Iannella +(antonino@rager.com.au, http://stellarx.tripod.com). +The module is now distributed with Squid, and is maintained by the +Squid proxy team as an Open Source effort. +Msntauth is released under the GNU General Public License.
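Review bot: "+to use an NT domain server." drops what the helper actually does; the removed "-to authenticate users on an NT domain." said it, so consider "to authenticate proxy users against a Windows NT domain controller" instead. The added provenance lines (Pike module, SMB 1.0.1 libraries, releases up to 2.0.3, GPL) read fine here, but the same GPL sentence is being deleted from the later section of the file, so confirm that exactly one copy survives after both hunks are applied.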
Usage is simple. It accepts a username and password on standard input. @@ -52,32 +57,27 @@ or ERR if there was some problem. Check syslog messages for reported problems.
-Msntauth is released under the GNU General Public License and -is available from -http://www.tripod.com/stellarx. -It also ships with the Squid web proxy, -http://www.squid-proxy.org. - -
-Msntauth has not been tested with Windows 2000 domains yet.
+Msntauth works in environments with NT domain controllers on
+Windows (TM) NT 4, 2000, and Samba.
-Make any changes to the source code you need.
+Msntauth will be compiled when you compile Squid, using
+their autoconf system.
+Refer to Squid documentation for details.
+If the build is suitable, you can skip this section.
-If you are using the source provided with Squid, then Msntauth
-will be compiled when you compile Squid. Refer to Squid documentation
-for details.
+Alternatively, a supplementary makefile is also provided for manual compiling.
+Review Makefile.MSNT, and modify it based on the target platform or
+site requirements.
-If you have downloaded Msntauth from the Stellar-X website, then
-copy
+Copy Makefile.MSNT to Makefile.
Type 'make', then 'make install', then 'make clean'.
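Review bot: "+Windows (TM) NT 4, 2000, and Samba." replaces "-Msntauth has not been tested with Windows 2000 domains yet." with a positive compatibility claim, but the only test environment the README still names is a Windows NT 4 SP6 PDC (in the unknown-username section); either state which Windows 2000 and Samba versions were verified, or keep the weaker wording. Samba is also not a Windows release, so "domain controllers on Windows NT 4 or Windows 2000, or a Samba server acting as domain controller" would read better. Minor: "+Alternatively, a supplementary makefile is also provided" carries both "Alternatively" and "also"; drop one.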
@@ -87,52 +87,49 @@ To avoid using the makefile, it may compile with
'Make install' will put 'msntauth' into
-/usr/local/squid/bin by default.
-
-
-Hopefully nobody has problems compiling msntauth.
+/usr/local/squid/bin.
-The Makefile uses the GCC compiler, and assumes that it is in the current PATH.
-Msntauth is known to compile properly on Redhat Linux 6, and FreeBSD 3.1
-without problems. Other operating systems are untested,
-but use a recent copy of the GNU C compiler.
-In Smbencrypt.c, '#include
-When compiling under Solaris, the socket libraries must be linked to.
-In the Makefile, hash the default CFLAGS line, and unhash the Solaris
-CFLAGS line. It always helps to have /usr/ccs/bin in your path
-prior to compiling.
+When compiling under Solaris, link to the NSL and socket libraries.
+In the Makefile, enable the alternative CFLAGS line for Solaris.
+Ensure /usr/ccs/bin is in your PATH.
+In Smbencrypt.c, '#include
For Digital Unix/Tru64, review the INSTALL line in the makefile.
+The install-bsd command is used to place files in their target location.
-Msntauth uses a configuration file as of version 2.
-The file is /usr/local/squid/etc/msntauth.conf.
-If this path needs to be changed, it is defined in confload.c -
+Msntauth uses a configuration file, usually
+/usr/local/squid/etc/msntauth.conf.
+To change this, edit the following line in confload.c -
-An example configuration file is provided. It looks like
+An example configuration file is provided -
+The name you specify is used in the NetBIOS protocol when
+communicating with the target server.
+The name must be resolvable by the local system, and it must be a
+name that the target server uses.
+You cannot simply invent a hostname.
+You cannot use it IP address.
When a user provides a username/password, each of these
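Review bot: typo in "+You cannot use it IP address."; it should read "You cannot use an IP address." In the same block, "+The name must be resolvable by the local system, and it must be a name that the target server uses." is the right warning but leaves the reader guessing what "a name the server uses" means; since the preceding line says the name is sent in the NetBIOS protocol, say plainly that it must be the server's NetBIOS computer name and must additionally resolve (DNS or /etc/hosts) from the proxy host, as these are two separate requirements. "+In Smbencrypt.c, '#include" appears truncated in both the removed and the added copy; check the HTML source, because a bare "<" in HTML text must be written as "&lt;" or the rest of the sentence is swallowed by the browser.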
@@ -158,12 +161,12 @@ servers will be queried to authenticate the username.
It stops after a user has been successfully authenticated,
so it makes sense to specify the most commonly queried
server first. Make sure the servers can be reached and
-are active, or else msntauth will start failing user accounts!
+are active, or else msntauth will report failures.
The 'denyusers' and 'allowusers' lines give the absolute path
to files of user accounts. They can be used to deny or allow
-access to the proxy. Do not use these directives if you
+access to the proxy. Remove these directives if you
do not need these features.
The denied user file is set using the 'denyusers' directive
in msntauth.conf. The denied user file
-contains a list of usernames in no particular structure or form.
+contains a list of usernames, one per line.
If the file does not exist, no users are denied.
The file must be readable by the web proxy user.
Msntauth will send syslog messages if a user was denied,
-at LOG_USER facility.
+at LOG_USER facility. Check your syslog messages for clues.
Similar to denying users, you can allow users to access the proxy
by username. This is useful if only a number of people are
-allowed supposed to be accessing a proxy.
+allowed to use a proxy.
The allowed user file is set using the 'allowusers' directive
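Review bot: "+are active, or else msntauth will report failures." is vaguer than the line it replaces. What an administrator needs to know is that an unreachable or inactive server makes the helper answer ERR, so every user is denied until the server is back (it fails closed), not merely that something is logged; say that explicitly, e.g. "or else msntauth will reject all logins and log the failure". The rest of the hunk ("one per line", "Remove these directives", "Check your syslog messages for clues") is an improvement.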
@@ -200,7 +203,7 @@ If the file does not exist or if empty, all users are allowed.
You could make use of the SHOWMBRS tool in Microsoft Technet.
This gives you a list of users which are in a particular
NT Domain Group. This list can be made into the allowed users
-file.
+file using sed or awk.
Some other rules -
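Review bot: the context line "If the file does not exist or if empty, all users are allowed." describes a fail-open default that deserves a caution next to the sed/awk advice being added here: a mistyped "allowusers" path, or an empty file left behind by a failed SHOWMBRS export, silently opens the proxy to every domain account, whereas the earlier text says a missing "denyusers" file denies nobody. Suggest adding one sentence telling the administrator to verify the file is non-empty and readable by the proxy user, and to check syslog after the SIGHUP reload the README describes, before relying on the allow list.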
@@ -217,9 +220,6 @@ because they have not been allowed.
users will be allowed.
-
-Hopefully this wasn't too confusing.
-
@@ -228,9 +228,9 @@ You will need to set the following lines to enable authentication for
your access list -
If the above didn't work as expected, you may need to modify the main()
-function in msntauth.c. Inform the maintainer of any problems.
+function in msntauth.c. Inform the Squid maintainers of any problems.
Usernames cannot have whitespace in them, but passwords can.
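Review bot: "+function in msntauth.c. Inform the Squid maintainers of any problems." still tells an administrator to edit main() when the squid.conf lines do not work, which is not advice a README should give and sits oddly beside the later hunk that points users to the Squid Bugzilla; replace the sentence with a pointer to the syslog messages and to Bugzilla, and drop the invitation to patch main().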
@@ -289,25 +289,19 @@ Type this to retrieve it -
strings msntauth | grep -i msntauth
-To contact the maintainer of this package, email Antonino Iannella
-at antonino@rager.com.au, or antonino.iannella@santos.com.au, or ring
-+61 8408 800 007.
+
-The latest version may be found on http://members.tripod.com/stellarx.
-It is also distributed as part of Squid.
+Refer to the Squid website at http://www.squid-cache.org.
+Submit problems or fixes using their Bugzilla facility.
-
For an unknown username, Msntauth returns OK.
This is because the PDC returns guest access for unknown users,
even if guest access is disabled.
This problem was reported by Mr Vadim Popov (vap@iilsr.minsk.by).
-I am not able to replicate this.
The tested environment consisted of PDC on Windows NT 4, SP 6.
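Review bot: removing "-I am not able to replicate this." leaves the unknown-username problem with no stated status, and this is the most security-relevant paragraph in the file: as the context lines say, "For an unknown username, Msntauth returns OK" because the PDC grants guest access, which means the helper accepts logins for accounts that do not exist. The section should say whether the behaviour is confirmed, on which server types (the hunk above now claims NT 4, 2000 and Samba), and whether the patch referred to in "Apply the provided patch before compiling" is still required with the Squid-bundled version. Also, the lone "+" adds an empty line where the contact text was removed; harmless in HTML, but unnecessary.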
@@ -323,11 +317,9 @@ Apply the provided patch before compiling, using
The following sequence of changes have been made to improve msntauth.
-I have not had a chance to do too much testing due
-to lack of resources. There should be no problems, though.
-Hopefully msntauth and Squid prove to be a valuable auditing combination.
-Feel free to send me success or problem stories.
+A future improvement may be to cache accepted usernames and passwords,
+to reduce network authentication traffic, and improve the Squid response time.
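Review bot: "+A future improvement may be to cache accepted usernames and passwords," proposes holding cleartext credentials in the helper, and should not go into the README as a plan without a caveat. Squid already caches successful basic-auth results for the period set by the "credentialsttl" option of "auth_param basic", so the helper does not need its own cache; a helper-side cache would also keep a password valid after it was changed or the account disabled on the domain, and would keep cleartext passwords in process memory for the cache lifetime. Suggest rewording to point at Squid's credential caching, or dropping the sentence.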
Installation
Makefile.MSNT
to Makefile
.
-Review the Makefile, and modify based on target platform or
-site requirements.
+Make any necessary changes to the source code.
Issues when compiling
Configuration file
#define CONFIGFILE "/usr/local/squid/etc/msntauth.conf"
# Sample MSNT authenticator configuration file
# Antonino Iannella, Stellar-X Pty Ltd
-# Tue Sep 26 17:26:59 CST 2000
+# Tue Aug 26 17:26:59 GMT+9 2003
-server my_PDC my_BDC my_NTdomain
-server other_PDC other_BDC otherdomain
+# NT domain hosts. Best to put the hostnames in /etc/hosts.
+server myPDC myBDC myNTdomain
+server otherPDC otherBDC otherdomain
+# Denied and allowed users. Comment these if not needed.
denyusers /usr/local/squid/etc/denyusers
allowusers /usr/local/squid/etc/allowusers
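Review bot: the sample config leaves "denyusers /usr/local/squid/etc/denyusers" and "allowusers /usr/local/squid/etc/allowusers" active while the new comment "+# Denied and allowed users. Comment these if not needed." tells the reader to comment them out when unused; given that a missing allowusers file allows every user, ship the sample with both lines commented so that an administrator opts in deliberately. "+# NT domain hosts. Best to put the hostnames in /etc/hosts." is good advice and consistent with the resolvability requirement elsewhere in the hunk set.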
@@ -145,12 +142,18 @@ NT servers are used to query user accounts. The 'server' lines
are used for this, with the PDC, BDC, and NT domain as parameters.
Up to 5 servers/domains can be queried. If this is not enough,
modify the MAXSERVERS define in confload.c.
-At least one server must be specified, or msntauth will not
-run.
+At least one server must be specified, or msntauth will not start.
Server names must be resolvable by the system. If not, msntauth
reports an error. If you can't ping it, you might have a host
resolution problem.
-You can't use NetBIOS hostnames, nor IP addresses.
+
+Denying users
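Review bot: deleting "-You can't use NetBIOS hostnames, nor IP addresses." with only an empty "+" in its place leaves this section silent on what name is acceptable, while the new text earlier in the file says the name is used "in the NetBIOS protocol" and must be "a name that the target server uses"; the old statement and the new one contradict each other about NetBIOS names. Settle on one statement (the server's NetBIOS name, resolvable from the proxy host; no IP address) and keep it here, next to "Server names must be resolvable by the system", which is where the "server" lines are documented.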
@@ -176,20 +179,20 @@ the msntauth process receives a SIGHUP signal.
Allowing users
Squid.conf changes
- acl
@@ -241,7 +241,7 @@ The number of children needed is site-dependent, so some
experimentation may be required to find the best number.
There should be no visible delay in performance with Squid once
msntauth is in use. As an example, a firm with 1500 users and a T1
-internet connection required a value of 30.-
+internet connection required a value of 30.
proxy_auth_realm enterprise web gateway
@@ -276,7 +276,7 @@ It should behave in the following way -
-Contact details
-
-Support details
Reported problem
+Unknown username issue
-