Re: [squid-users] proxy-auth NTLM stop working
On 11/05/11 05:44, Ricardo Nuno wrote:
> Hi,
>
> I had a working setup with Ubuntu 10.04 LTS x64 with the following versions:
>
> squid 3.0.STABLE19-1ubuntu0.1
> samba 2:3.4.7~dfsg-1ubuntu3.5
>
> We have an AD domain with around 50 clients using Windows 7 and joined in the domain. For these clients we use squid with kerberos and it's working fine with no issues.
>
> We had a second auth method (NTLM basic, ntlmssp) for clients that were not joined in the domain. For these clients normally a pop-up auth appears in the browser, where the user should provide AD credentials in the following manner:
>
> User: MYDOMAIN\user
> Pass: password
>
> Since last week NTLM seems to have stopped working, but from all the tests I run from the proxy shell it seems OK.
>
> Here is what I already did to debug the issue:
>
> root@proxy:/# net ads testjoin
> Join is OK
>
> root@proxy:/# wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> root@proxy:/# wbinfo -a lsquintella%lsquintella
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> wbinfo -u and wbinfo -g both work and list users and groups without the domain.
>
> I'm using the ntlm binary from samba:
>
> root@proxy:/# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> mydomain+lsquintella lsquintella
> OK
>
> I'm running out of ideas to solve this; am I missing something here?

Okay, so the Basic auth protocol works. Now what about the other two?

You have Negotiate configured as the first option and NTLM configured as the second. It is *entirely* up to the browser which of the three options it picks to use.
 - IE is known only to pick the first it can use and not failover.
 - Recent Windows OS will not respond to NTLM by default.

Or it could be a simpler failure in the helpers looking up the other protocols' tokens.

> Can someone please point me in the right direction.

You can test the other protocols by cut-n-pasting the HTTP header value received from the logs and pasting it to the helper. Squid just tacks a TT onto the beginning and passes the header line on unchanged to the helper, hoping for an AF (success) or BH (fail) result.

> /etc/squid3/squid.conf
>
> visible_hostname proxy1.mydomain.lan
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> cache_mem 1024 MB
> maximum_object_size 8096 KB
> cache_dir aufs /var/spool/squid3 5 16 256
> cache_access_log /var/log/squid3/access.log
> cache_log /var/log/squid3/cache.log squid
> cache_store_log none
>
> #Suggested default:
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> refresh_pattern -i (cgi-bin|\?) 0 0% 0
> refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
> refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
>
> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s HTTP/ldapb...@mydomain.lan
> auth_param negotiate children 20
> auth_param negotiate keep_alive on
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param ntlm keep_alive on
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 10
> auth_param basic realm Mydomain Log
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> external_acl_type FaGroup ttl=900 %LOGIN /usr/lib/squid3/squid_ldap_group -R -b dc=mydomain,dc=lan -D cn=ldapbind,cn=users,dc=mydomain,dc=lan -W /etc$
>
> authenticate_ttl 1 hour
> authenticate_cache_garbage_interval 1 hour
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563 8443 # https
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> acl rede_interna src 192.168.20.0/24
> acl rede_servidores src 192.168.10.0/24
> acl h_trabalho_manha time MTWHF 09:00-13:00
> acl h_trabalho_tarde time MTWHF 14:30-18:00
> acl FullAccess external FaGroup InetFA
> acl sites_internos_nocache dst 192.168.10.0/24
> cache deny sites_internos_nocache
> acl Publicidade url_regex /etc/squid3/list/publicidade.acl
> acl BlockFiles urlpath_regex -i
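A way to do the cut-and-paste helper test described in the reply above, as an added example that is not code from this thread or from the Squid project. It takes a Proxy-Authorization header value as the browser sent it (one way to get it on Squid 3.0 is a logformat containing %{Proxy-Authorization}>h, or a packet capture on port 3128) and produces the exact line Squid's helper protocol would hand to the basic, ntlm or negotiate helper: "user password" for the basic helper (answer OK/ERR), and "YR <token>" for a token that opens a handshake or "KK <token>" for a continuation on the ntlm and negotiate helpers (answers TT <challenge>, AF <user>, NA <reason> or BH <reason>). It also flags the case where IE puts a raw NTLMSSP blob inside a Negotiate header, which squid_kerb_auth cannot consume and which is what negotiate_wrapper exists for. The sample tokens at the bottom are constructed, not captured, and only their leading bytes are meaningful.

```python
"""Frame a captured Proxy-Authorization header the way Squid 3.0 hands it to
its basic / ntlm / negotiate auth helpers, so the helper can be exercised
from the proxy shell with the exact bytes the browser sent.

Added example, not code from the squid-users thread or the Squid project.
"""
import base64
import struct
from typing import NamedTuple, Optional

NTLMSSP_MAGIC = b"NTLMSSP\x00"
# NTLMSSP message type -> helper verb: type 1 opens a handshake (YR), type 3
# finishes it (KK). Type 2 is the server challenge and never comes from a client.
NTLM_VERBS = {1: "YR", 3: "KK"}


class HelperInput(NamedTuple):
    scheme: str          # Basic / NTLM / Negotiate, as the browser sent it
    helper: str          # which auth_param helper Squid would hand it to
    line: str            # the exact line to pipe into that helper
    note: Optional[str]  # something the operator should look at, if anything


def ntlm_message_type(raw: bytes) -> Optional[int]:
    """Return the NTLMSSP message type (1, 2 or 3), or None if not NTLMSSP."""
    if not raw.startswith(NTLMSSP_MAGIC) or len(raw) < 12:
        return None
    return struct.unpack_from("<I", raw, 8)[0]


def frame_for_helper(header_value: str) -> HelperInput:
    """Turn one Proxy-Authorization header value into a helper input line."""
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    raw = base64.b64decode(token)

    if scheme.lower() == "basic":
        # squid-2.5-basic protocol: "<user> <password>", helper answers OK / ERR.
        user, sep, password = raw.decode("utf-8").partition(":")
        if not sep:
            raise ValueError("Basic credentials lack the ':' separator")
        # ntlm_auth wants DOMAIN and user joined with the winbind separator
        # ('\' by default, '+' if smb.conf sets winbind separator = +).
        return HelperInput("Basic", "basic", f"{user} {password}",
                           "domain separator must match winbind's")

    mtype = ntlm_message_type(raw)

    if scheme.lower() == "ntlm":
        if mtype not in NTLM_VERBS:
            raise ValueError(f"client sent NTLMSSP type {mtype}; expected 1 or 3")
        return HelperInput("NTLM", "ntlm", f"{NTLM_VERBS[mtype]} {token}", None)

    if scheme.lower() == "negotiate":
        if mtype in NTLM_VERBS:
            # Raw NTLMSSP wrapped in a Negotiate header: squid_kerb_auth cannot
            # consume it, which is the case negotiate_wrapper exists for.
            return HelperInput("Negotiate", "negotiate", f"{NTLM_VERBS[mtype]} {token}",
                               "raw NTLMSSP inside Negotiate; the Kerberos helper will reject it")
        if not raw:
            raise ValueError("empty Negotiate token")
        if raw[0] == 0x60:     # GSS-API initial token wrapping SPNEGO NegTokenInit
            verb = "YR"
        elif raw[0] == 0xA1:   # bare SPNEGO NegTokenResp: continuation
            verb = "KK"
        else:
            raise ValueError(f"not a SPNEGO token (leading byte 0x{raw[0]:02x})")
        return HelperInput("Negotiate", "negotiate", f"{verb} {token}", None)

    raise ValueError(f"unsupported auth scheme {scheme!r}")


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed sample tokens (not real captures): minimal NTLMSSP type 1 and
# type 3 messages and a tiny SPNEGO NegTokenInit; only the leading bytes matter.
SAMPLE_NTLM_TYPE1 = NTLMSSP_MAGIC + struct.pack("<II", 1, 0x00088207) + b"\x00" * 16
SAMPLE_NTLM_TYPE3 = NTLMSSP_MAGIC + struct.pack("<I", 3) + b"\x00" * 52
SAMPLE_SPNEGO_INIT = b"\x60\x0c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x02\x30\x00"

SAMPLE_HEADERS = {
    "basic": "Basic " + b64(b"MYDOMAIN\\lsquintella:secret"),
    "ntlm_type1": "NTLM " + b64(SAMPLE_NTLM_TYPE1),
    "ntlm_type3": "NTLM " + b64(SAMPLE_NTLM_TYPE3),
    "spnego_init": "Negotiate " + b64(SAMPLE_SPNEGO_INIT),
    "ntlm_in_negotiate": "Negotiate " + b64(SAMPLE_NTLM_TYPE1),
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        r = frame_for_helper(header)
        print(f"{name:18} -> {r.helper:9} helper <- {r.line[:44]}  {r.note or ''}")
```

Pipe the produced line into the matching helper on the proxy, for example `echo 'YR <token>' | /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp`, and expect `TT <challenge>` back. Two caveats when replaying captured tokens: an NTLM type 3 (the KK line) is computed against the challenge one specific helper process issued, so pasting it into a fresh helper will give NA rather than AF, which means only the YR step is meaningfully testable in isolation for NTLM; a Kerberos token in a Negotiate YR line is self-contained and is a valid test of squid_kerb_auth as long as the service ticket has not expired and was issued for the SPN in the proxy's keytab.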
Re: [squid-users] proxy-auth NTLM stop working
> Okay, so the Basic auth protocol works. Now what about the other two?
>
> You have Negotiate configured as the first option and NTLM configured as the second. It is *entirely* up to the browser which of the three options it picks to use.
>  - IE is known only to pick the first it can use and not failover.
>  - Recent Windows OS will not respond to NTLM by default.
>
> Or it could be a simpler failure in the helpers looking up the other protocols' tokens.

Actually I narrowed the problem down; it's even weirder than I thought.

All machines joined in the domain have no issues with squid_kerb_auth. We use WPAD on our network, by DNS alias for Firefox and by DHCP for IE.

For the machines not joined in the domain using IE8 or IE7, to get the NTLM helper to work I had to do the following:

In Internet Options - Connections - LAN settings:
 * Remove the check from "Automatically detect settings" (which is crucial for WPAD)
 * Introduce the proxy host and port manually

In Internet Options - Advanced - Settings:
 * Remove the check from "Enable Integrated Windows Authentication"

Restart IE and it starts working again, with no changes to the squid or samba config.

So some update changed the behavior of IE in these last 2 months; I will try to find out which one. Any clues?

The way Windows 7 handles NTLM was a known issue for me that I normally change in Local Security Policy, or on the domain-joined machines I handle it with GPO.

Is there any known issue with the WPAD implementation in IE?

Is there any other helper I can use that could do kerberos auth and fall back to NTLM?

>> http_access deny !FullAccess Publicidade
>
> FullAccess requires auth to be known in order to use. These lines all contradict "http_access allow all NoAuthNeeded" below.

Changed to: http_access allow NoAuthNeeded

I use this rule to not get the auth prompt on some sites.

--
Ricardo
Re: [squid-users] proxy-auth NTLM stop working
On 12/05/11 02:34, Ricardo Nuno wrote:
>> Okay, so the Basic auth protocol works. Now what about the other two?
>>
>> You have Negotiate configured as the first option and NTLM configured as the second. It is *entirely* up to the browser which of the three options it picks to use.
>>  - IE is known only to pick the first it can use and not failover.
>>  - Recent Windows OS will not respond to NTLM by default.
>>
>> Or it could be a simpler failure in the helpers looking up the other protocols' tokens.
>
> Actually I narrowed the problem down; it's even weirder than I thought.
>
> All machines joined in the domain have no issues with squid_kerb_auth. We use WPAD on our network, by DNS alias for Firefox and by DHCP for IE.
>
> For the machines not joined in the domain using IE8 or IE7, to get the NTLM helper to work I had to do the following:
>
> In Internet Options - Connections - LAN settings:
>  * Remove the check from "Automatically detect settings" (which is crucial for WPAD)
>  * Introduce the proxy host and port manually
>
> In Internet Options - Advanced - Settings:
>  * Remove the check from "Enable Integrated Windows Authentication"
>
> Restart IE and it starts working again, with no changes to the squid or samba config.

What you have done with Enable Integrated Windows Authentication is disable SSO from using the Windows box login token to also log in to the proxy. The token is tightly bound to the particular username and password spelling, domain name, and encryption hash algorithm.

This is reminding me of some earlier comments (just a few months ago) about Windows 7 silently moving Kerberos tickets to a new form of AES hash algorithm some older OpenSSL do not support.

> So some update changed the behavior of IE in these last 2 months; I will try to find out which one. Any clues?
>
> The way Windows 7 handles NTLM was a known issue for me that I normally change in Local Security Policy, or on the domain-joined machines I handle it with GPO.
>
> Is there any known issue with the WPAD implementation in IE?

Only a very old bug about IE cropping one byte from the WPAD filename if the extension was 3 bytes. And old IE not understanding the IPv6 java extensions to PAC. Neither of those should be relevant.

> Is there any other helper I can use that could do kerberos auth and fall back to NTLM?

The negotiate_wrapper might help, but only if you are seeing complaints about unexpected token types in your cache.log.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
[squid-users] proxy-auth NTLM stop working
Hi,

I had a working setup with Ubuntu 10.04 LTS x64 with the following versions:

squid 3.0.STABLE19-1ubuntu0.1
samba 2:3.4.7~dfsg-1ubuntu3.5

We have an AD domain with around 50 clients using Windows 7 and joined in the domain. For these clients we use squid with kerberos and it's working fine with no issues.

We had a second auth method (NTLM basic, ntlmssp) for clients that were not joined in the domain. For these clients normally a pop-up auth appears in the browser, where the user should provide AD credentials in the following manner:

User: MYDOMAIN\user
Pass: password

Since last week NTLM seems to have stopped working, but from all the tests I run from the proxy shell it seems OK.

Here is what I already did to debug the issue:

root@proxy:/# net ads testjoin
Join is OK

root@proxy:/# wbinfo -t
checking the trust secret via RPC calls succeeded

root@proxy:/# wbinfo -a lsquintella%lsquintella
plaintext password authentication succeeded
challenge/response password authentication succeeded

wbinfo -u and wbinfo -g both work and list users and groups without the domain.

I'm using the ntlm binary from samba:

root@proxy:/# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
mydomain+lsquintella lsquintella
OK

I'm running out of ideas to solve this; am I missing something here?
Can someone please point me in the right direction.

Below are my config files:

/etc/samba/smb.conf

[global]
#log level = 5
netbios name = proxy
security = ads
realm = MYDOMAIN.LAN
workgroup = MYDOMAIN
; winbind separator = +
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = true
winbind use default domain = yes
restrict anonymous = 2

/etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/ksadmind.log

[libdefaults]
default_realm = MYDOMAIN.LAN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
fcc-mit-ticketflags = true
default_keytab_name = FILE:/etc/krb5.keytab

[realms]
MYDOMAIN.LAN = {
  kdc = dc1.mydomain.lan
  kdc = dc2.mydomain.lan
  admin_server = dc1.mydomain.lan
  default_domain = mydomain.lan
}

[domain_realm]
.mydomain.lan = MYDOMAIN.LAN
mydomain.lan = MYDOMAIN.LAN

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

/etc/squid3/squid.conf

visible_hostname proxy1.mydomain.lan
http_port 3128
hierarchy_stoplist cgi-bin ?
cache_mem 1024 MB
maximum_object_size 8096 KB
cache_dir aufs /var/spool/squid3 5 16 256
cache_access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log squid
cache_store_log none

#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
refresh_pattern -i (cgi-bin|\?) 0 0% 0
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320

auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s HTTP/ldapb...@mydomain.lan
auth_param negotiate children 20
auth_param negotiate keep_alive on

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Mydomain Log
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

external_acl_type FaGroup ttl=900 %LOGIN /usr/lib/squid3/squid_ldap_group -R -b dc=mydomain,dc=lan -D cn=ldapbind,cn=users,dc=mydomain,dc=lan -W /etc$

authenticate_ttl 1 hour
authenticate_cache_garbage_interval 1 hour

acl manager proto cache_object
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8443 # https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port