Re: [squid-users] proxy-auth NTLM stop working

2011-05-11 Thread Amos Jeffries

On 11/05/11 05:44, Ricardo Nuno wrote:

Hi,

I had a working setup with Ubuntu 10.04 LTS x64 with the following versions:

squid 3.0.STABLE19-1ubuntu0.1
samba 2:3.4.7~dfsg-1ubuntu3.5

We have an AD domain with around 50 clients using Windows 7 that are joined
to the domain.
For these clients we use squid with Kerberos and it's working fine
with no issues.

We had a second auth method (NTLM basic, ntlmssp) for clients that were
not joined to the domain.
For these clients an auth pop-up normally appears in the browser, in which
the user should then provide AD
credentials in the following manner:

User: MYDOMAIN\user
Pass: password

Since last week NTLM seems to have stopped working, but from all the tests I
ran from the proxy shell it seems OK.
Here is what I already did to debug the issue:

root@proxy:/# net ads testjoin
Join is OK

root@proxy:/# wbinfo -t
checking the trust secret via RPC calls succeeded

root@proxy:/# wbinfo -a lsquintella%lsquintella
plaintext password authentication succeeded
challenge/response password authentication succeeded

wbinfo -u and wbinfo -g both work and list users and groups without the domain.
I'm using the ntlm_auth binary from samba:

root@proxy:/# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
mydomain+lsquintella lsquintella
OK

I'm running out of ideas to solve this. Am I missing something here?


Okay, so the Basic auth protocol works. Now what about the other two? You 
have Negotiate configured as the first option and NTLM configured as second.
 It is *entirely* up to the browser which of the three options it picks 
to use.

 - IE is known only to pick the first it can use and not failover.
 - Recent windows OS will not respond to NTLM by default.

Or it could be a simpler failure in the helpers looking up the other 
protocols' tokens.



Can someone please point me to the right direction.



You can test the other protocols by cutting the HTTP header value 
received from the logs and pasting it to the helper. Squid just tacks a 
TT onto the beginning and passes the header line on unchanged to the 
helper, hoping for an AF (success) or BH (fail) result.




/etc/squid3/squid.conf

visible_hostname proxy1.mydomain.lan
http_port 3128

hierarchy_stoplist cgi-bin ?

cache_mem 1024 MB
maximum_object_size 8096 KB

cache_dir aufs /var/spool/squid3 5 16 256
cache_access_log  /var/log/squid3/access.log
cache_log  /var/log/squid3/cache.log squid
cache_store_log none

#Suggested default:
refresh_pattern ^ftp:                   1440    20%     10080
refresh_pattern ^gopher:                1440    0%      1440
refresh_pattern .                       0       20%     4320
refresh_pattern -i (cgi-bin|\?)         0       0%      0
refresh_pattern -i \.index.(html|htm)$  0       40%     10080
refresh_pattern -i \.(html|htm|css|js)$ 1440    40%     40320

auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s HTTP/ldapb...@mydomain.lan
auth_param negotiate children 20
auth_param negotiate keep_alive on

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Mydomain Log
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

external_acl_type FaGroup ttl=900 %LOGIN /usr/lib/squid3/squid_ldap_group -R -b dc=mydomain,dc=lan -D cn=ldapbind,cn=users,dc=mydomain,dc=lan -W /etc$

authenticate_ttl 1 hour
authenticate_cache_garbage_interval 1 hour

acl manager proto cache_object
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8443 # https

acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

acl rede_interna src 192.168.20.0/24
acl rede_servidores src 192.168.10.0/24
acl h_trabalho_manha time MTWHF 09:00-13:00
acl h_trabalho_tarde time MTWHF 14:30-18:00
acl FullAccess external FaGroup InetFA

acl sites_internos_nocache dst 192.168.10.0/24
cache deny sites_internos_nocache

acl Publicidade url_regex /etc/squid3/list/publicidade.acl
acl BlockFiles urlpath_regex -i 

Re: [squid-users] proxy-auth NTLM stop working

2011-05-11 Thread Ricardo Nuno
 Okay, so the Basic auth protocol works. Now what about the other two? You have
 Negotiate configured as the first option and NTLM configured as second.
  It is *entirely* up to the browser which of the three options it picks to
 use.
  - IE is known only to pick the first it can use and not failover.
  - Recent windows OS will not respond to NTLM by default.

 Or it could be a simpler failure in the helpers looking up the other
 protocols' tokens.

Actually I narrowed the problem down; it's even weirder than I thought.
All machines joined to the domain have no issues with squid_kerb_auth.

We use WPAD on our network by DNS alias for Firefox and by DHCP for IE.

For the machines not joined to the domain using IE8 or IE7, to get the NTLM
helper to work I had to do the following:

In Internet Options-Connections- LAN settings:
* Remove the check from Automatically detect settings (which is
crucial for WPAD)
* Introduce proxy host and port manually

In Internet Options-Advanced-Settings:
* Remove the check from Enable Integrated Windows Authentication

Restart IE and it starts working again with no changes to the squid or samba config.

So some update changed the behaviour of IE in the last 2 months; I will
try to find out which one. Any clues?

The way Windows 7 handles NTLM was a known issue for me, which I
normally change in Local Security Policy,
or on the domain-joined machines I handle it with GPO.

Is there any known issue with the WPAD implementation in IE?
Is there any other helper I can use that could do Kerberos auth and
fall back to NTLM?


 http_access deny !FullAccess Publicidade

 FullAccess requires auth to be known in order to be used. These lines all
 contradict the http_access allow all NoAuthNeeded below.

Changed to: http_access allow NoAuthNeeded
I use this rule so as not to get the auth prompt on some sites.

-- 
Ricardo


Re: [squid-users] proxy-auth NTLM stop working

2011-05-11 Thread Amos Jeffries

On 12/05/11 02:34, Ricardo Nuno wrote:

Okay, so the Basic auth protocol works. Now what about the other two? You have
Negotiate configured as the first option and NTLM configured as second.
  It is *entirely* up to the browser which of the three options it picks to
use.
  - IE is known only to pick the first it can use and not failover.
  - Recent windows OS will not respond to NTLM by default.

Or it could be a simpler failure in the helpers looking up the other
protocols' tokens.


Actually I narrowed the problem down; it's even weirder than I thought.
All machines joined to the domain have no issues with squid_kerb_auth.

We use WPAD on our network by DNS alias for Firefox and by DHCP for IE.

For the machines not joined to the domain using IE8 or IE7, to get the NTLM
helper to work I had to do the following:

In Internet Options-Connections-  LAN settings:
* Remove the check from Automatically detect settings (which is
crucial for WPAD)
* Introduce proxy host and port manually

In Internet Options-Advanced-Settings:
* Remove the check from Enable Integrated Windows Authentication

Restart IE and it starts working again with no changes to the squid or samba config.


What you have done with Enable Integrated Windows Authentication is 
disable SSO from using the Windows box login token to also log in to the 
proxy. The token is tightly bound to the particular username and 
password spelling, domain name, and encryption hash algorithm.


This is reminding me of some earlier comments (just a few months ago) 
about Windows 7 silently moving Kerberos tickets to a new form of AES 
hash algorithm which some older OpenSSL versions do not support.




So some update changed the behaviour of IE in the last 2 months; I will
try to find out which one. Any clues?

The way Windows 7 handles NTLM was a known issue for me, which I
normally change in Local Security Policy,
or on the domain-joined machines I handle it with GPO.

Is there any known issue with the WPAD implementation in IE?


Only a very old bug about IE cropping one byte from the WPAD filename if 
the extension was 3 bytes. And old IE not understanding the IPv6 java 
extensions to PAC.

Neither of those should be relevant.


Is there any other helper I can use that could do Kerberos auth and
fall back to NTLM?



The negotiate_wrapper might help, but only if you are seeing complaints 
about unexpected token types in your cache.log.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
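
Added example, not part of the thread and not Squid's or Samba's code: before pasting a Proxy-Authorization value from the logs into a helper as Amos suggests, it helps to know what the browser actually put in that header. The script below base64-decodes the value and walks the GSS-API/SPNEGO DER far enough to say whether the token is SPNEGO (and which mechanisms it lists), a bare Kerberos AP-REQ, raw NTLMSSP carried inside a "Negotiate" header (what IE sends when the machine has no Kerberos ticket for the proxy, and the case a Kerberos-only helper such as squid_kerb_auth cannot consume, which is what the negotiate_wrapper remark is about), or plain NTLM. The OIDs are the standard ones; the sample header values are constructed minimal messages, not captures from the poster's network.

```python
"""Decode a Proxy-Authorization value and report which mechanism the browser chose.
Added example for this thread (not from the posts or Squid); sample tokens are constructed."""
import base64
import struct

# Bodies of DER OIDs (contents of the 0x06 TLV, without tag and length).
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {OID_KRB5: "krb5", OID_NTLMSSP: "ntlmssp"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def der(tag, content):  # one DER TLV; content lengths below 256 suffice for the samples
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content


def read_tlv(buf, pos):
    """Decode the DER TLV at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def ntlm_message_type(tok):
    """NTLMSSP type (1 negotiate, 2 challenge, 3 authenticate); 0 if truncated."""
    return struct.unpack_from("<I", tok, 8)[0] if len(tok) >= 12 else 0


def classify_negotiate_token(tok):
    """Return (kind, detail) for the decoded bytes of a Negotiate header."""
    if tok.startswith(NTLMSSP_SIGNATURE):
        # Raw NTLMSSP with no GSS/SPNEGO wrapper: what IE sends when it has no
        # Kerberos ticket for the proxy. A Kerberos-only helper cannot use it.
        return "ntlmssp-in-negotiate", ntlm_message_type(tok)
    if not tok or tok[0] != 0x60:
        return "unknown", None
    _, inner, _ = read_tlv(tok, 0)              # GSS-API InitialContextToken
    tag, oid, pos = read_tlv(inner, 0)          # thisMech OID
    if tag == 0x06 and oid == OID_KRB5:
        return "kerberos", None                 # bare Kerberos AP-REQ, no SPNEGO
    if tag != 0x06 or oid != OID_SPNEGO:
        return "unknown", None
    tag, negtoken, _ = read_tlv(inner, pos)     # [0] NegTokenInit or [1] NegTokenResp
    if tag != 0xA0:
        return "spnego-resp", None
    _, seq, _ = read_tlv(negtoken, 0)           # NegTokenInit SEQUENCE
    _, mechtypes, _ = read_tlv(seq, 0)          # [0] mechTypes
    _, mechlist, _ = read_tlv(mechtypes, 0)     # SEQUENCE OF OID, preferred first
    mechs, pos = [], 0
    while pos < len(mechlist):
        _, body, pos = read_tlv(mechlist, pos)
        mechs.append(OID_NAMES.get(body, body.hex()))
    return "spnego", mechs


def classify_proxy_authorization(value):
    """Classify a header value such as 'Negotiate YIIB...' or 'NTLM TlRMTVNT...'."""
    scheme, _, b64 = value.strip().partition(" ")
    tok = base64.b64decode(b64) if b64 else b""
    if scheme.lower() == "negotiate":
        kind, detail = classify_negotiate_token(tok)
    elif scheme.lower() == "ntlm" and tok.startswith(NTLMSSP_SIGNATURE):
        kind, detail = "ntlm", ntlm_message_type(tok)
    else:
        kind, detail = "other", scheme
    return {"scheme": scheme, "kind": kind, "detail": detail}


def kerberos_possible(result):
    """True when a Kerberos-only negotiate helper could complete this exchange."""
    return result["kind"] == "kerberos" or (result["kind"] == "spnego" and "krb5" in result["detail"])


def ntlm_type1():
    """Constructed 32-byte NTLMSSP NEGOTIATE: signature, type 1, flags, empty fields."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0xE2088297) + bytes(16)


def spnego_init(mech_oids):
    """Constructed NegTokenInit listing mech_oids in mechTypes, plus a dummy mechToken."""
    mechlist = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    body = der(0x30, der(0xA0, mechlist) + der(0xA2, der(0x04, bytes(4))))
    return der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, body))


SAMPLE_HEADERS = {  # constructed header values, as they would appear in a request
    "domain_joined": "Negotiate " + base64.b64encode(spnego_init([OID_KRB5, OID_NTLMSSP])).decode(),
    "not_joined_ie": "Negotiate " + base64.b64encode(ntlm_type1()).decode(),
    "ntlm_scheme": "NTLM " + base64.b64encode(ntlm_type1()).decode(),
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        result = classify_proxy_authorization(header)
        print(name, result, "kerberos_possible =", kerberos_possible(result))
```

Feed it the header value exactly as logged (scheme word plus base64). A "Negotiate" value that decodes to raw NTLMSSP, or to SPNEGO whose mechTypes list has no Kerberos OID, is a client that cannot do Kerberos against this proxy no matter how squid_kerb_auth is configured; that is the case to look for in cache.log before reaching for negotiate_wrapper.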