Hi Louis,

   When you have an offline PC, do you use DHCP to give it an IP? If so, can you 
also provide the PC with a WINS server via DHCP? If that is possible and you 
run WINS, you can authenticate the user with u...@domain.com when you get the 
authentication popup. The WINS server will point the PC to the AD server of the 
domain DOMAIN.COM (I assume you have given out some AD guest accounts to the 
non-domain PC).

Regards
Markus


"L.P.H. van Belle" <be...@bazuin.nl> wrote in message 
news:vmime.55d2d089.2ba7.1a22bdbf5ed74...@ms249-lin-003.rotterdam.bazuin.nl...
Does nobody have any hint where the NTLM auth is going wrong, or what I can do to fix 
this?




------------------------------------------------------------------------------
  From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
L.P.H. van Belle
  Sent: Monday 17 August 2015 17:06
  To: squid-users@lists.squid-cache.org
  Subject: [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) 
ERROR type NTLM type 3


  Hi all, 

  I have a Debian Jessie setup with squid 3.4, all Debian packages. 
  I'm using Samba 4 AD as domain controllers for my Kerberos authentication. 

  I have a setup as followed here: 
  
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory 

  I have my Kerberos auth working, so I don't type any password with a "domain 
joined computer" when I want to use the internet. 
  I have my LDAP auth working for my "non-Windows, non-domain-joined" devices. 

  Now I need to give users access to the internet from a non-domain-joined 
Windows PC. 

  I'm getting: (with Markus' negotiate_wrapper 1.0.1) 
  2015/08/17 16:31:51 kid1| ERROR: Negotiate Authentication validating user. 
Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * 
NT_STATUS_UNSUCCESSFUL; }
  2015/08/17 16:32:03| negotiate_wrapper: Got 'YR TlR....   =' from squid 
(length: 59). 
  2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR... =' (decoded length: 
40).
  2015/08/17 16:32:03| negotiate_wrapper: received type 1 NTLM token
  2015/08/17 16:32:03| negotiate_wrapper: Return 'TT TlR......  AA= * 
  2015/08/17 16:32:03| negotiate_wrapper: Got 'KK TlR....  8=' from squid 
(length: 711).
  2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR.....8=' (decoded length: 
530).
  2015/08/17 16:32:03| negotiate_wrapper: received type 3 NTLM token
  2015/08/17 16:32:03| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL * 
NT_STATUS_UNSUCCESSFUL
  2015/08/17 16:32:03 kid1| ERROR: Negotiate Authentication validating user. 
Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * 
NT_STATUS_UNSUCCESSFUL; }} 



  I know the following: (and correct me if I'm thinking wrong here.) 
  ## 1) Pure Kerberos. Passthrough auth for Windows users with Windows DOMAIN 
JOINED PCs.
  ##    Fallback to LDAP for NON WINDOWS NON DOMAIN JOINED devices.
  ##    NO NTLM. AKA, a Windows PC NOT JOINED in the domain will always end up 
in a user popup for auth.
  ##    Which will always fail because of NTLM TYPE 1 and TYPE 2 
authorisations.
  ## 2) NEGOTIATE AUTH, which will do all of the above, but also authenticates 
Windows PCs not domain joined.

  But I receive a type 3 NTLM token...  


  These are the configs I have tested, and these 2 work. 
  For Kerberos auth: 
  auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s \
      HTTP/hostname.fqdn@REALM

  For basic auth: 
  auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
      -b "dc=internal,dc=domain,dc=tld" \
      -D ldap-b...@internal.domain.tld -W /etc/squid3/private/ldap-bind \
      -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
      -h addc.internal.domain.tld  

  These don't work: 

  auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
      --ntlm /usr/bin/ntlm_auth --diagnostics \
      --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
      --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
  or 
  auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
      --ntlm /usr/bin/ntlm_auth --diagnostics \
      --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
      --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

  I tried the wrapper supplied with squid here: 
/usr/lib/squid3/negotiate_wrapper_auth  
  and I have tried the negotiate_wrapper of Markus, as wiki.squid-cache.org 
also says here: 
  
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory  
 (Install negotiate_wrapper)  

  The Kerberos part works, but not the NTLM part. 

  When I try with only: 

  ### pure ntlm authentication
  auth_param ntlm program /usr/bin/ntlm_auth --diagnostics \
      --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
  auth_param ntlm children 10
  auth_param ntlm keep_alive off

  I'm also unable to authenticate on the proxy. 

  All winbind tests work.  

  I googled a lot, but I didn't find any solutions, so I'm hoping someone here 
knows more. 

  So, anyone any hint where to look? I can't figure this out. 


  Greetz, 

  Louis







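The helper log above reports "received type 3 NTLM token" right before the helper returns BH. As an added example (not code from the thread, from Squid or from Samba), the script below decodes the "YR"/"KK" lines squid hands to a squid-2.5-ntlmssp helper, reports the NTLM message type and, for a type 3 AUTHENTICATE_MESSAGE, the domain, user and workstation the client put in it, so they can be compared with the --domain the helper was started with. Field offsets follow the MS-NLMP layout; the sample token it builds is constructed with empty challenge responses and is not a valid login.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # payload strings are UTF-16LE when set
FIXED_LEN_TYPE3 = 64            # AUTHENTICATE_MESSAGE header without Version/MIC

def parse_helper_line(line):
    """Decode one 'YR <b64>' / 'KK <b64>' line of the squid-2.5-ntlmssp helper
    protocol. Returns the NTLM message type and, for a type 3
    AUTHENTICATE_MESSAGE, the domain, user and workstation the client sent."""
    cmd, token_b64 = line.split(None, 1)
    raw = base64.b64decode(token_b64)
    if raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP token")
    info = {"cmd": cmd, "type": struct.unpack_from("<I", raw, 8)[0]}
    if info["type"] == 3:
        flags = struct.unpack_from("<I", raw, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
        for name, off in (("domain", 28), ("user", 36), ("workstation", 44)):
            length, _maxlen, start = struct.unpack_from("<HHI", raw, off)
            info[name] = raw[start:start + length].decode(enc)
    return info

def domain_matches(info, helper_domain):
    """Compare the domain carried in a type 3 token with the --domain value the
    helper was started with (NetBIOS names are case-insensitive)."""
    return info.get("domain", "").upper() == helper_domain.upper()

def build_type3(domain, user, workstation):
    """Constructed AUTHENTICATE_MESSAGE with empty challenge responses; enough
    to exercise the parser offline, not a valid login token."""
    fields = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    hdr = SIGNATURE + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", 0, 0, FIXED_LEN_TYPE3)  # LmChallengeResponse
    hdr += struct.pack("<HHI", 0, 0, FIXED_LEN_TYPE3)  # NtChallengeResponse
    off = FIXED_LEN_TYPE3
    for f in fields:                                   # Domain, User, Workstation
        hdr += struct.pack("<HHI", len(f), len(f), off)
        off += len(f)
    hdr += struct.pack("<HHI", 0, 0, off)              # EncryptedRandomSessionKey
    hdr += struct.pack("<I", NEGOTIATE_UNICODE)        # NegotiateFlags
    return hdr + b"".join(fields)

def helper_line(cmd, token):
    """Format a raw token the way squid hands it to the helper ('KK <base64>')."""
    return cmd + " " + base64.b64encode(token).decode("ascii")
```

Paste the base64 part of a real "Got 'KK ...' from squid" log line into parse_helper_line to see which domain and user the non-joined PC actually sent.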
--------------------------------------------------------------------------------
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users