[squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3

L.P.H. van Belle belle at bazuin.nl
Tue Aug 18 06:28:25 UTC 2015


Does nobody have any hint where the NTLM auth is going wrong, or what I can do to fix this?
 

From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of L.P.H. van Belle
Sent: Monday 17 August 2015 17:06
To: squid-users at lists.squid-cache.org
Subject: [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3



Hi all,

I have a Debian Jessie setup with Squid 3.4, all Debian packages.
I'm using Samba 4 AD as domain controllers for my Kerberos authentication.
 
I have a setup as described here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory 
 
I have my Kerberos auth working, so I don't type any password on a "domain joined computer" when I want to use the internet.
I have my LDAP auth working for my "non-Windows, non-domain-joined" devices.

Now I need to give users on a non-domain-joined Windows PC access to the internet.
 
I'm getting (with Markus' negotiate_wrapper 1.0.1):
2015/08/17 16:31:51 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }
2015/08/17 16:32:03| negotiate_wrapper: Got 'YR TlR....   =' from squid (length: 59). 
2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR... =' (decoded length: 40).
2015/08/17 16:32:03| negotiate_wrapper: received type 1 NTLM token
2015/08/17 16:32:03| negotiate_wrapper: Return 'TT TlR......  AA= * 
2015/08/17 16:32:03| negotiate_wrapper: Got 'KK TlR....  8=' from squid (length: 711).
2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR.....8=' (decoded length: 530).
2015/08/17 16:32:03| negotiate_wrapper: received type 3 NTLM token
2015/08/17 16:32:03| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL
2015/08/17 16:32:03 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }} 
 
 
 
I know the following (and correct me if I'm thinking wrong here):
## 1) Pure Kerberos. Passthrough auth for Windows users with Windows DOMAIN JOINED PCs.
##    Fallback to LDAP for NON WINDOWS NON DOMAIN JOINED devices.
##    NO NTLM. AKA, a Windows PC NOT JOINED in the domain will end up in an endless user popup for auth,
##    which will always fail because of NTLM TYPE 1 and TYPE 2 authorisations.
## 2) NEGOTIATE AUTH, which will do all of the above, but also authenticates Windows PCs not domain joined.

But I receive a type 3 NTLM token...
 
 
These are the configs I have tested, and these 2 work.
For Kerberos auth:
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/hostname.fqdn@REALM
 
For basic auth:
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
    -b "dc=internal,dc=domain,dc=tld" \
    -D ldap-bind@internal.domain.tld -W /etc/squid3/private/ldap-bind \
    -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
    -h addc.internal.domain.tld

These don't work:
 
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
    --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
    --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
or 
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
    --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
    --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

Here I tried the wrapper supplied with Squid: /usr/lib/squid3/negotiate_wrapper_auth
and I have also tried Markus' negotiate_wrapper, as wiki.squid-cache.org also says here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory (Install negotiate_wrapper)
 
The Kerberos part works, but not the NTLM part.
 
When I try with only:
 
### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
auth_param ntlm children 10
auth_param ntlm keep_alive off
 
I'm also unable to authenticate on the proxy.
 
All winbind tests work.
 
I googled a lot, but I didn't find any solutions, so I'm hoping someone here knows more.
 
So, does anyone have any hint where to look? I can't figure this out.
 
 
Greetz, 
 
Louis
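As an added example (not part of Louis' post, and not code from Squid, Samba or negotiate_wrapper), here is a small Python decoder for the squid-2.5-ntlmssp helper-protocol lines quoted in the log above. It splits the YR/TT/KK prefix from the base64 token and reads the NTLMSSP message type and negotiate flags; for a type 3 (AUTHENTICATE) token it also shows the domain, user and workstation the client sent and whether the response is NTLMv1 or NTLMv2 (a 24-byte NtChallengeResponse is v1, anything longer is v2). The tokens it parses are constructed inside the script: the domain EXAMPLE, user alice and workstation WORKSTATION1 are made-up values, and the response field is a placeholder, not a computed NTLM response.

```python
"""Decode squid-2.5-ntlmssp helper-protocol lines ("YR <b64>" from the client,
"TT <b64>" challenge returned by the helper, "KK <b64>" the client's answer)
and show what is inside each NTLMSSP token. All sample data is constructed."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Subset of MS-NLMP NegotiateFlags, used only to label the decoded flags word.
FLAG_NAMES = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN", 0x00080000: "EXTENDED_SESSIONSECURITY",
    0x00800000: "TARGET_INFO", 0x02000000: "VERSION", 0x20000000: "128",
    0x40000000: "KEY_EXCH", 0x80000000: "56",
}


def flag_names(flags):
    return sorted(name for bit, name in FLAG_NAMES.items() if flags & bit)


def parse_helper_line(line):
    """Split a "YR <base64>" style helper-protocol line into (command, token bytes)."""
    cmd, _, payload = line.strip().partition(" ")
    if cmd not in ("YR", "KK", "TT", "AF", "NA", "BH"):
        raise ValueError("not a squid-2.5-ntlmssp helper line: %r" % line)
    return cmd, base64.b64decode(payload) if payload else b""


def _sec_buf(data, off):
    """Return the bytes referenced by the NTLMSSP security buffer at `off`."""
    length, _maxlen, offset = struct.unpack_from("<HHI", data, off)
    return data[offset:offset + length]


def decode_ntlmssp(token):
    """Describe an NTLMSSP NEGOTIATE (1), CHALLENGE (2) or AUTHENTICATE (3) message."""
    if len(token) < 12 or not token.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", token, 8)[0]
    info = {"type": msg_type}
    if msg_type == 1:
        flags = struct.unpack_from("<I", token, 12)[0]
    elif msg_type == 2:
        flags = struct.unpack_from("<I", token, 20)[0]
        enc = "utf-16-le" if flags & 1 else "ascii"
        info["target"] = _sec_buf(token, 12).decode(enc)
        info["server_challenge"] = token[24:32].hex()
    elif msg_type == 3:
        flags = struct.unpack_from("<I", token, 60)[0]
        enc = "utf-16-le" if flags & 1 else "ascii"
        info["domain"] = _sec_buf(token, 28).decode(enc)
        info["user"] = _sec_buf(token, 36).decode(enc)
        info["workstation"] = _sec_buf(token, 44).decode(enc)
        # A 24-byte NtChallengeResponse is NTLMv1; NTLMv2 responses are longer.
        info["ntlm_version"] = 1 if len(_sec_buf(token, 20)) == 24 else 2
    else:
        return info
    info["flags"] = flag_names(flags)
    return info


def build_negotiate(flags):
    """Constructed NEGOTIATE_MESSAGE (type 1) with empty domain and workstation."""
    body = NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags)
    return body + struct.pack("<HHI", 0, 0, 32) * 2  # two empty security buffers


def build_authenticate(domain, user, workstation, nt_response, flags):
    """Constructed AUTHENTICATE_MESSAGE (type 3); nt_response is a placeholder."""
    enc = "utf-16-le" if flags & 1 else "ascii"
    # Order per MS-NLMP: LM response, NT response, domain, user, workstation, session key
    items = [b"", nt_response, domain.encode(enc), user.encode(enc),
             workstation.encode(enc), b""]
    table, payload, off = b"", b"", 8 + 4 + 6 * 8 + 4  # sig, type, 6 buffers, flags
    for item in items:
        table += struct.pack("<HHI", len(item), len(item), off)
        payload += item
        off += len(item)
    return NTLMSSP_SIGNATURE + struct.pack("<I", 3) + table + struct.pack("<I", flags) + payload


# UNICODE|OEM|REQUEST_TARGET|NTLM|ALWAYS_SIGN|EXTENDED_SESSIONSECURITY (constructed)
FLAGS = 0x00088207
SAMPLE_LINES = [  # constructed stand-ins for the YR/KK lines negotiate_wrapper logs
    "YR " + base64.b64encode(build_negotiate(FLAGS)).decode(),
    "KK " + base64.b64encode(build_authenticate(
        "EXAMPLE", "alice", "WORKSTATION1", b"\x11" * 100, FLAGS)).decode(),
]


def describe_exchange(lines):
    """Decode each helper-protocol line; returns a list of (command, info) pairs."""
    out = []
    for line in lines:
        cmd, token = parse_helper_line(line)
        out.append((cmd, decode_ntlmssp(token) if token else {}))
    return out


if __name__ == "__main__":
    for cmd, info in describe_exchange(SAMPLE_LINES):
        print(cmd, info)
```

To use it on a real log, paste the base64 from a "Got 'KK ...' from squid" line into parse_helper_line. The domain and user in the type 3 message are what ntlm_auth hands to winbind, so comparing them with the domain winbind is actually joined to is a cheap first check when the helper answers BH.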
 
 
 
 
 