[squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3

Amos Jeffries squid3 at treenet.co.nz
Tue Aug 18 06:39:04 UTC 2015

On 18/08/2015 3:06 a.m., L.P.H. van Belle wrote:
> Hai all, 
> I have a Debian Jessie setup with squid 3.4, all Debian packages.
> I'm using Samba 4 AD as domain controllers for my Kerberos authentication.
> I've a setup as followed here:
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
> I have my Kerberos auth working, so I don't type any password with a "domain joined computer" when I want to use the internet.
> I have my LDAP auth working, for my "non Windows, non domain joined" devices.
> Now, I need to give users access to the internet on a non domain joined Windows PC.
> I'm getting: (with Markus' negotiate_wrapper 1.0.1)
> 2015/08/17 16:31:51 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }
> 2015/08/17 16:32:03| negotiate_wrapper: Got 'YR TlR....   =' from squid (length: 59). 
> 2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR... =' (decoded length: 40).
> 2015/08/17 16:32:03| negotiate_wrapper: received type 1 NTLM token

Type 1 NTLM.

> 2015/08/17 16:32:03| negotiate_wrapper: Return 'TT TlR......  AA= * 
> 2015/08/17 16:32:03| negotiate_wrapper: Got 'KK TlR....  8=' from squid (length: 711).
> 2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR.....8=' (decoded length: 530).
> 2015/08/17 16:32:03| negotiate_wrapper: received type 3 NTLM token
> 2015/08/17 16:32:03| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL
> 2015/08/17 16:32:03 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }} 
> I know the following: (and correct me if I'm thinking wrong here.)
> ## 1) Pure Kerberos. Passthrough auth for Windows users with Windows DOMAIN JOINED PCs.
> ##    Fallback to LDAP for NON WINDOWS NON DOMAIN JOINED devices.
> ##    NO NTLM. AKA, a Windows PC NOT JOINED in the domain will always end up in a user popup for auth,
> ##    which will always fail because of NTLM TYPE 1 and TYPE 2 authorisations.
> ## 2) NEGOTIATE AUTH, which will do all of the above, but also authenticates Windows PCs not domain joined.

Regarding (1):

* "Pure kerberos" aka "Kerberos" auth scheme is not supported in Squid.
Only Negotiate/Kerberos. It was accepted by Squid-2 as an alias for
Negotiate, but Squid-3 operates differently and it was dropped for now.

* Rejecting NTLM (ie Negotiate/NTLM) is an artifact of the Squid
kerberos-only helper rejecting NTLM tokens. Nothing more.

You could reject the Negotiate/Kerberos tokens by configuring a
NTLM-only helper in the "auth_param negotiate program".

* off-domain machines only ever worked using Basic authentication or
similar protocols called LanMan which sent passwords inside NTLM or
Negotiate/NTLM tokens. But LanMan are so insecure they are no longer
 NP: if you have a client that will only authenticate with LanMan (SMB
LM) protocols you are better off security-wise not authenticating it at
all. At least that stops it broadcasting the user's password to the world.

Regarding (2):

* The machine still does need to be domain joined, at least recently
enough to have a valid Kerberos token. What can be avoided is being
connected "live" during the handshake itself.

 But that is a feature of the client software not related to Squid. So
some clients support it, most actually don't.

> But I receive a type 3 NTLM token...

You also received NTLM type 1 prior to it. I suspect a machine not
joined to the domain is trying to use NTLM, which requires being on the

There is no problem with this *unless* the client machine is refusing to
fall back to Negotiate/Kerberos or Basic auth after the failure.

There is no reason a popup should occur unless all forms of
Negotiate/Kerberos Negotiate/NTLM, NTLM, and Basic which are offered by
the proxy have failed.

> These are the configs I have tested and these 2 work.
> For Kerberos auth
> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/hostname.fqdn@REALM
> for basic auth
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
>     -b "dc=internal,dc=domain,dc=tld" \
>     -D ldap-bind@internal.domain.tld -W /etc/squid3/private/ldap-bind \
>     -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
>     -h addc.internal.domain.tld
> These don't work.

I assume that by the positioning of your "these" statements you meant
the above work, and the below don't.

> auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
>     --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
>     --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
> or 
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
>     --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
>     --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
> Tried here the supplied wrapper with squid: /usr/lib/squid3/negotiate_wrapper_auth
> and I have tried the negotiate_wrapper of Markus, as the wiki.squid-cache.org also says here:
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory (Install negotiate_wrapper)
> The Kerberos part works but not the NTLM.

One puzzling thing is why the Win7 client is trying to use NTLM in the first
place. NTLM is disabled by default in Vista and later due to its lack of

Try adding "auth_param negotiate keep_alive off" to close connections
when Negotiate/NTLM is used and force the client to retry with other
auth credentials on a clean connection.

> when i try with only: 
> ### pure ntlm authentication
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
> I'm also unable to authenticate on the proxy.

NTLM will only work with current MS software if the client is joined to
the domain, and if NTLM is explicitly re-enabled.

The 1970-80's LanMan protocols are no longer supported since 2006 (WinXP
SP3). The most secure of these can be decrypted in under 50 milliseconds
- ie "live".

Ironically that was exactly how Squid helpers used to work for
off-domain clients all through the 2000's. LanMan passwords being
decrypted in real-time allowed Basic auth APIs in AD to be used. Giving
the appearance that off-domain machines were authenticating securely,
when in fact they were just broadcasting their passwords about. Not a
good situation.

The old 1990's NTLM v1 and v2 are also on the way out since Vista. NTLM
v1 can be decrypted in a few seconds, v2 in a few minutes.

