[squid-users] ntlm_auth defaulting to succeed

Noel Kelly nkelly at citrusnetworks.net
Sun Dec 6 20:54:59 UTC 2015


Thanks for this Francesco.  I have been experimenting with the various 
authenticators without much success.

I have compiled squid-3.5.11 from source and ntlm_fake_auth doesn't 
appear to work.  I have scoured the docs and the forums but I can't find 
anyone saying it doesn't work.

I have it set up like this in my squid.conf:

auth_param ntlm program /usr/local/squid/libexec/ntlm_fake_auth -d -v -S

but I just get denied access whilst sending ADS 2008R2 domain 
authentication via Firefox:

==> /usr/local/squid/var/logs/access.log <==
1449434911.652      0 192.168.5.35 TCP_DENIED/407 4473 GET 
http://www.bbc.co.uk/ - HIER_NONE/- text/html

==> /usr/local/squid/var/logs/cache.log <==
ntlm_fake_auth.cc(163): pid=30933 :Got 'YR' from Squid with data:
[0000]   4E 54 4C 4D 53 53 50 00   01 00 00 00 07 82 08 A2 NTLMSSP. ........
[0010]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 ........ ........
[0020]   06 01 B1 1D 00 00 00 0F   00 00 ........ ..
ntlm_fake_auth.cc(185): pid=30933 :sending 'TT' to squid with data:
[0000]   4E 54 4C 4D 53 53 50 00   02 00 00 00 09 00 09 00 NTLMSSP. ........
[0010]   AE AA AA AA 07 82 08 A2   E4 9D FA 04 45 14 D1 A5 ........ ....E...
[0020]   00 00 00 00 00 00 3A 00   57 4F 52 4B 47 52 4F 55 ........ WORKGROU
[0030]   50                                                  P

==> /usr/local/squid/var/logs/access.log <==
1449434911.660      0 192.168.5.35 TCP_DENIED/407 4640 GET 
http://www.bbc.co.uk/ - HIER_NONE/- text/html
1449434911.706      0 192.168.5.35 TCP_IMS_HIT/304 249 GET 
http://tex.uk.plc:8080/squid-internal-static/icons/SN.png - HIER_NONE/- 
image/png
1449434913.266      0 192.168.5.35 TCP_DENIED/407 4473 GET 
http://www.bbc.co.uk/ - HIER_NONE/- text/html

==> /usr/local/squid/var/logs/cache.log <==
ntlm_fake_auth.cc(163): pid=30933 :Got 'YR' from Squid with data:
[0000]   4E 54 4C 4D 53 53 50 00   01 00 00 00 07 82 08 A2 NTLMSSP. ........
[0010]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 ........ ........
[0020]   06 01 B1 1D 00 00 00 0F   00 00 ........ ..
ntlm_fake_auth.cc(185): pid=30933 :sending 'TT' to squid with data:
[0000]   4E 54 4C 4D 53 53 50 00   02 00 00 00 09 00 09 00 NTLMSSP. ........
[0010]   AE AA AA AA 07 82 08 A2   CE 7D A2 0A 08 8A 68 B2 ........ ......h.
[0020]   00 00 00 00 00 00 3A 00   57 4F 52 4B 47 52 4F 55 ........ WORKGROU
[0030]   50                                                  P

==> /usr/local/squid/var/logs/access.log <==
1449434913.272      0 192.168.5.35 TCP_DENIED/407 4640 GET 
http://www.bbc.co.uk/ - HIER_NONE/- text/html
1449434913.319      0 192.168.5.35 TCP_IMS_HIT/304 249 GET 
http://tex.uk.plc:8080/squid-internal-static/icons/SN.png - HIER_NONE/- 
image/png


I have tried ntlm_fake_auth.pl.in and ntlm_smb_lm_auth without success 
too.  We have used ntlm_auth for years but have issues with the process 
sometimes failing due to ADS password changes etc so hence the desire 
for a dummy/fake authentication.

Does anyone know if ntlm_fake_auth should work with squid v3.5.11 ?

Many thanks
Noel

On 03/12/15 05:19, Kinkie wrote:
> Hi,
>    you can check the ntlm_fake_auth helper; it'll blandly trust
> anything the user says.
>
> On Wed, Dec 2, 2015 at 10:10 PM, Noel Kelly<nkelly at citrusnetworks.net>  wrote:
>> Hello All
>>
>> We have been using Squid and ntlm_auth for many years with mainly success.
>> However we have always had a few annoyances like continual authentication
>> pop-ups if a user has changed their password and not restarted their session
>> or, as now, persistent popups which seem related to a browser update (Google
>> Chrome is the suspect currently).
>>
>> It occurred to me that thee days we don't use ntlm_auth to block Internet
>> access per se but rather to capture the username to manage access using ACLs
>> and the username.
>>
>> So I was wondering if anyone had any ideas for a Squid config where the
>> ntlm_auth helper always succeeded regardless of the password  so they user
>> gets waived through and Squid has the username needed to process the ACLs?
>>
>> Thanks
>> Noel
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>

-- 
=======================
Noel Kelly
Citrus Networks
m: 07939 528 478
t: 0207 100 2410
e:nkelly at citrusnetworks.net
=======================
Citrus Networks UK Ltd is registered
in England and Wales with company
number 3927941. Registered Office:
Gladstone House, 77-79 High St,
Egham, Surrey TW20 9HY.
VAT Reg. 748716690
=======================



More information about the squid-users mailing list