[squid-users] Problems with NTLM authentication

Amos Jeffries squid3 at treenet.co.nz
Tue Nov 24 23:49:44 UTC 2015

On 25/11/2015 4:44 a.m., Brendan Kearney wrote:
> On 11/24/2015 10:08 AM, Verónica Ovando wrote:
>> My Squid Version:  Squid 3.4.8
>> OS Version:  Debian 8
>> I have installed Squid on a server using Debian 8 and seem to have the
>> basics operating, at least when I start the squid service, I have am
>> no longer getting any error messages.  At this time, the goal is to
>> authenticate users from Active Directory and log the user and the
>> websites they are accessing.

Please ensure you run "squid3 -k parse" to check if there is anything
minor still potentially being a problem. I doubt it will help with the
current issue, but you may find some things to make it work more smoothly.

>> I followed the official guide
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm. I
>> verified that samba is properly configured, as the guide suggest, with
>> the basic helper in this way:
>> # /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> domain\user pass
>> OK
>> Here is a part of my squid.conf where I defined my ACLs for the groups
>> in AD:
>> ========================================================================================================
>> auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.com
>> auth_param ntlm children 30

Try also using:
  auth_param ntlm keepalive off

>> auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm Servidor proxy-cache de mi Dominio
>> auth_param basic credentialsttl 2 hours
>> external_acl_type AD_Grupos ttl=10 children=10 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d
>> acl AD_Standard external AD_Grupos Standard
>> acl AD_Exceptuados external AD_Grupos Exceptuados
>> acl AD_Bloqueados external AD_Grupos Bloqueados
>> acl face url_regex -i "/etc/squid3/facebook"
>> acl gob url_regex -i "/etc/squid3/gubernamentales"
>> http_access allow AD_Standard
>> http_access allow AD_Exceptuados !face !gob
>> http_access deny AD_Bloqueados
>> ========================================================================================================
>> I tested using only the basic scheme (I commented the lines out for
>> NTLM auth) and every time I open the browser it asks me my user and
>> pass. And it works well because I can see in the access.log my
>> username and all the access policies defined are correctly applied.
>> But if I use NTLM auth, the browser still shows me the pop-up (it must
>> not be shown) and if I enter my user and pass it still asks me for them
>> until I cancel it.
>> My access.log, in that case, shows a TCP_DENIED/407 as expected.

It should show one with Basic, and two with NTLM. Always.

The popup and 407 are different things.

* The 407 means the client is behaving and not broadcasting credentials
everywhere. Also Squid is now informing it that they do need to be sent
on this connection, using the Basic or NTLM schema.

* The popup means the browser was unable to find credentials to answer
the 407 with. If some were sent earlier the proxy rejected them.

 ... that includes the proxy rejecting via "deny AD_Bloqueados". Users
in group Bloqueados may be prompted with a popup until they enter
somebody else's credentials, who is not in that group.
Add " all" to the right hand end of the "deny AD_Bloqueados" line to
prevent that.

>> What could be the problem? It suppose that both Kerberos and NTLM
>> protocols work together, I mean that can live together in the same
>> environment and Kerberos is used by default.

You have not configured your Squid to offer Kerberos. Therefore it is not
an option the client can choose, and not part of the equation.

If the client is new enough software with no NTLM support, e.g. most MS
software written since Vista / ~2008, then lack of Kerberos may be the
problem. In which case it should use the Basic.

If the client is pre-empting the initial 407, by sending Kerberos
credentials. Broken.

FYI: Basic authentication is ironically more secure than NTLM these
days. Even the "secure" NTLMv2 extensions can now be decrypted given a
few hours. At least with Basic the software handling it assumes
insecurity and does necessary paranoid things to protect the credentials
- most NTLM software does not.

>> How can I check that NTLM
>> is really working? Could it be a squid problem in the conf? Or maybe
>> AD is not allowing NTLM traffic?

NTLM does not work. It was designed broken. (sorry, joke. But not far
from the truth).

>> Sorry for my English. Thanks in advance.

> make sure Internet Explorer is set to use Integrated Windows
> Authentication (IWA).  Tools --> Internet Options --> Advanced -->
> Security --> Enable Integrated Windows Authentication.

And be aware that sometimes random software on the machine will do
automated HTTP requests to the proxy using the machine's own AD account
credentials. Not a "user" account.

Also use a line that does authentication explicitly before checking the
group access. NTLM badly violates HTTP requirements and some of the
older Squid bugs can result in problems when external ACL %LOGIN is the
trigger behind authentication happening.

What I mean is using:

 acl login proxy_auth REQUIRED
 http_access deny !login

 http_access allow AD_Standard
 http_access allow AD_Exceptuados !face !gob
 http_access deny AD_Bloqueados all

Even if it is not strictly necessary, it will clarify exactly what point
authentication happens and eliminates those bug side effects from being
a worry.

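A small Python model, added here and not taken from the thread or from Squid itself, of how Squid walks http_access lines; it shows why the "deny AD_Bloqueados" line without " all" keeps re-challenging a Bloqueados user while the amended rules return a plain 403. It assumes Squid's documented rule that a deny line whose last term is an authentication ACL yields a 407 challenge, and uses constructed users and group memberships in place of AD and the wbinfo helper.

```python
import re

# Constructed stand-ins for AD group membership (ext_wbinfo_group_acl) and for
# the /etc/squid3/facebook and /etc/squid3/gubernamentales pattern files.
GROUPS = {"alice": {"Standard"}, "bob": {"Bloqueados"}, "carol": {"Exceptuados"}}
URL_LISTS = {"face": [r"facebook\.com"], "gob": [r"\.gob\."]}
# ACLs that need credentials: proxy_auth, or external_acl_type using %LOGIN.
AUTH_ACLS = {"login", "AD_Standard", "AD_Exceptuados", "AD_Bloqueados"}

class NeedAuth(Exception):
    """An auth ACL was reached but the request carried no credentials."""

def acl_matches(name, user, url):
    if name == "all":
        return True
    if name in URL_LISTS:
        return any(re.search(p, url, re.I) for p in URL_LISTS[name])
    if user is None:
        raise NeedAuth()          # Squid must send 407 before it can decide
    if name == "login":           # acl login proxy_auth REQUIRED
        return True
    return name[3:] in GROUPS.get(user, set())   # "AD_Standard" -> "Standard"

def http_access(rules, user, url):
    """rules: list of (action, [terms]); a leading '!' negates a term.
    Returns 200 (allow), 403 (deny) or 407 (challenge the client)."""
    last_action = None
    for action, terms in rules:
        last_action = action
        try:
            for term in terms:
                neg = term.startswith("!")
                if acl_matches(term.lstrip("!"), user, url) == neg:
                    break         # term failed: fall through to the next line
            else:
                # Whole line matched. A deny whose LAST term is an auth ACL is
                # treated by Squid as an auth failure and answered with a fresh
                # 407, so the browser popup returns; a trailing "all" makes it 403.
                if action == "deny" and terms[-1].lstrip("!") in AUTH_ACLS:
                    return 407
                return 200 if action == "allow" else 403
        except NeedAuth:
            return 407
    # No line matched: Squid applies the opposite of the last line's action.
    return 403 if last_action == "allow" else 200

# The http_access lines from the thread, before and after Amos's changes.
ORIGINAL = [("allow", ["AD_Standard"]), ("allow", ["AD_Exceptuados", "!face", "!gob"]),
            ("deny", ["AD_Bloqueados"])]
FIXED = [("deny", ["!login"])] + ORIGINAL[:2] + [("deny", ["AD_Bloqueados", "all"])]
```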