[squid-users] NTLM Authentication Failing

Ilias Clifton adilias3 at gmx.com
Tue Oct 20 03:36:29 UTC 2015


Sorry, re-post in plain-text..

Hi All,

I've been following the guide at this location for Active Directory integration
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
 
First, some versions for sanity..
Ubuntu : 14.04.3 LTS
Squid  : 3.3.8 (from ubuntu repositories)
Samba  : 4.1.6-Ubuntu
DC     : Windows Server 2012 R2
 
I am currently testing the authentication; negotiate kerberos and basic ldap are both working correctly. However ntlm is not, and I don't seem to be making any progress on debugging further.
 
Here is the relevant part of squid.conf
 
### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off
### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN
auth_param ntlm children 10
auth_param ntlm keep_alive off
### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=domain,DC=local" -D proxyuser at domain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 30 minutes
### ldap authorisation
external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=local" -D proxyuser at domain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))" -h dc1.domain.local
 

With kerberos and ldap working correctly, this seems to cover all my users, except for non-domain joined internet explorer, which unfortunately I still need to cater for.
For testing I have allowed the proxy user to login.
 
The following commands work successfully as proxy user
 
wbinfo -p
wbinfo -u
wbinfo -g
 
wbinfo -t does not run successfully as proxy user, but does run as root.
 
Testing ntlm_auth at the command line works correctly.
 
ntlm_auth --helper-protocol=squid-2.5-basic
DOMAIN\user password
OK

When a non-domain joined user with internet explorer attempts to use the proxy, they are continually prompted for credentials. In /var/log/cache.log, I see:
 
2015/10/20 12:33:19| negotiate_wrapper: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' from squid (length: 59).
2015/10/20 12:33:19| negotiate_wrapper: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' (decoded length: 40).
2015/10/20 12:33:19| negotiate_wrapper: received type 1 NTLM token
2015/10/20 12:33:19| negotiate_wrapper: Return 'TT TlRMTVNTUAACAAAAEAAQADgAAAAVgoninreK53QrtdEAAAAAAAAAADgAOABIAAAABgEAAAAAAA9JAE4AUwBFAEMAVQBSAEUAAgAQAEkATgBTAEUAQwBVAFIARQABAAoAUABSAE8AWABZAAQAAAADAAoAcAByAG8AeAB5AAAAAAA=
'
2015/10/20 12:33:19| negotiate_wrapper: Got 'KK TlRMTVNTUAADAAAAGAAYAHQAAADYANgAjAAAABAAEABYAAAACAAIAGgAAAAEAAQAcAAAABAAEABkAQAAFYKI4gYDgCUAAAAP4J12bZve1C56VHP1YUJ5N2kAbgBzAGUAYwB1AHIAZQBiAHIAYQBkAEkATwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAI1+mUr3xj8iMVIytXIZcbAQEAAAAAAADgQryt3wrRAStLKXVkL/kDAAAAAAIAEABJAE4AUwBFAEMAVQBSAEUAAQAKAFAAUgBPAFgAWQAEAAAAAwAKAHAAcgBvAHgAeQAIADAAMAAAAAAAAAABAAAAABAAALfe6ZoORXwOZjR0QdSusCHwlNUGYo79byijLZDZARCDCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEANwAyAC4AMgA4AC4AMgA5AC4AMQA0ADcAAAAAAAAAAACEC4x7NJBCdMLgU3gJ6QTq' from squid (length: 499).
2015/10/20 12:33:19| negotiate_wrapper: Decode 'TlRMTVNTUAADAAAAGAAYAHQAAADYANgAjAAAABAAEABYAAAACAAIAGgAAAAEAAQAcAAAABAAEABkAQAAFYKI4gYDgCUAAAAP4J12bZve1C56VHP1YUJ5N2kAbgBzAGUAYwB1AHIAZQBiAHIAYQBkAEkATwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAI1+mUr3xj8iMVIytXIZcbAQEAAAAAAADgQryt3wrRAStLKXVkL/kDAAAAAAIAEABJAE4AUwBFAEMAVQBSAEUAAQAKAFAAUgBPAFgAWQAEAAAAAwAKAHAAcgBvAHgAeQAIADAAMAAAAAAAAAABAAAAABAAALfe6ZoORXwOZjR0QdSusCHwlNUGYo79byijLZDZARCDCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEANwAyAC4AMgA4AC4AMgA5AC4AMQA0ADcAAAAAAAAAAACEC4x7NJBCdMLgU3gJ6QTq' (decoded length: 372).
2015/10/20 12:33:19| negotiate_wrapper: received type 3 NTLM token
2015/10/20 12:33:19| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL
'
2015/10/20 12:33:19| ERROR: Negotiate Authentication validating user. Error returned 'BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL'
 
Can anyone give me any pointers on what I am doing incorrectly?
 
Thank you.
 
Ilias
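The cache.log excerpt above records a complete NTLM exchange through the squid-2.5-ntlmssp helper protocol: YR carries the client's Type 1 (NEGOTIATE) token to the helper, TT is the Type 2 (CHALLENGE) the helper hands back, KK is the client's Type 3 (AUTHENTICATE), and the reply is AF (authenticated), NA (credentials rejected) or BH (broken helper, an internal error in which the credentials were never judged). The tokens are base64 NTLMSSP messages and can be decoded offline to see what each side actually said. The following is an added example, not code from the post, from Squid or from Samba; the field offsets follow MS-NLMP, the four log lines are copied from the post, and the `decode_log` helper is an assumed name.

```python
"""Decode the NTLMSSP tokens that negotiate_wrapper/ntlm_auth log to cache.log.

Added example; not code from the post, Squid or Samba.  LOG_EXCERPT holds the
YR/TT/KK/BH lines copied from the post.  Helper codes follow Squid's
squid-2.5-ntlmssp helper protocol; message layouts follow MS-NLMP 2.2.1.
"""
import base64
import re
import struct

HELPER_CODES = {
    "YR": "client Type 1 (NEGOTIATE) handed to the helper",
    "TT": "helper Type 2 (CHALLENGE) returned to the client",
    "KK": "client Type 3 (AUTHENTICATE) handed to the helper",
    "AF": "authenticated",
    "NA": "not authenticated (credentials rejected)",
    "BH": "broken helper: internal error, credentials never judged",
}
# Subset of NTLMSSP negotiate flags (MS-NLMP 2.2.2.5), bit -> name.
FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000080: "LM_KEY",
    0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN", 0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x00800000: "TARGET_INFO",
    0x02000000: "VERSION", 0x20000000: "128", 0x40000000: "KEY_EXCH",
    0x80000000: "56",
}
# AV_PAIR ids found in the Type 2 TargetInfo block (MS-NLMP 2.2.2.1).
AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
          4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp"}
TOKEN_RE = re.compile(r"'(YR|TT|KK|AF|NA|BH) ([^' ]*)")

# Copied from the post's cache.log excerpt (the TT line is unterminated there too).
LOG_EXCERPT = [
    "2015/10/20 12:33:19| negotiate_wrapper: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' from squid (length: 59).",
    "2015/10/20 12:33:19| negotiate_wrapper: Return 'TT TlRMTVNTUAACAAAAEAAQADgAAAAVgoninreK53QrtdEAAAAAAAAAADgAOABIAAAABgEAAAAAAA9JAE4AUwBFAEMAVQBSAEUAAgAQAEkATgBTAEUAQwBVAFIARQABAAoAUABSAE8AWABZAAQAAAADAAoAcAByAG8AeAB5AAAAAAA=",
    "2015/10/20 12:33:19| negotiate_wrapper: Got 'KK TlRMTVNTUAADAAAAGAAYAHQAAADYANgAjAAAABAAEABYAAAACAAIAGgAAAAEAAQAcAAAABAAEABkAQAAFYKI4gYDgCUAAAAP4J12bZve1C56VHP1YUJ5N2kAbgBzAGUAYwB1AHIAZQBiAHIAYQBkAEkATwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAI1+mUr3xj8iMVIytXIZcbAQEAAAAAAADgQryt3wrRAStLKXVkL/kDAAAAAAIAEABJAE4AUwBFAEMAVQBSAEUAAQAKAFAAUgBPAFgAWQAEAAAAAwAKAHAAcgBvAHgAeQAIADAAMAAAAAAAAAABAAAAABAAALfe6ZoORXwOZjR0QdSusCHwlNUGYo79byijLZDZARCDCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEANwAyAC4AMgA4AC4AMgA5AC4AMQA0ADcAAAAAAAAAAACEC4x7NJBCdMLgU3gJ6QTq' from squid (length: 499).",
    "2015/10/20 12:33:19| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL",
]


def _field(buf, off):
    """Read a (Len, MaxLen, Offset) security buffer and return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]


def _version(buf, off):
    """Render the 8-byte VERSION structure as 'major.minor build N'."""
    major, minor, build = struct.unpack_from("<BBH", buf, off)
    return f"{major}.{minor} build {build}"


def _flag_names(flags):
    return sorted(name for bit, name in FLAGS.items() if flags & bit)


def parse_ntlm(token_b64):
    """Decode one base64 NTLMSSP token into a dict of its human-readable fields."""
    buf = base64.b64decode(token_b64)
    if buf[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    out = {"type": msg_type}
    if msg_type == 1:                      # NEGOTIATE: flags at 12, version at 32
        out["flags"] = _flag_names(struct.unpack_from("<I", buf, 12)[0])
        if len(buf) >= 40:
            out["version"] = _version(buf, 32)
    elif msg_type == 2:                    # CHALLENGE: target name, challenge, AV pairs
        out["target_name"] = _field(buf, 12).decode("utf-16-le")
        out["flags"] = _flag_names(struct.unpack_from("<I", buf, 20)[0])
        out["challenge"] = buf[24:32].hex()
        out["version"] = _version(buf, 48)
        info, pairs, pos = _field(buf, 40), {}, 0
        while True:
            av_id, av_len = struct.unpack_from("<HH", info, pos)
            if av_id == 0:                 # MsvAvEOL terminates the list
                break
            value = info[pos + 4:pos + 4 + av_len]
            name = AV_IDS.get(av_id, f"AvId{av_id}")
            pairs[name] = value.hex() if av_id == 7 else value.decode("utf-16-le")
            pos += 4 + av_len
        out["target_info"] = pairs
    elif msg_type == 3:                    # AUTHENTICATE: who is answering, and how
        out["domain"] = _field(buf, 28).decode("utf-16-le")
        out["user"] = _field(buf, 36).decode("utf-16-le")
        out["workstation"] = _field(buf, 44).decode("utf-16-le")
        # An NTLMv1 NT response is exactly 24 bytes; NTLMv2 is 16 + a blob.
        out["nt_response"] = "NTLMv2" if len(_field(buf, 20)) > 24 else "NTLMv1"
        out["version"] = _version(buf, 64)
    return out


def decode_log(lines):
    """Walk cache.log lines and decode every helper-protocol step they contain."""
    steps = []
    for line in lines:
        m = TOKEN_RE.search(line)
        if not m:
            continue                       # 'Decode ...' lines carry no helper code
        code, payload = m.groups()
        detail = parse_ntlm(payload) if code in ("YR", "TT", "KK") else payload
        steps.append({"code": code, "meaning": HELPER_CODES[code], "detail": detail})
    return steps


if __name__ == "__main__":
    for step in decode_log(LOG_EXCERPT):
        print(step["code"], step["meaning"])
        print("   ", step["detail"])
```

Run against the excerpt, the decoder shows the Type 1 and Type 3 tokens carrying version 6.3 build 9600 (a Windows 8.1 / Server 2012 R2 era client), the helper's challenge naming the NetBIOS domain INSECURE and computer PROXY with an empty DnsDomainName AV pair, and an NTLMv2 response for a user in domain "insecure" from workstation "IO". The final BH is the part worth reading carefully when debugging: in the Squid helper protocol it means the helper itself failed, not that the password was wrong, so the place to look is the helper and winbind side (the post's wbinfo -t behaviour for the proxy user is the kind of thing that distinguishes the two), not the client's credentials.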