[squid-users] Squid/NTLM Auth

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 22 08:52:39 UTC 2015


On 22/10/2015 8:21 a.m., Keith White wrote:
> 
> I have squid running on Centos 7 and am trying to setup AD
> authentication. I have samba/winbindd installed and the system was added
> to the domain with authconfig. I have tested authentication with
> auth_ntlm and that works. I have also tested group membership with
> auth_ntlm and that works as well. When attempting to access squid with
> either IE or Firefox I am presented with the authentication dialog box.


If you have cache_effective_user or cache_effective_group directives in
your config file, remove them. They break the Winbind helpers group
permissions.


Were your successful tests made using the Squid low-privileged user
account?
 If no, then your test results are not relevant. Re-test as the Squid
user, which will need membership of the winbindd_priv group.

What Windows version are the IE and Firefox being run on?
If it is newer than Windows 2000, then you should be moving to
Negotiate/Kerberos authentication instead of NTLM.

Does the client machine have Windows Integrated Authentication enabled?
And is it on-domain?
 Off-domain machines have no chance of NTLM working. Disable their
integrated authentication settings.
Note that without the integrated auth Firefox has no access to NTLM
credentials and MSIE has a tendency to use the machine credentials
instead of the user's.



> Manually entering credentials does not work. What debugging can I enable
> to see what is going on? Squid is built with the following

<http://wiki.squid-cache.org/KnowledgeBase/DebugSections>

At least these:
  debug_options ALL,0 11,2 28,5 29,5


> 
> Squid Cache: Version 3.5.9-20150917-r13917
> Service Name: squid
> configure options:  '--prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/varsquid' '--sysconfdir=/etc/squid' '--enable-auth' '--enable-auth-ntlm' '--enable-external-acl-helpers' '--enable-auth-negotiate' '--enable-auth-basic' '--enable-auth-digest'
> 
> 
> relevant section from squid.conf
> 
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> auth_param ntlm keep_alive on
> auth_param basic program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours

You should list Basic as first choice since it is the more secure of
those two protocols.

Sounds like a joke, but it is true: NTLM is less secure these days than
Basic auth. Namely because clients that accept NTLM can be
auto-downgraded by attackers to using LanMan protocols that broadcast
the username and password just like Basic - BUT most network software
treats Basic auth as the insecure one and does a lot more to protect its
weak credentials.


> 
> acl AuthorizedUsers proxy_auth REQUIRED
> http_access allow localnet
> http_access allow AuthorizedUsers
> http_access allow localhost

The above implies that the authenticated users will be outside the LAN
(localnet). The 'L' in NTLM is "LAN" and old 1980-1990's style flat LAN
networks are where it was designed for use. It does *not* work properly
over Internet connections or even in many of today's complex LAN
environments.

You need Negotiate/Kerberos auth for Internet clients to even have half
a chance of authenticating securely. Then you also need to get the whole
on/off domain thing sorted out and working.


PS. you will probably need a few hundred helpers for NTLM. It is an
*extremely* inefficient protocol. I've not seen even a home network
operate with less than 50, usual minimum is 100.

Amos
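
The configuration points raised in the reply above can be checked mechanically; the following is an added example, not part of the original post and not Squid project code. The function name, finding codes, the 50-helper threshold (taken from the reply's closing remark) and the sample config (the thread's directives plus a constructed cache_effective_group line) are assumptions made for illustration.

```python
# Constructed sample: directives quoted in the thread, plus a
# cache_effective_group line added to exercise that check.
SAMPLE_CONF = """\
cache_effective_group squid
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers
"""

MIN_NTLM_CHILDREN = 50  # assumption: lowest helper count the reply mentions


def lint_squid_auth(conf_text, min_children=MIN_NTLM_CHILDREN):
    """Return sorted finding codes for the auth issues raised in the reply."""
    findings = set()
    schemes = []            # auth schemes in order of first auth_param line
    ntlm_children = None
    for raw in conf_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue        # blank line or comment
        directive = tokens[0].lower()
        if directive in ("cache_effective_user", "cache_effective_group"):
            findings.add("EFFECTIVE_ID_SET")      # breaks winbind helper perms
        elif directive == "auth_param" and len(tokens) >= 3:
            scheme, param = tokens[1].lower(), tokens[2].lower()
            if scheme not in schemes:
                schemes.append(scheme)
            if (scheme, param) == ("ntlm", "children") and len(tokens) > 3 \
                    and tokens[3].isdigit():
                ntlm_children = int(tokens[3])    # helper count as configured
    if "ntlm" in schemes:
        if "basic" in schemes and schemes.index("ntlm") < schemes.index("basic"):
            findings.add("NTLM_BEFORE_BASIC")     # NTLM is listed ahead of Basic
        if "negotiate" not in schemes:
            findings.add("NO_NEGOTIATE")          # no Negotiate/Kerberos scheme
        if ntlm_children is not None and ntlm_children < min_children:
            findings.add("NTLM_CHILDREN_LOW")
    return sorted(findings)


if __name__ == "__main__":
    for code in lint_squid_auth(SAMPLE_CONF):
        print(code)
```

Whether the helper actually works still has to be confirmed by running ntlm_auth as the Squid user with winbindd_priv membership, as the reply says; this check only reads the config text.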

