[squid-users] Strange NTLM problem.

Amos Jeffries squid3 at treenet.co.nz
Tue Jun 28 13:45:56 UTC 2016


On 28/06/2016 6:14 p.m., drcimino drcimino wrote:
> Dear all,
> 
> I have a strange problem with my squid 3.5.19 and NTLM authentication.
> 
> On my configuration I have 2 auth methods:
> 
> NTLM negotiated with ntlm_auth from samba 3
> 
> auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 200 startup=100 idle=10 concurrency=0
> auth_param ntlm keep_alive on
> 
> and as a fallback basic ntlm
> 

Just to be clear. There is no such thing as "basic ntlm".

What you have configured is Basic authentication (user:password in the
clear over the network).
It just happens that the Samba helper is called "ntlm_auth". That name
does not make it NTLM protocol in any way.

> 
> auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 25 startup=15 idle=5 concurrency=0
> auth_param basic realm PROXY AUTHORIZATION REQUIRED
> auth_param basic credentialsttl 30 minutes
> 
> TTL
> 
> authenticate_cache_garbage_interval 1 hours
> authenticate_ttl 30 minutes
> authenticate_ip_ttl 30 minutes
> 
> Group identification with LDAPS
> 
> external_acl_type NAV children-max=200 children-startup=100 children-idle=10 ttl=1800 %LOGIN /usr/local/squid/libexec/ext_ldap_group_acl -s sub -b "dc=domain,dc=xxx" -D "cn=squid,cn=Users,dc=domain,dc=xxx" -w "password" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=INTERNET,ou=AAA,dc=domain,dc=xxx))" -S -K -H ldaps://domain.xxx:3269
> 
> ... and all works very well.
> 
> Sometimes and randomly, my users report to me that squid cannot do NTLM
> transparent authentication and requests a user/password pair (falling back
> to ntlm basic).

No. It is falling back *past* the Basic authentication to user input.


> Entering the right credentials does not work, and to proceed further users
> need to click the "abort" button many times.
> 

One popup for each connection which the browser has opened and not been
able to authenticate.

NTLM is both slow and has a limited number of connections that it can
make to AD simultaneously for authentication. All those popups for one
user, multiplied by the number of users currently doing authentication
across the whole time period that NTLM handshakes take up, and it's easy
to get very large numbers of concurrent authentication actions.
And when the system gets bogged down, users start to feel the impact
either in longer latency or outright ejected logins.


> 
> On my cache.log I see:
> 
> Login for user [DOMAIN]\[userx]@[PC_XXX] failed due to [Access denied]
> NTLMSSP BH: NT_STATUS_ACCESS_DENIED
> 2016/06/27 22:59:06 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_ACCESS_DENIED; }}

Means the credentials were not correct like you said. It can be tricky
since the browser does not give much in the way of hints about which
auth protocol the popup details will be used in. You could need to enter
the Basic user + password, or Basic DOMAIN\user + password, or NTLM user
+ password, or NTLM DOMAIN\user + password, or NTLM MACHINE\user + password.
About the only thing that you can use to provide any hints which one is
needed is the "realm" string Squid provides for each auth type.

> 
> every time a user receives a credential request.
> 
> After aborting each request squid does, users can surf the internet without
> problems and I cannot replicate the issue.
> 
> Trying to close the browser, clear the cache, and go to the same site does
> not produce the same error.
> 
> Stopping squid, removing the cache, and starting squid does not produce the
> same error.
> 
> It's totally random and I'm going mad trying to understand why.
> 
> Can someone help me to debug and understand the problem?
> 

You will likely need to enable debugging on the helper to see what it
has to say about the rejection.


Bruno already mentioned Kerberos. I second that. Kerberos can be a bit
of a learning curve, but is worth it for the extra speed and security
gained.

Amos
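An added example, not part of Amos's reply or of the original poster's configuration, showing how the three pieces of advice above fit together in one squid.conf fragment: Kerberos (Negotiate) offered first, NTLM second, Basic last with a realm string that tells the user which username form to type, plus the debug settings for catching the next rejection in cache.log. The negotiate helper path, the service principal HTTP/proxy.domain.xxx, the child counts and the realm wording are assumptions; everything else follows the thread. Squid offers the schemes to the browser in the order the auth_param lines appear.

```conf
# Added example, not the original poster's config. Paths and the
# proxy hostname are assumptions for a default /usr/local/squid build.

# 1. Kerberos (Negotiate) first. Domain members with a ticket use this
#    and never touch ntlm_auth. The principal must be in the keytab
#    (HTTP/proxy.domain.xxx is a hypothetical name).
auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -s HTTP/proxy.domain.xxx@DOMAIN.XXX
auth_param negotiate children 50 startup=10 idle=5
auth_param negotiate keep_alive on

# 2. NTLM second, exactly as in the original config.
#    For Samba-side detail on a rejection, append the standard Samba
#    debug level option (-d 5) to this command; ntlm_auth writes it to
#    stderr, which Squid forwards into cache.log.
auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 200 startup=100 idle=10 concurrency=0
auth_param ntlm keep_alive on

# 3. Basic last. The realm is the only text the browser popup shows, so
#    use it to say which username form the helper expects.
auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 25 startup=15 idle=5 concurrency=0
auth_param basic realm Proxy fallback login: enter your Windows DOMAIN and username
auth_param basic credentialsttl 30 minutes

# Squid-side debugging for the next occurrence: section 29 is the
# authentication code, section 84 the helper I/O. Level 9 logs every
# helper exchange; turn it back to ALL,1 once a failure is captured.
debug_options ALL,1 29,9 84,9
```

With this in place a rejected NTLM handshake leaves both the Samba reason (from ntlm_auth's stderr) and the Squid helper exchange next to each other in cache.log, so the two can be matched by timestamp instead of guessing which popup belonged to which connection.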


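Amos's explanation of the popups (one per browser connection that failed its handshake, multiplied by concurrent users) suggests a quick check that can be run on cache.log before enabling heavier debugging: pair each Samba "Login for user ... failed" line with the Squid ERROR line that follows it, then count how many rejections each user/machine pair racked up inside a short window. Bursts of several BH results per user within a few seconds match the per-connection popup storm described above; isolated single rejections spread across the day point elsewhere. The script below is an added example, not code from the thread or from the Squid or Samba projects; the log excerpt embedded in it is constructed to match the shape of the lines the poster quoted, with made-up users, hosts and times.

```python
"""Group NTLM helper rejections in a Squid cache.log into per-user bursts.

Added example for the thread above; not Squid or Samba project code.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample in the shape of the cache.log lines quoted in the
# thread. Users, hosts and timestamps are invented for illustration.
SAMPLE_LOG = r"""
Login for user [DOMAIN]\[userx]@[PC_001] failed due to [Access denied]
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2016/06/27 22:59:06 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_ACCESS_DENIED; }}
Login for user [DOMAIN]\[userx]@[PC_001] failed due to [Access denied]
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2016/06/27 22:59:06 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_ACCESS_DENIED; }}
Login for user [DOMAIN]\[userx]@[PC_001] failed due to [Access denied]
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2016/06/27 22:59:07 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_ACCESS_DENIED; }}
Login for user [DOMAIN]\[userx]@[PC_001] failed due to [Access denied]
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2016/06/27 22:59:08 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_ACCESS_DENIED; }}
Login for user [DOMAIN]\[usery]@[PC_002] failed due to [Access denied]
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2016/06/27 23:10:00 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_ACCESS_DENIED; }}
"""

# Samba's ntlm_auth writes this to stderr, which Squid copies into cache.log
# without a timestamp; the Squid ERROR line that follows carries the time.
SAMBA_RE = re.compile(
    r"Login for user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<host>[^\]]*)\]"
    r" failed due to \[(?P<reason>[^\]]*)\]"
)
SQUID_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| ERROR: NTLM Authentication"
    r" validating user\. Result: \{result=(?P<result>\w+), notes=\{message: (?P<msg>[^;]*);"
)


class Event(NamedTuple):
    ts: datetime
    result: str          # helper result code Squid logged, e.g. BH
    message: str         # NT_STATUS text from the helper
    domain: Optional[str]
    user: Optional[str]
    host: Optional[str]  # workstation name from the NTLM type 3 message


def parse_events(log_text: str) -> List[Event]:
    """Pair each Samba rejection line with the Squid ERROR line after it."""
    events: List[Event] = []
    pending = None  # most recent Samba line not yet matched to a Squid line
    for line in log_text.splitlines():
        m = SAMBA_RE.search(line)
        if m:
            pending = m
            continue
        m = SQUID_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            events.append(Event(
                ts, m.group("result"), m.group("msg"),
                pending.group("domain") if pending else None,
                pending.group("user") if pending else None,
                pending.group("host") if pending else None,
            ))
            pending = None
    return events


def bursts(events: List[Event],
           window: timedelta = timedelta(seconds=10)) -> Dict[Tuple, int]:
    """Largest number of rejections per (domain, user, host) inside `window`."""
    stamps_by_key: Dict[Tuple, List[datetime]] = defaultdict(list)
    for e in events:
        stamps_by_key[(e.domain, e.user, e.host)].append(e.ts)
    worst: Dict[Tuple, int] = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):      # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        worst[key] = best
    return worst


def summarize(events: List[Event]) -> Counter:
    """Count rejections by (result code, NT_STATUS message)."""
    return Counter((e.result, e.message) for e in events)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, n in sorted(bursts(evs).items(), key=lambda kv: -kv[1]):
        print(f"{key[0]}\\{key[1]} from {key[2]}: worst burst {n} rejections in 10s")
    for (result, msg), n in summarize(evs).items():
        print(f"{result} {msg}: {n}")
```

On a real cache.log, feed the file's text to `parse_events` instead of `SAMPLE_LOG`; a burst count close to the number of connections a browser opens to the proxy (typically six or more) for the same user and workstation is the signature of the popup storm, and the timestamp gives the moment to look for in the helper debug output.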
