[squid-users] NTLM Authentication / Centos 7

Amos Jeffries squid3 at treenet.co.nz
Mon Aug 20 19:54:09 UTC 2018


On 21/08/18 4:15 AM, Jon Cuthbert wrote:
> On a new installation, I cannot get the ntlm_auth working correctly:
> Squid - v 3.5.20 
> 
> 2018/08/20 17:00:27| helperOpenServers: Starting 1/5 'ntlm_auth' processes
> 2018/08/20 17:00:27| WARNING: basicauthenticator #Hlpr243 exited
> 2018/08/20 17:00:27| Too few basicauthenticator processes are running
> (need 1/5)
> 2018/08/20 17:00:27| Starting new helpers
> 2018/08/20 17:00:27| helperOpenServers: Starting 1/5 'ntlm_auth' processes
> 2018/08/20 17:00:27| WARNING: basicauthenticator #Hlpr244 exited
> 2018/08/20 17:00:27| Too few basicauthenticator processes are running
> (need 1/5)
> 2018/08/20 17:00:27| Starting new helpers
> 2018/08/20 17:00:27| helperOpenServers: Starting 1/5 'ntlm_auth' processes
> 
> The ntlm_auth process respawns constantly, with the following error once
> the request & user authentication attempt is sent from the browser:
> 'helperOpenServers: Starting 1/10 'ntlm_auth' processes
> username must be specified!'
> 
> Above is with auth_param ntlm # commented out but the same happens if
> ntlm is first.
> 
> squid.conf file contains:
> 
> auth_param ntlm program /usr/bin/ntlm_auth
> -–helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param basic program /usr/bin/ntlm_auth
> -–helper-protocol=squid-2.5-basic
> auth_param basic children 5
> acl AuthorizedUsers proxy_auth REQUIRED

> http_access allow all AuthorizedUsers

This use of "all" does nothing but add confusion.

Also, what do the other lines in your config then say to do with the
NTLM type-1 requests (no credentials) and failed-login requests?

Note those are different types of message. "http_access allow" only
handles completed + successful logins.

This is why our recommended and example configs always have three parts
and a "deny" action associated to the login:


 # ... things which don't require login credentials
 http_access deny login
 # ... things which depend on credentials


> 
> The following ownerships are in place:
> root:wbpriv /var/lib/samba/winbindd_privileged/   
> root:wbpriv /var/run/samba/winbindd/pipe
> 
> wbinfo - works for both plaintext & challenge/response
> wbinfo -t works

Is the proxy user a member of that wbpriv group, AND are the old
cache_effective_* directives _absent_ from your squid.conf?


> 
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic 
> works correctly - (if a space is left after the c basic, otherwise it
> complains about username - I've tried squid.conf leaving a space as well)

That's odd.

> 
> /usr/bin/ntlm_auth -–helper-protocol=squid-2.5-ntlmssp
> gives BH SPNEGO request invalid prefix (assume related to Negotiate,
> but will investigate after basic authentication in case related).
> 
> I've looked at as many install instructions as possible, and this should
> be okay?


The "BH SPEGNO" indicates that the client/ Browser is *not* sending NTLM
authentication in the HTTP messages labled "Proxy-Authorization: NTLM ..."

Have you considered configuring Kerberos instead? All MS products since
WinXP should be defaulting to that more secure scheme.

Amos
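Added example, not code from this thread or from the Squid project: a small POSIX shell lint that checks a squid.conf for the points raised in the reply above (a leftover cache_effective_* directive, the redundant "all" in "http_access allow all <acl>", a proxy_auth ACL with no "http_access deny" line of its own), plus a group-membership check for the account squid runs as. The quoted auth_param lines contain a non-ASCII dash character, so the lint also flags non-ASCII bytes on auth_param lines. Both sample configs, the ACL names, the 192.0.2.0/24 range, the group name and the "squid" account are constructed for illustration; the login step in the "good" sample is written with the ACL negated (`deny !login`), which is this example's choice, not a quotation of the reply.

```shell
#!/bin/sh
# Added example (not from the squid-users thread). All paths, ACL names,
# the "squid" account, the wbpriv group and both sample configs below are
# constructed for illustration.

# Print one line per finding in the given squid.conf; always returns 0.
#   - cache_effective_user/group still present
#   - "http_access allow all <acl>" (the "all" term adds nothing)
#   - a proxy_auth ACL that no "http_access deny" line refers to
#   - a non-ASCII byte on an auth_param line (e.g. a Unicode dash for "--")
lint_squid_conf() {
    conf=$1
    if grep -Eq '^[[:space:]]*cache_effective_(user|group)' "$conf"; then
        echo "cache_effective_* directive present; remove it"
    fi
    if grep -Eq '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+all[[:space:]]+[^[:space:]]' "$conf"; then
        echo "'http_access allow all <acl>': the 'all' term adds nothing"
    fi
    for acl in $(awk '$1=="acl" && $3=="proxy_auth" {print $2}' "$conf"); do
        if ! grep -Eq "^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+(.*[[:space:]])?!?$acl([[:space:]]|$)" "$conf"; then
            echo "proxy_auth acl '$acl' has no http_access deny line"
        fi
    done
    # In the C locale every byte above 0x7E is neither printable nor space.
    if grep -E '^[[:space:]]*auth_param' "$conf" | LC_ALL=C grep -q '[^[:print:][:space:]]'; then
        echo "non-ASCII byte on an auth_param line (check for a Unicode dash)"
    fi
    return 0
}

# Number of findings, for scripting.
count_findings() {
    lint_squid_conf "$1" | wc -l | tr -d ' '
}

# Is account $1 a member of group $2?  e.g. user_in_group squid wbpriv
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Two constructed fragments: bad.conf mirrors the posted config, good.conf
# is laid out in the three-part shape the reply describes.
write_samples() {
    dir=$1
    {
        echo 'auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp'
        echo 'auth_param ntlm children 10'
        # a UTF-8 en dash (U+2013) where the second "-" of "--" belongs
        printf 'auth_param basic program /usr/bin/ntlm_auth -\342\200\223helper-protocol=squid-2.5-basic\n'
        echo 'auth_param basic children 5'
        echo 'acl AuthorizedUsers proxy_auth REQUIRED'
        echo 'http_access allow all AuthorizedUsers'
        echo 'cache_effective_user squid'
    } > "$dir/bad.conf"
    cat > "$dir/good.conf" <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
acl login proxy_auth REQUIRED
acl localnet src 192.0.2.0/24
# 1. things which don't require login credentials
http_access deny !localnet
# 2. the login step: this deny line is what handles requests that carry
#    no credentials or failed credentials
http_access deny !login
# 3. things which depend on credentials
http_access allow login
http_access deny all
EOF
}

# Stand-alone run: sh lint.sh demo
demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in bad good; do
        echo "== $f.conf"
        lint_squid_conf "$tmp/$f.conf"
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run against a real file with `lint_squid_conf /etc/squid/squid.conf` and `user_in_group squid wbpriv` after sourcing the script; the demo mode reports four findings for bad.conf and none for good.conf.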

