[squid-users] The issue NTLM_AUTH with --require-membership-of

L.P.H. van Belle belle at bazuin.nl
Thu Feb 21 10:14:11 UTC 2019


I think your problem has to do with NT1. 

I assume you already tried the setting in smb.conf:  
ntlm auth =  ntlmv1-permitted 
(which is the alias for yes) 


And which samba/ntlm_auth version is this? Standard CentOS? 
I must say I'm a noob in CentOS, so I'll show you what I know from Debian. 
And it might be better to switch to kerberos auth. 

I know there are problems with the groups in ntlm_auth and its detection.
If I recall right, a patch passed recently, so I'm waiting for that in the next Samba version. 

I use the following.

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/$(hostname -f)@MY_REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

With LDAP fallback:
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
    -b "ou=Office,dc=some,dc=domain,dc=tld" \
    -D ldap-bind@MY_REALM \
    -W /etc/squid/private/ldap-bind \
    -f sAMAccountName=%s \
    -H ldaps://dc1.FQDN \
    -H ldaps://dc2.FQDN

The ldap-bind account needs no pre-check on Kerberos auth, and password expiry disabled. 

The group part: I'm not using it myself, but as an example it should be something like this. 

Basically it's: 
Search for %LOGIN from this point: DC=office,DC=some,DC=domain,DC=tld, and get person-%a from group Proxygroups.

external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b DC=office,DC=some,DC=domain,DC=tld \
    -f (&(objectclass=person)(cn=%v)(groupMembership=cn=%a,ou=Proxygroups,DC=office,DC=some,DC=domain,DC=tld)) \
    -D ldap-bind@MY_REALM \
    -W /etc/squid/private/ldap-bind \
    -H ldaps://dc1.FQDN \
    -H ldaps://dc2.FQDN


external_acl_type AD_Group %LOGIN /usr/lib64/squid/squid_ldap_group -b DC=office,DC=some,DC=domain,DC=tld \
    -s sub \
    -R -v3 \
    -D ldap-bind@MY_REALM \
    -W /etc/squid/private/ldap-bind \
    -f "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%a,ou=Proxygroups,DC=office,DC=some,DC=domain,DC=tld))" \
    -H ldaps://dc1.FQDN \
    -H ldaps://dc2.FQDN

I hope this helps a bit. 

Greetz, 

Louis



> -----Original message-----
> From: squid-users 
> [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of 
> Amos Jeffries
> Sent: Thursday 21 February 2019 10:18
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] The issue NTLM_AUTH with 
> --require-membership-of
> 
> On 21/02/19 9:35 pm, WANG TOM wrote:
> > 
> > And I have tested run ntlm_auth directly, it looks successfully.
> > "ntlm_auth --require-membership-of='IBM\Domain Users'
> > --username=Administrators --password=123456
> > NT_STATUS_OK: The operation completed successfully. (0x0)"
> > 
> > I have no idea what I have missed or what mistake I made; could 
> > someone help.
> > 
> 
> Very likely that whitespace in the parameter string. Squid does not
> support double-quote encoding of most parameters.
> 
> That means the helper will be passed two different environment
> arguments.  One being "--require-membership-of='IBM\Domain".
> The second being "Users'"
> 
> IIRC you can probably %-encode that (as "IBM\Domain%20Users").
> 
> 
> If not that then you are going to have to debug what the 
> helper is doing.
> 
> 
> NP: This helper is provided by Samba, it is not part of Squid. So
> questions about its abilities and encodings supported are a 
> question for
> their help channels. Someone here _might_ know, but do not 
> count on that.
> 
> 
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 
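As an added example (not code from Louis's mail, from Squid or from Samba), here is a small Python harness that speaks the external ACL helper protocol the way Squid does with its default `quote=url` field quoting, so a `squid_ldap_group`-style command line can be checked by hand before it goes into squid.conf. The logins, group names and the stub helper are constructed; the stub stands in for the real helper so the script runs without a directory server, and the `helper_cmd` argument would normally be the real helper and its options.

```python
# Added example, not from the mailing-list post: drive a Squid external ACL
# helper by hand, feeding it "%LOGIN group" request lines as Squid would.
import subprocess
import sys
from urllib.parse import quote, unquote

def build_request(login, *groups):
    """One request line as Squid sends it with the default quote=url:
    fields separated by spaces, whitespace inside a field %-encoded, so a
    group such as 'Domain Users' reaches the helper as a single field."""
    fields = [login, *groups]
    return " ".join(quote(f, safe="") for f in fields) + "\n"

def parse_reply(line):
    """Parse a helper reply 'OK|ERR|BH [key=value ...]' into (status, dict)."""
    parts = line.strip().split()
    status, kv = parts[0], {}
    for item in parts[1:]:
        key, _, value = item.partition("=")
        kv[key] = unquote(value.strip('"'))
    return status, kv

def check_membership(helper_cmd, login, *groups):
    """Spawn the helper, send one request line, return the parsed reply."""
    proc = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    reply, _ = proc.communicate(build_request(login, *groups))
    return parse_reply(reply)

# Constructed stand-in for an LDAP group helper (hypothetical membership
# table): answers OK when the decoded login is in one of the decoded groups.
STUB_HELPER = [sys.executable, "-c", r'''
import sys
from urllib.parse import unquote
members = {"Domain Users": {"tom", "louis"}, "Proxy Admins": {"louis"}}
for line in sys.stdin:
    user, *groups = [unquote(f) for f in line.split()]
    ok = any(user in members.get(g, ()) for g in groups)
    print("OK" if ok else "ERR message=not%20a%20member", flush=True)
''']

if __name__ == "__main__":
    print(build_request("tom", "Domain Users").rstrip())   # tom Domain%20Users
    print(check_membership(STUB_HELPER, "tom", "Domain Users"))
    print(check_membership(STUB_HELPER, "tom", "Proxy Admins"))
```

To test a real helper, pass its command line (e.g. the `squid_ldap_group` invocation with the same `-b`, `-f`, `-D`, `-W` and `-H` options as in squid.conf) as `helper_cmd`; an `ERR` there, with an `OK` from a manual `ldapsearch`, points at the filter or the group argument rather than at Squid.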


