[squid-users] Reply: The issue NTLM_AUTH with --require-membership-of

WANG TOM chinaid at msn.com
Fri Feb 22 06:32:35 UTC 2019


Hi All,

Thanks a lot!

The issue has been solved; I hope it's useful for other people who encounter the same situation as me.

--------------------------------------------

--require-membership-of="IBM\Domain Users" with quotation marks is not supported; they have to be removed, as in:
--require-membership-of=IBM\Domain_Users

But if the domain group name must have a space, use the SID instead of the domain group name:
--require-membership-of=S-1-5-21-1386769244-779028218-18449361

--------------------------------------------

debug:

To reduce unnecessary logs, it's good to set the debug level as
debug_options 29,9

To get the SID via winbind:
wbinfo -n "IBM\Domain Users"

To test ntlm_auth:
ntlm_auth --username=Administrator --require-membership-of="IBM\Domain_Users"
OR
ntlm_auth --username=Administrator --require-membership-of=IBM\\Domain_Users
OR
ntlm_auth --username=Administrator --require-membership-of="S-1-5-21-1386769244-779028218-18449361"
OR
ntlm_auth --username=Administrator --require-membership-of=S-1-5-21-1386769244-779028218-18449361

To join the computer as a domain member without modifying krb5.conf manually. 🙂
realm join --user=Administrators ibm.local -v

But Samba needs to be configured manually. 🙁

--------------------------------------------

Working for me on CentOS 7 + Squid 4.5 + Windows AD.

Best regards.
TOM.WANG
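The whitespace problem Tom ran into, as an added example that is not part of the original thread or of Squid or Samba: a small POSIX shell script that mimics Squid's whitespace splitting of the auth_param program line (Amos's point that quotes are not interpreted), classifies candidate --require-membership-of values the way Tom's findings suggest (SID or DOMAIN\name without spaces are safe, anything with whitespace is not), and writes a wrapper script for the case where the group name must keep its space. The group names, SID, paths and the wrapper's --helper-protocol=squid-2.5-ntlmssp flag are constructed assumptions for a plain auth_param ntlm setup; adapt them to your own configuration.

```shell
#!/bin/sh
# Added example, not from the thread. Mimics how Squid tokenises the
# "auth_param ... program" line (split on whitespace, quotes are not
# interpreted), classifies --require-membership-of values, and generates a
# wrapper script when the group name really must contain a space.
# Group names, SIDs and paths below are constructed placeholders.

# squid_split LINE: print how many whitespace-separated tokens Squid sees.
# Runs in a subshell with globbing off so a stray '*' cannot expand.
squid_split() {
    (
        set -f
        # shellcheck disable=SC2086
        set -- $1
        echo "$#"
    )
}

# group_arg_class VALUE: classify a candidate --require-membership-of value.
#   unsafe  -> contains whitespace: Squid would split it into two arguments;
#              use the SID (wbinfo -n "DOMAIN\Group") or a wrapper instead
#   sid     -> S-1-5-... form, safe to put directly in squid.conf
#   name    -> DOMAIN\name with no whitespace, also safe
group_arg_class() {
    value=$1
    if printf '%s' "$value" | grep -q '[[:space:]]'; then
        echo unsafe
    elif printf '%s' "$value" | grep -Eq '^S-1-[0-9]+(-[0-9]+)+$'; then
        echo sid
    elif printf '%s' "$value" | grep -q '\\'; then
        echo name
    else
        echo unknown
    fi
}

# write_wrapper PATH GROUP: generate a wrapper so that squid.conf only has to
# reference a path without spaces, e.g.
#   auth_param ntlm program /usr/local/bin/ntlm_auth_group
# The wrapper single-quotes the group itself, which the shell handles
# correctly. GROUP must not contain a single quote. The helper-protocol
# flag is an assumption for a plain "auth_param ntlm" setup.
write_wrapper() {
    wrapper=$1
    group=$2
    cat > "$wrapper" <<EOF
#!/bin/sh
# generated wrapper: keeps the space in the group name out of squid.conf
exec /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp \\
    --require-membership-of='$group' "\$@"
EOF
    chmod 0755 "$wrapper"
}

# Demo with constructed values
squid_split '--require-membership-of="IBM\Domain Users"'                        # 2
squid_split '--require-membership-of=S-1-5-21-1386769244-779028218-18449361'   # 1
group_arg_class 'IBM\Domain Users'                                             # unsafe
group_arg_class 'S-1-5-21-1386769244-779028218-18449361'                       # sid
```

The SID route is the simpler fix because a SID never contains whitespace and survives group renames; the wrapper route is useful when you need the human-readable name in one place for auditing, at the cost of one more file to keep in sync with the domain.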


________________________________
From: squid-users <squid-users-bounces at lists.squid-cache.org> on behalf of L.P.H. van Belle <belle at bazuin.nl>
Sent: 21 February 2019 10:14
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] The issue NTLM_AUTH with --require-membership-of

I think your problem has to do with NT1.

I assume you already tried the setting in smb.conf:
ntlm auth =  ntlmv1-permitted
(which is the alias for yes)


And which samba/ntlm_auth version is this? Standard CentOS?
I must say I'm a noob in CentOS, so I'll show you what I know from Debian.
And it might be better to switch to Kerberos auth.

I know there are problems with the groups in ntlm_auth and its detection.
If I recall right, a patch passed recently, so I'm waiting for that in the next Samba version.

I use the following.

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/$(hostname -f)@MY_REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

With LDAP fallback:
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
    -b "ou=Office,dc=some,dc=domain,dc=tld" \
    -D ldap-bind at MY_REALM \
    -W /etc/squid/private/ldap-bind \
    -f sAMAccountName=%s \
    -H ldaps://dc1.FQDN \
    -H ldaps://dc2.FQDN

The ldap-bind account needs no pre-check on Kerberos auth and password expiry disabled.

The group part: I'm not using it myself, but as an example it should be something like this.

Basically it's:
Search for %LOGIN from this point: DC=office,DC=some,DC=domain,DC=tld, and get person %a from group Proxygroups.

external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b DC=office,DC=some,DC=domain,DC=tld \
    -f (&(objectclass=person)(cn=%v)(groupMembership=cn=%a,ou=Proxygroups,DC=office,DC=some,DC=domain,DC=tld)) \
    -D ldap-bind at MY_REALM \
    -W /etc/squid/private/ldap-bind \
    -H ldaps://dc1.FQDN \
    -H ldaps://dc2.FQDN


external_acl_type AD_Group %LOGIN /usr/lib64/squid/squid_ldap_group -b DC=office,DC=some,DC=domain,DC=tld \
    -s sub \
    -R -v3 \
    -D ldap-bind at MY_REALM \
    -W /etc/squid/private/ldap-bind \
    -f "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%a,ou=Proxygroups,DC=office,DC=some,DC=domain,DC=tld))" \
    -H ldaps://dc1.FQDN \
    -H ldaps://dc2.FQDN

I hope this helps a bit.

Greetz,

Louis
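As an added example, not part of Louis's configuration or of Squid's own helpers: a minimal external_acl_type helper in POSIX shell that speaks the request/reply protocol the squid_ldap_group lines above rely on (one line "<%LOGIN> <acl arguments>" in on stdin, "OK" or "ERR" out on stdout). The membership table is constructed inline so the helper runs offline; in a real deployment the lookup would be the LDAP query against memberof/groupMembership. The users and group names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original message or of Squid. A minimal
# external_acl_type helper: Squid writes one request per line on stdin,
# "<%LOGIN> <acl argument>...", and reads "OK" or "ERR" back on stdout.
# Group membership comes from a constructed inline table instead of LDAP so
# the protocol can be exercised offline. Assumes the external_acl_type line
# has no concurrency= option (otherwise each line is prefixed by a channel ID).

# Constructed membership table, "user group" per line (hypothetical data).
MEMBERS='alice Proxygroups-Internet
bob Proxygroups-Internet
bob Proxygroups-Admin'

# in_group USER GROUP: succeed if USER is listed as a member of GROUP.
in_group() {
    printf '%s\n' "$MEMBERS" |
        awk -v u="$1" -v g="$2" '$1 == u && $2 == g { found = 1 } END { exit !found }'
}

# acl_answer USER GROUP...: Squid passes every argument of the "acl ... external"
# line; like squid_ldap_group, answer OK if USER is in any of them, else ERR.
# Always returns 0 because the reply, not the exit status, is the result.
acl_answer() {
    user=$1
    shift
    for group in "$@"; do
        if in_group "$user" "$group"; then
            echo OK
            return 0
        fi
    done
    echo ERR
    return 0
}

# helper_loop: the stdin/stdout loop Squid drives for the lifetime of the
# helper process. Usernames containing spaces would need Squid's %-encoding
# handling, which this toy helper does not implement.
helper_loop() {
    while read -r line; do
        # shellcheck disable=SC2086
        acl_answer $line
    done
}

# Run as a helper only when invoked with "serve", e.g. (constructed config)
#   external_acl_type demo_group %LOGIN /usr/local/bin/demo_acl.sh serve
#   acl allowed_users external demo_group Proxygroups-Internet Proxygroups-Admin
# Otherwise just define the functions so the file can be sourced or tested.
if [ "${1:-}" = serve ]; then
    helper_loop
fi
```

Feeding a few request lines into helper_loop by hand is the quickest way to check that Squid's acl line and the helper agree on argument order before pointing it at LDAP; a helper that answers ERR for everyone shows up in access.log as a blanket deny, which is easy to mistake for an authentication failure.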



> -----Original Message-----
> From: squid-users
> [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent: Thursday 21 February 2019 10:18
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] The issue NTLM_AUTH with
> --require-membership-of
>
> On 21/02/19 9:35 pm, WANG TOM wrote:
> >
> > ----------------------------------------------------------------------------------------------
> > And I have tested running ntlm_auth directly; it looks successful.
> > "ntlm_auth --require-membership-of='IBM\Domain Users'
> > --username=Administrators --password=123456
> > NT_STATUS_OK: The operation completed successfully. (0x0)"
> >
> > ----------------------------------------------------------------------------------------------
> > I have no idea what I have missed or what mistake I made; could someone help?
> >
>
> Very likely that whitespace in the parameter string. Squid does not
> support double-quote encoding of most parameters.
>
> That means the helper will be passed two different environment
> arguments.  One being "--require-membership-of='IBM\Domain".
> The second being "Users'"
>
> IIRC you can probably %-encode that (as "IBM\Domain%20Users").
>
>
> If not that then you are going to have to debug what the
> helper is doing.
>
>
> NP: This helper is provided by Samba, it is not part of Squid. So
> questions about its abilities and encodings supported are a
> question for
> their help channels. Someone here _might_ know, but do not
> count on that.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
