[squid-users] Squid V 3.5.23 authenticating in AD: User names not showing in log

Amos Jeffries squid3 at treenet.co.nz
Thu May 16 09:13:14 UTC 2019


On 16/05/19 5:45 am, Rafael Silva Daniel wrote:
> Hello! I'm in need of serious help. In my company we need the access logs by
> user name; that is the only reason the proxy is set to authenticate, but it
> just doesn't show it. The relevant parts of the .conf look like this:
> 
> (...)
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=XXXXX(domain name)
> auth_param ntlm children 100
> auth_param ntlm keep_alive off
> 
> external_acl_type NT_global_group %LOGIN /usr/lib/squid/ext_wbinfo_group_acl
> acl users external NT_global_group "/etc/squid/fapgrp"
> (...)
> 
> (...)
> http_access deny !users
> http_access allow users
> http_access deny !auth
> (...)
> 

There is no natural reason why those CONNECT should be exempt from
authenticating.

I usually find situations like what you describe happen where someone
has misunderstood the default security rules and "customized" them a
bit. They are finely tuned rules, so vast changes to proxy behaviour
(like complete bypass of auth) can result if updates to them are not
done correctly.

Can you please show more of your http_access rules? All of them would be
best. At minimum all of the ones above that "http_access deny !auth"
line, and the definition lines for any ACLs used in those rules (include
that "auth" ACL definition too please).



> ***("/etc/squid/fapgrp" is a text file with the text "Usuários do dóminio";
> it's "Domain Users" in Portuguese)
> 
> When I test the helper:
> 
> /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
> --domain=XXXXX
> user password
> BH SPNEGO request invalid prefix
> 
> I read somewhere that ntlmssp can be tested like this, because we are
> sending the credentials as plain text, so I tested with basic and the result
> is this:
> 
> /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-basic
> --domain=XXXXX
> user password
> OK
> user password
> ERR
> 
> So, I'm assuming that the way Squid is processing the challenges is fine. Is
> that right?

That is a test that the helper is talking to the AD service okay. It
cannot tell you whether the client and Squid are communicating the NTLM
credentials.


The NTLM protocol does not deliver passwords across the network. NTLM
uses (weak) encrypted tokens instead. All Squid does is pass the token
as-is to the helper. The helper then informs Squid what username to log
for that token (if any).
So to test that part you need to locate a valid token and pass that to
the helper instead of username/password.

However, before you go to any trouble over that, I do not think the
helper or auth are the problem here. Something is clearly letting the
CONNECT happen without even going near the auth process.


Amos
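A defender-side check in the spirit of the diagnosis above, added here as an example and not code from the original thread or from the Squid project: it scans Squid's native-format access.log for requests that were served (2xx) with no username logged, which is exactly the footprint of an http_access rule admitting CONNECT before authentication is consulted. The log lines are constructed for the example, and the domain name is the placeholder XXXXX from the post.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed sample of Squid "native" access.log lines (not taken from the post).
# Field order: timestamp elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1557995614.123    245 10.0.0.5 TCP_TUNNEL/200 4523 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
1557995615.456     12 10.0.0.5 TCP_DENIED/407 3700 GET http://example.com/ - HIER_NONE/- text/html
1557995615.789    120 10.0.0.5 TCP_MISS/200 1834 GET http://example.com/ XXXXX%5Cuser HIER_DIRECT/93.184.216.34 text/html
1557995616.001    310 10.0.0.7 TCP_TUNNEL/200 9980 CONNECT mail.example.net:443 - HIER_DIRECT/198.51.100.9 -
1557995616.222     90 10.0.0.7 TCP_MISS/200 512 GET http://intranet.example.net/ XXXXX%5Calice HIER_DIRECT/198.51.100.9 text/plain
"""

def parse_line(line):
    """Split one native-format line into the fields this check needs; None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    return {"client": f[2], "result": result,
            "status": int(status) if status.isdigit() else 0,
            "method": f[5], "url": f[6], "user": unquote(f[7])}

def find_unauthenticated_allows(log_text):
    """Served requests (2xx) whose user field is '-'.
    With proxy_auth enforced these should not exist: a request either carries a
    username or is rejected with 407. Each hit points at a rule that allowed the
    request before authentication was required."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["user"] == "-" and 200 <= rec["status"] < 300:
            hits.append(rec)
    return hits

def summarize(log_text):
    """Count served requests per (method, authenticated?) to show which methods bypass auth."""
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and 200 <= rec["status"] < 300:
            counts[(rec["method"], rec["user"] != "-")] += 1
    return counts

if __name__ == "__main__":
    for rec in find_unauthenticated_allows(SAMPLE_LOG):
        print(f"{rec['client']} {rec['method']} {rec['url']} served with no username")
    print(summarize(SAMPLE_LOG))
```

On a real proxy, run it over /var/log/squid/access.log; a non-empty result for CONNECT alongside authenticated GETs reproduces the symptom in the thread.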

