<HTML><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 11.00.9600.17937"></HEAD>
<BODY dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV>Hi Louis,</DIV>
<DIV> </DIV>
<DIV>   When you have an offline PC, do you use DHCP to give it an IP?
If so, can you also provide the PC with a WINS server via DHCP?
If that is possible and you run WINS, you can authenticate the user with
<A href="mailto:user@DOMAIN.COM">user@DOMAIN.COM</A> when you get the
authentication popup. The WINS server will point the PC to the AD server of the
domain DOMAIN.COM (I assume you have given out some AD guest accounts to the
non-domain PC).</DIV>
<DIV> </DIV>
<DIV>Regards</DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
<DIV> </DIV>
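<DIV>Added example, not part of the original messages: the "received type 1 NTLM token" and "received type 3 NTLM token" lines in the negotiate_wrapper log quoted below correspond to the message-type field that follows the NTLMSSP signature inside the base64 token, which is also why every token in that log starts with TlR. This Python sketch classifies a helper request line by that field and, for a type 3 message, reports the domain, user and workstation names the client sent; the offsets follow the NTLM AUTHENTICATE message layout, and the function names and sample values are constructed for illustration.</DIV>

```python
import base64

NTLMSSP = b"NTLMSSP\x00"  # 8-byte signature that starts every NTLM message
NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def _field(raw, pos, unicode):
    """Follow one (length, max length, offset) descriptor and decode its payload."""
    length = int.from_bytes(raw[pos:pos + 2], "little")
    offset = int.from_bytes(raw[pos + 4:pos + 8], "little")
    return raw[offset:offset + length].decode("utf-16-le" if unicode else "latin-1", "replace")

def describe_request(line):
    """Classify one helper request line such as 'YR TOKEN' or 'KK TOKEN'."""
    code, _, b64 = line.strip().partition(" ")
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return {"code": code, "mech": "invalid base64"}
    if not (raw.startswith(NTLMSSP) and len(raw) >= 12):
        return {"code": code, "mech": "non-NTLMSSP"}  # e.g. a Kerberos/SPNEGO token
    mtype = int.from_bytes(raw[8:12], "little")
    info = {"code": code, "mech": "NTLM", "type": mtype, "name": NAMES.get(mtype, "unknown")}
    if mtype == 3 and len(raw) >= 64:
        # AUTHENTICATE layout: domain, user, workstation descriptors at 28, 36, 44; flags at 60
        unicode = bool(int.from_bytes(raw[60:64], "little") & 0x1)
        info.update(domain=_field(raw, 28, unicode), user=_field(raw, 36, unicode),
                    workstation=_field(raw, 44, unicode))
    return info

def sample_type3(domain, user, workstation):
    """Constructed AUTHENTICATE message with empty responses; not a real capture."""
    fields, payload, offset = b"", b"", 64
    for text in ("", "", domain, user, workstation, ""):
        data = text.encode("utf-16-le")
        fields += len(data).to_bytes(2, "little") * 2 + offset.to_bytes(4, "little")
        payload += data
        offset += len(data)
    flags = (0x1).to_bytes(4, "little")  # NTLMSSP_NEGOTIATE_UNICODE
    return NTLMSSP + (3).to_bytes(4, "little") + fields + flags + payload

# Constructed sample lines in the shape of the negotiate_wrapper log on this page
SAMPLE_YR = "YR " + base64.b64encode(NTLMSSP + (1).to_bytes(4, "little") + bytes(28)).decode()
SAMPLE_KK = "KK " + base64.b64encode(sample_type3("WIN7-PC", "jdoe", "WIN7-PC")).decode()

if __name__ == "__main__":
    for line in (SAMPLE_YR, SAMPLE_KK):
        print(describe_request(line))
```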
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style="FONT-SIZE: small; FONT-FAMILY: 'Calibri'; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; TEXT-DECORATION: none; DISPLAY: inline">
<DIV>"L.P.H. van Belle" &lt;belle@bazuin.nl&gt; wrote in message
news:vmime.55d2d089.2ba7.1a22bdbf5ed74699@ms249-lin-003.rotterdam.bazuin.nl...</DIV></DIV></DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style="FONT-SIZE: small; FONT-FAMILY: 'Calibri'; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; TEXT-DECORATION: none; DISPLAY: inline">
<DIV dir=ltr align=left><SPAN class=128162706-18082015><FONT color=#0000ff
size=2 face=Arial>Does nobody have any hint where the NTLM auth is going wrong, or what I
can do to fix this? </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=128162706-18082015></SPAN><SPAN
class=128162706-18082015><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"
dir=ltr>
<DIV lang=nl class=OutlookMessageHeader dir=ltr align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> squid-users
[mailto:squid-users-bounces@lists.squid-cache.org] <B>On Behalf Of </B>L.P.H. van
Belle<BR><B>Sent:</B> Monday, 17 August 2015 17:06<BR><B>To:</B>
squid-users@lists.squid-cache.org<BR><B>Subject:</B> [squid-users] debian
Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type
3<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>Hai all,
</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=403484514-17082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>I have a Debian
Jessie setup with squid 3.4, all Debian packages. </SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>I'm using samba 4
AD as domain controllers for my kerberos authentication. </SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=403484514-17082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>I've set it up as
described here: </SPAN></FONT></DIV>
<DIV><SPAN class=403484514-17082015><A
href="http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory"><FONT
size=2
face=Arial>http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory</FONT></A><FONT
size=2 face=Arial> </FONT></SPAN></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=403484514-17082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>I have my kerberos
auth working, so I don't type any password with a "domain joined
computer" when I want to go on the internet. </SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>I have my LDAP
auth working for my "non-Windows, non-domain-joined" devices.
</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=403484514-17082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>Now I need to
give users access to the internet from a non-domain-joined Windows PC.
</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=403484514-17082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>I'm getting
(with Markus' negotiate_wrapper 1.0.1): </SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>2015/08/17
16:31:51 kid1| ERROR: Negotiate Authentication validating user. Result:
{result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL;
}</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>2015/08/17
16:32:03| negotiate_wrapper: Got 'YR TlR.... =' from squid
(length: 59). </SPAN></FONT></DIV>
<DIV><FONT size=2><FONT face=Arial>2015/08/17 16:32:03| negotiate_wrapper:
Decode 'TlR...<SPAN class=403484514-17082015> =' (decoded length:
40).</SPAN></FONT></FONT></DIV>
<DIV><FONT size=2><FONT face=Arial>2015/08/17 16:32:03| negotiate_wrapper:
received type 1 NTLM token<BR>2015/08/17 16:32:03| negotiate_wrapper: Return
'TT TlR<SPAN class=403484514-17082015>...... AA= *
</SPAN></FONT></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>2015/08/17
16:32:03| negotiate_wrapper: Got 'KK TlR.... 8=' from squid (length:
711).</SPAN></FONT></DIV>
<DIV><FONT size=2><FONT face=Arial>2015/08/17 16:32:03| negotiate_wrapper:
Decode 'TlR<SPAN class=403484514-17082015>.....8=' (decoded length:
530).</SPAN></FONT></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>2015/08/17
16:32:03| negotiate_wrapper: received type 3 NTLM token<BR>2015/08/17
16:32:03| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL *
NT_STATUS_UNSUCCESSFUL</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial>2015/08/17 16:32:03 kid1| ERROR: Negotiate
Authentication validating user. Result: {result=BH, notes={message:
NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }} </FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=403484514-17082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>I know the
following (and correct me if I'm thinking wrong here): </SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>## 1) Pure
Kerberos. Passthrough auth for Windows users with Windows DOMAIN JOINED
PCs.<BR>##    Fallback to LDAP for NON WINDOWS NON DOMAIN
JOINED devices.<BR>##    NO NTLM. AKA, a Windows PC, NOT JOINED
in the domain, will always end up in a user popup for
auth.<BR>##    Which will always fail because of NTLM TYPE 1
and TYPE 2 authorisations.<BR>## 2) NEGOTIATE AUTH, which will do all of
the above, but also authenticate Windows PCs not domain
joined.<BR></SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>But I receive a
type 3 NTLM token... </SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=403484514-17082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=403484514-17082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>These are the
configs I have tested, and these 2 work. </SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>For kerberos auth
</SPAN></FONT></DIV>
<DIV><SPAN class=403484514-17082015><FONT size=2 face=Arial>auth_param
negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s
HTTP/hostname.fqdn@REALM </FONT></SPAN></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=403484514-17082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>for basic auth
</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial>auth_param basic program
/usr/lib/squid3/basic_ldap_auth -R \<BR>    -b "dc=<SPAN
class=403484514-17082015>internal</SPAN>,dc=<SPAN
class=403484514-17082015>domain</SPAN>,dc=<SPAN
class=403484514-17082015>tld</SPAN>" \<BR>    -D ldap-bind@<SPAN
class=403484514-17082015>internal.domain</SPAN>.<SPAN
class=403484514-17082015>tld</SPAN> -W /etc/squid3/private/ldap-bind
\<BR>    -f (|(userPrincipalName=%s)(sAMAccountName=%s))
\<BR>    -h <SPAN
class=403484514-17082015>addc.internal.domain.tld
</SPAN><BR></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>These don't work.
</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=403484514-17082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>auth_param
negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d
\<BR> --ntlm /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \<BR>
--kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s
GSS_C_NO_NAME</SPAN></FONT></DIV><SPAN class=403484514-17082015>
<DIV><SPAN class=403484514-17082015></SPAN><FONT face=Arial><FONT
size=2>o<SPAN class=403484514-17082015>r </SPAN></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN class=403484514-17082015><SPAN
class=403484514-17082015>auth_param negotiate program
/usr/local/bin/negotiate_wrapper -d \<BR> --ntlm
/usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
--domain=BAZRTD \<BR> --kerberos
/usr/lib/squid3/negotiate_kerberos_auth -d -s
GSS_C_NO_NAME</SPAN></SPAN></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN class=403484514-17082015><SPAN
class=403484514-17082015></SPAN></SPAN></FONT></FONT><FONT size=2
face=Arial></FONT><FONT size=2 face=Arial></FONT><FONT size=2
face=Arial></FONT><FONT size=2 face=Arial></FONT><FONT size=2
face=Arial></FONT><BR><FONT size=2 face=Arial>I tried the wrapper supplied
with squid here:
/usr/lib/squid3/negotiate_wrapper_auth </FONT></DIV>
<DIV></SPAN><SPAN class=403484514-17082015><FONT size=2 face=Arial>and I have
tried the negotiate_wrapper of Markus, as the wiki.squid-cache.org also
says here</FONT></SPAN></DIV>
<DIV><SPAN class=403484514-17082015><SPAN class=403484514-17082015><A
href="http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory"><FONT
size=2
face=Arial>http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory</FONT></A><FONT
size=2 face=Arial> ( Install negotiate_wrapper )
</FONT></SPAN></SPAN></DIV>
<DIV><FONT size=2><FONT face=Arial><SPAN class=403484514-17082015><SPAN
class=403484514-17082015></SPAN></SPAN><SPAN
class=403484514-17082015> </DIV></SPAN></FONT></FONT>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>The kerberos part
works but not the NTLM. </SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=403484514-17082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>When I try with
only: </SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=403484514-17082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>### pure ntlm
authentication<BR><SPAN id=line-9-2 class=anchor></SPAN>auth_param ntlm
program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
--domain=EXAMPLE<BR><SPAN id=line-10-1 class=anchor></SPAN>auth_param ntlm
children 10<BR><SPAN id=line-11-1 class=anchor></SPAN>auth_param ntlm
keep_alive off</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=403484514-17082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>I'm also unable to
authenticate on the proxy. </SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=403484514-17082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>All winbind tests
work. </SPAN></FONT></DIV>
<DIV><FONT size=2><FONT face=Arial><SPAN class=403484514-17082015></SPAN><SPAN
class=403484514-17082015></SPAN></FONT></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=403484514-17082015>I googled a lot,
but I didn't find any solutions, so I'm hoping someone here knows more.
</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=403484514-17082015></SPAN></FONT> </DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN class=403484514-17082015>So does anyone
have any hint where to look? I can't figure this out. </SPAN></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN
class=403484514-17082015></SPAN></FONT></FONT> </DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN
class=403484514-17082015></SPAN></FONT></FONT> </DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN class=403484514-17082015>Greetz,
</SPAN></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN
class=403484514-17082015></SPAN></FONT></FONT> </DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN
class=403484514-17082015>Louis</SPAN></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN
class=403484514-17082015> </DIV></SPAN></FONT></FONT>
<DIV><SPAN class=403484514-17082015><FONT size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=403484514-17082015></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=403484514-17082015></SPAN></FONT> </DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN
class=403484514-17082015> </DIV></BLOCKQUOTE></SPAN></FONT></FONT>
<P>
<HR>
_______________________________________________<BR>squid-users mailing
list<BR>squid-users@lists.squid-cache.org<BR>http://lists.squid-cache.org/listinfo/squid-users<BR></DIV></DIV></DIV></DIV></BODY></HTML>