<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>
<div>Hi All,</div>

<div> </div>

<div>I've been following the guide at this location for Active Directory integration<br/>
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy<br/>
 <br/>
First, some versions for sanity..<br/>
Ubuntu : 14.04.3 LTS<br/>
Squid  : 3.3.8 (from ubuntu repositories)<br/>
Samba  : 4.1.6-Ubuntu<br/>
DC     : Windows Server 2012 R2<br/>
 <br/>
I am currently testing the authentication; negotiate kerberos and basic ldap are both working correctly. However, ntlm is not, and I don't seem to be making any progress on debugging further.<br/>
 <br/>
Here is the relevant part of squid.conf<br/>
 <br/>
### negotiate kerberos and ntlm authentication<br/>
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME<br/>
auth_param negotiate children 10<br/>
auth_param negotiate keep_alive off<br/>
### pure ntlm authentication<br/>
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN<br/>
auth_param ntlm children 10<br/>
auth_param ntlm keep_alive off<br/>
### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm<br/>
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local<br/>
auth_param basic children 10<br/>
auth_param basic realm Internet Proxy<br/>
auth_param basic credentialsttl 30 minutes<br/>
### ldap authorisation<br/>
external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))" -h dc1.domain.local<br/>
 </div>

<div>With kerberos and ldap working correctly, this seems to cover all my users, except for non-domain-joined Internet Explorer, which unfortunately I still need to cater for.<br/>
For testing I have allowed the proxy user to login.<br/>
 <br/>
The following commands work successfully as proxy user<br/>
 <br/>
wbinfo -p<br/>
wbinfo -u<br/>
wbinfo -g<br/>
 <br/>
wbinfo -t does not run successfully as proxy user, but does run as root.<br/>
 <br/>
Testing ntlm_auth at the command line works correctly.<br/>
 <br/>
ntlm_auth --helper-protocol=squid-2.5-basic<br/>
DOMAIN\user password<br/>
OK</div>

<div> </div>

<div>When a non-domain-joined user with Internet Explorer attempts to use the proxy, they are continually prompted for credentials. In /var/log/cache.log, I see:<br/>
 <br/>
2015/10/20 12:33:19| negotiate_wrapper: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' from squid (length: 59).<br/>
2015/10/20 12:33:19| negotiate_wrapper: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' (decoded length: 40).<br/>
2015/10/20 12:33:19| negotiate_wrapper: received type 1 NTLM token<br/>
2015/10/20 12:33:19| negotiate_wrapper: Return 'TT TlRMTVNTUAACAAAAEAAQADgAAAAVgoninreK53QrtdEAAAAAAAAAADgAOABIAAAABgEAAAAAAA9JAE4AUwBFAEMAVQBSAEUAAgAQAEkATgBTAEUAQwBVAFIARQABAAoAUABSAE8AWABZAAQAAAADAAoAcAByAG8AeAB5AAAAAAA=<br/>
'<br/>
2015/10/20 12:33:19| negotiate_wrapper: Got 'KK TlRMTVNTUAADAAAAGAAYAHQAAADYANgAjAAAABAAEABYAAAACAAIAGgAAAAEAAQAcAAAABAAEABkAQAAFYKI4gYDgCUAAAAP4J12bZve1C56VHP1YUJ5N2kAbgBzAGUAYwB1AHIAZQBiAHIAYQBkAEkATwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAI1+mUr3xj8iMVIytXIZcbAQEAAAAAAADgQryt3wrRAStLKXVkL/kDAAAAAAIAEABJAE4AUwBFAEMAVQBSAEUAAQAKAFAAUgBPAFgAWQAEAAAAAwAKAHAAcgBvAHgAeQAIADAAMAAAAAAAAAABAAAAABAAALfe6ZoORXwOZjR0QdSusCHwlNUGYo79byijLZDZARCDCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEANwAyAC4AMgA4AC4AMgA5AC4AMQA0ADcAAAAAAAAAAACEC4x7NJBCdMLgU3gJ6QTq' from squid (length: 499).<br/>
2015/10/20 12:33:19| negotiate_wrapper: Decode 'TlRMTVNTUAADAAAAGAAYAHQAAADYANgAjAAAABAAEABYAAAACAAIAGgAAAAEAAQAcAAAABAAEABkAQAAFYKI4gYDgCUAAAAP4J12bZve1C56VHP1YUJ5N2kAbgBzAGUAYwB1AHIAZQBiAHIAYQBkAEkATwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAI1+mUr3xj8iMVIytXIZcbAQEAAAAAAADgQryt3wrRAStLKXVkL/kDAAAAAAIAEABJAE4AUwBFAEMAVQBSAEUAAQAKAFAAUgBPAFgAWQAEAAAAAwAKAHAAcgBvAHgAeQAIADAAMAAAAAAAAAABAAAAABAAALfe6ZoORXwOZjR0QdSusCHwlNUGYo79byijLZDZARCDCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEANwAyAC4AMgA4AC4AMgA5AC4AMQA0ADcAAAAAAAAAAACEC4x7NJBCdMLgU3gJ6QTq' (decoded length: 372).<br/>
2015/10/20 12:33:19| negotiate_wrapper: received type 3 NTLM token<br/>
2015/10/20 12:33:19| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL<br/>
'<br/>
2015/10/20 12:33:19| ERROR: Negotiate Authentication validating user. Error returned 'BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL'<br/>
 <br/>
 <br/>
 <br/>
 <br/>
Can anyone give me any pointers on what I am doing incorrectly?<br/>
 <br/>
Thank you.<br/>
 <br/>
Ilias<br/>
 </div>
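<div>Added example, not part of the original post and not Squid or Samba code: a small decoder for the base64 NTLMSSP tokens that negotiate_wrapper writes to cache.log, showing which domain, user and workstation names a client put in its type 3 message. The function names and the sample log lines are constructed for illustration; the field offsets assume the standard NTLMSSP AUTHENTICATE layout.</div>

```python
import base64
import re

SIG = b"NTLMSSP\x00"
# Token in negotiate_wrapper lines such as: Got 'KK TlRM...' from squid
TOKEN_RE = re.compile(r"negotiate_wrapper: (?:Got|Return) '(YR|KK|TT) ([A-Za-z0-9+/=]+)")

def _u(raw, off, size):
    return int.from_bytes(raw[off:off + size], "little")

def _field(raw, desc_off, is_unicode):
    """Read one security buffer: u16 length, u16 max length, u32 offset."""
    length, offset = _u(raw, desc_off, 2), _u(raw, desc_off + 4, 4)
    if offset + length > len(raw):
        raise ValueError("security buffer points outside the message")
    return raw[offset:offset + length].decode("utf-16-le" if is_unicode else "cp437")

def parse_ntlm(b64_token):
    """Return the message type and, for type 3, the names the client sent."""
    raw = base64.b64decode(b64_token, validate=True)
    if raw[:8] != SIG or len(raw) < 12:
        raise ValueError("not an NTLMSSP message")
    info = {"type": _u(raw, 8, 4)}
    if info["type"] == 3:
        if len(raw) < 64:
            raise ValueError("truncated type 3 message")
        uni = bool(_u(raw, 60, 4) & 0x1)  # NTLMSSP_NEGOTIATE_UNICODE
        info.update(domain=_field(raw, 28, uni), user=_field(raw, 36, uni),
                    workstation=_field(raw, 44, uni))
    return info

def parse_cache_log(lines):
    """Return (helper keyword, decoded fields) for every line carrying a token."""
    return [(m[1], parse_ntlm(m[2])) for m in map(TOKEN_RE.search, lines) if m]

def build_type3(domain, user, workstation):
    """Constructed sample only: type 3 message with empty LM/NT responses."""
    parts = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    head, off = SIG + (3).to_bytes(4, "little"), 64
    head += (b"\x00" * 4 + off.to_bytes(4, "little")) * 2  # LM, NT descriptors
    for p in parts:
        head += len(p).to_bytes(2, "little") * 2 + off.to_bytes(4, "little")
        off += len(p)
    head += b"\x00" * 4 + off.to_bytes(4, "little") + (1).to_bytes(4, "little")
    return base64.b64encode(head + b"".join(parts)).decode()

SAMPLE_LOG = [  # constructed lines in the format shown in the post
    "2015/10/20 12:33:19| negotiate_wrapper: Got 'KK %s' from squid"
    % build_type3("WORKGROUP", "alice", "LAPTOP01"),
    "2015/10/20 12:33:19| negotiate_wrapper: received type 3 NTLM token",
]
```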
</div></div></body></html>