<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix"><br>
</div>
<blockquote
cite="mid:VI1PR0501MB1967EDD767E33EE779D8C877A7EE0@VI1PR0501MB1967.eurprd05.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper" dir="ltr" style="font-size:12pt;
color:#000000; font-family:Calibri,Arial,Helvetica,sans-serif">
<p>Hello list,</p>
<p><br>
</p>
<p>I need your help with a Squid-Proxy (3.5) NTLM Auth, the aim
is to use SSO for my windows clients.</p>
<p>My Windows-Clients are using Active-Directory running on a
Samba4-PDC.</p>
<p>I set up ldap basic auth in a developer environment, now I
want to achieve SSO. (using NTLM?)</p>
<p>The Documentation on <a moz-do-not-send="true"
href="http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm"
class="OWAAutoLink" id="LPlnk469215" previewremoved="true">
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm</a>
doesn't really help me enough (on my knowledge about squid and
forms of authentication/samba).</p>
<p><br>
</p>
<p>Tests:</p>
<p>-> testing Kerberos</p>
<p>I'm able to obtain (kinit) tickets and list them (klist)<br>
</p>
<p><br>
</p>
<div>root@xxx-testproxy01:~# kinit Administrator<br>
Password for Administrator@X-XXX.LOCAL:
<br>
root@xxx-testproxy01:~# klist<br>
Ticket cache: FILE:/tmp/krb5cc_0<br>
Default principal: Administrator@X-XXX.LOCAL<br>
<br>
Valid starting Expires Service principal<br>
2017-05-09 08:43:25 2017-05-09 18:43:25 krbtgt/X-XXX.LOCAL@X-XXX.LOCAL<br>
renew until 2017-05-10 08:43:21<br>
<br>
-> testing Samba:<br>
I joined my domain X-XXX.<br>
Test support for ntlm:<br>
</div>
<div>root@xxx-testproxy01:~# wbinfo -a testuser%xxxxxxxxxxx<br>
plaintext password authentication succeeded<br>
challenge/response password authentication succeeded<br>
root@xxx-testproxy01:~# wbinfo -t<br>
checking the trust secret for domain X-XXX via RPC calls
succeeded<br>
root@xxx-testproxy01:~# wbinfo -g<br>
X-XXX\cert publishers<br>
...negotiate_wrapper<br>
X-XXX\webusers<br>
<br>
-> Testing NTLM-helper:<br>
<div>Now here's my problem.<br>
</div>
<br>
<div>root@xxx-testproxy01:~# /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --username=testuser
--password=<span>xxxxxxxxxxx</span><br>
x-xxx\testuser<span> xxxxxxxxxxx</span><br>
SPNEGO request [testuser <span>xxxxxxxxxxx</span>] invalid
prefix<br>
BH SPNEGO request invalid prefix</div>
<br>
<div>root@xxx-testproxy01:~# /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic --username=testuser
--password=<span>xxxxxxxxxxx</span><br>
x-xxx\testuser <span>xxxxxxxxxxx</span><br>
OK</div>
<br>
What is ntlmssp? I read both helpers on tutorials. If I need
both, why do I need both?<br>
My squid is starting how it should, logs are looking normal,
PopUp for authentication appears as well, but I can't log in. I
shouldn't need to authenticate in the first place because it
should use SSO.<br>
What is missing/faulty?<br>
The rest of squid is basic stuff:<br>
<div>auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --username=testuser
--password=Passme123<br>
auth_param ntlm children 10<br>
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic --username=testuser
--password=Passme123<br>
auth_param basic children 5<br>
auth_param basic realm Proxy Server<br>
auth_param basic credentialsttl 2 hours<br>
auth_param basic casesensitive off<br>
authenticate_cache_garbage_interval 10 seconds</div>
...<br>
<div>acl auth proxy_auth REQUIRED<br>
<div>acl SSL_ports port 443<br>
acl Safe_ports port 80 # http<br>
acl Safe_ports port 21 # ftp<br>
acl Safe_ports port 443 # https<br>
acl Safe_ports port 70 # gopher<br>
acl Safe_ports port 210 # wais<br>
acl Safe_ports port 1025-65535 # unregistered ports<br>
acl Safe_ports port 280 # http-mgmt<br>
acl Safe_ports port 488 # gss-http<br>
acl Safe_ports port 591 # filemaker<br>
acl Safe_ports port 777 # multiling http<br>
acl CONNECT method CONNECT<br>
...
<div>http_access deny !Safe_ports<br>
<br>
# Deny CONNECT to other than secure SSL ports<br>
http_access deny CONNECT !SSL_ports<br>
<br>
# Only allow cachemgr access from localhost<br>
http_access allow localnet<br>
<span>http_access allow </span>localhost manager<br>
http_access deny !auth<br>
http_access allow auth</div>
<div>http_access deny all<br>
</div>
...<br>
</div>
<div>url_rewrite_program /usr/bin/squidGuard -c
/etc/squidguard/squidGuard.conf<br>
url_rewrite_children 5<br>
</div>
<br>
</div>
Does anyone know further? Thanks in advance.<br>
- Kevin<br>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
<br>
<p>Hi,</p>
<p><br>
</p>
<p>1. There is no point in testing kerberos (kinit) when you're
going to use the ntlm_auth helper; squid has its spnego helper,
'negotiate_wrapper', which is capable of doing negotiation between
kerberos and NTLM. Just look for the squid-helpers package for your
OS; if it's not in the OS repo, check <a class="moz-txt-link-freetext" href="http://ngtech.co.il/repo/">http://ngtech.co.il/repo/</a> -
Eliezer is doing a really good job here.
</p>
<p>If kerberos is working in your environment, I would use
negotiate_wrapper or negotiate_kerberos_auth. Good thing about
negotiate_wrapper is -d switch, which is giving you a good portion
of debug info in cache.log<br>
</p>
<p>Really, NTLM is bitchy and it is not primary protocol even in MS
systems since 2003/XP. If you can fulfill kerberos' requirements
in your environment, I would go into kerberos, not NTLM.<br>
</p>
<p><br>
</p>
<p>2. My guess is that you have a problem with access to the
winbind_privileged pipe; can you perform /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --username=testuser
--password=<span>...et cetera with ptrace? There is still a mess
with winbind's pipe location; /var/run/samba vs /var/lib/samba,
perhaps you need some symlinking, ptrace can give you a clue. <br>
</span></p>
<p><span><br>
</span></p>
<p><span>3. Sometimes - just sometimes - passing
--domain=DOMAIN_NAME to </span>/usr/bin/ntlm_auth resolves
cosmic issues. Sometimes it's DOMAIN\username vs just username in
--username. <br>
</p>
<p><br>
</p>
<p>Last thing is the error message: "BH SPNEGO request invalid prefix".
It is strange, at least for me. SPNEGO reply is rather kerberos or
negotiate reply; not ntlm_auth. What distro are you using?<br>
</p>
<pre class="moz-signature" cols="72">--
Dijx</pre>
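Added example (not from either message in this thread): a Python sketch of what a squid-2.5-ntlmssp helper expects on stdin, the exchange behind Kevin's manual helper test and Dijx's point 4. Squid feeds that helper lines of the form <code>YR &lt;base64 NTLM type 1&gt;</code> / <code>KK &lt;base64 type 3&gt;</code> and reads back <code>TT</code>, <code>AF</code>, <code>NA</code> or <code>BH</code> (the squid-2.5-basic helper is the one that takes <code>user password</code>); the flag values are standard MS-NLMP constants, and the TT reply below is constructed, not captured from a real helper.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
# NegotiateFlags from MS-NLMP 2.2.2.5 (standard values)
NEG_UNICODE, REQ_TARGET, NEG_NTLM = 0x00000001, 0x00000004, 0x00000200
NEG_ALWAYS_SIGN, NEG_EXT_SESSIONSEC = 0x00008000, 0x00080000

def build_negotiate(domain: str, workstation: str) -> bytes:
    """NTLM NEGOTIATE_MESSAGE (type 1): the token a client sends first."""
    flags = NEG_UNICODE | REQ_TARGET | NEG_NTLM | NEG_ALWAYS_SIGN | NEG_EXT_SESSIONSEC
    dom, wks = domain.upper().encode("ascii"), workstation.upper().encode("ascii")
    hdr = 32  # fixed header length when no Version field is sent
    msg = SIGNATURE + struct.pack("<II", 1, flags)
    msg += struct.pack("<HHI", len(dom), len(dom), hdr)              # DomainNameFields
    msg += struct.pack("<HHI", len(wks), len(wks), hdr + len(dom))   # WorkstationFields
    return msg + dom + wks

def frame_yr(token: bytes) -> str:
    """The line Squid writes to a squid-2.5-ntlmssp helper to start a handshake."""
    return "YR " + base64.b64encode(token).decode("ascii")

def parse_helper_reply(line: str) -> dict:
    """Decode one helper reply: TT <challenge>, AF <user>, NA <reason>, BH <reason>."""
    code, _, rest = line.strip().partition(" ")
    if code != "TT":
        return {"code": code, "text": rest}
    tok = base64.b64decode(rest)
    if tok[:8] != SIGNATURE or struct.unpack_from("<I", tok, 8)[0] != 2:
        raise ValueError("TT payload is not an NTLM CHALLENGE_MESSAGE")
    tlen, _, toff = struct.unpack_from("<HHI", tok, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", tok, 20)[0]
    name = tok[toff:toff + tlen].decode("utf-16-le" if flags & NEG_UNICODE else "ascii")
    return {"code": code, "target": name, "flags": flags, "challenge": tok[24:32].hex()}

def sample_tt_line(target: str, challenge: bytes) -> str:
    """Constructed TT reply (a type-2 CHALLENGE_MESSAGE), standing in for a real helper."""
    name = target.encode("utf-16-le")
    msg = SIGNATURE + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(name), len(name), 48)           # target name at offset 48
    msg += struct.pack("<I", NEG_UNICODE | REQ_TARGET | NEG_NTLM)
    msg += challenge + b"\x00" * 8                                  # ServerChallenge + Reserved
    msg += struct.pack("<HHI", 0, 0, 48 + len(name))                # empty TargetInfo
    return "TT " + base64.b64encode(msg + name).decode("ascii")

if __name__ == "__main__":
    print(frame_yr(build_negotiate("X-XXX", "testproxy01")))   # what to paste into the helper
    print(parse_helper_reply(sample_tt_line("X-XXX", bytes(range(8)))))
    print(parse_helper_reply("BH SPNEGO request invalid prefix"))
```

Pasting the printed <code>YR ...</code> line into an interactive <code>ntlm_auth --helper-protocol=squid-2.5-ntlmssp</code> session is the manual test that matches what Squid does; a <code>user password</code> line only fits the squid-2.5-basic protocol.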
</body>
</html>