[squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3

Markus Moeller huaraz at moeller.plus.com
Tue Aug 18 22:02:33 UTC 2015


Hi Louis,

   When you have an offline PC, do you use DHCP to give it an IP? If so, can you also provide the PC with a WINS server via DHCP? If that is possible and you run WINS, you can authenticate the user with user@DOMAIN.COM when you get the authentication popup. The WINS server will point the PC to the AD server of the domain DOMAIN.COM (I assume you have given out some AD guest accounts to the non-domain PC).

Regards
Markus


"L.P.H. van Belle" <belle at bazuin.nl> wrote in message news:vmime.55d2d089.2ba7.1a22bdbf5ed74699 at ms249-lin-003.rotterdam.bazuin.nl...
Does nobody have any hint where the NTLM auth is going wrong, or what I can do to fix this?




------------------------------------------------------------------------------
  From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of L.P.H. van Belle
  Sent: Monday 17 August 2015 17:06
  To: squid-users at lists.squid-cache.org
  Subject: [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3


  Hi all,

  I have a Debian Jessie setup with squid 3.4, all Debian packages.
  I'm using Samba 4 AD as domain controllers for my Kerberos authentication.

  I have a setup as described here:
  http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory 

  I have my Kerberos auth working, so I don't type any password with a "domain joined computer" when I want to use the internet.
  I have my LDAP auth working for my "non-Windows, non-domain-joined" devices.

  Now I need to give users access to the internet from a non-domain-joined Windows PC.

  I'm getting: (with Markus' negotiate_wrapper 1.0.1)
  2015/08/17 16:31:51 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }
  2015/08/17 16:32:03| negotiate_wrapper: Got 'YR TlR....   =' from squid (length: 59). 
  2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR... =' (decoded length: 40).
  2015/08/17 16:32:03| negotiate_wrapper: received type 1 NTLM token
  2015/08/17 16:32:03| negotiate_wrapper: Return 'TT TlR......  AA= * 
  2015/08/17 16:32:03| negotiate_wrapper: Got 'KK TlR....  8=' from squid (length: 711).
  2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR.....8=' (decoded length: 530).
  2015/08/17 16:32:03| negotiate_wrapper: received type 3 NTLM token
  2015/08/17 16:32:03| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL
  2015/08/17 16:32:03 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }} 



  I know the following: (and correct me if I'm thinking wrong here.)
  ## 1) Pure Kerberos. Passthrough auth for Windows users with Windows DOMAIN JOINED PCs.
  ##    Fallback to LDAP for NON WINDOWS NON DOMAIN JOINED devices.
  ##    NO NTLM. AKA, a Windows PC NOT JOINED in the domain will always end up in a user popup for auth,
  ##    which will always fail because of NTLM TYPE 1 and TYPE 2 authorisations.
  ## 2) NEGOTIATE AUTH, which will do all of the above, but also authenticates Windows PCs not domain joined.

  But I receive a type 3 NTLM token...


  These are the configs I have tested, and these 2 work.
  For Kerberos auth:
  auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/hostname.fqdn@REALM

  For basic auth:
  auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
      -b "dc=internal,dc=domain,dc=tld" \
      -D ldap-bind@internal.domain.tld -W /etc/squid3/private/ldap-bind \
      -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
      -h addc.internal.domain.tld  

  These don't work.

  auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
      --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
      --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
  or 
  auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
      --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
      --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

  I tried the wrapper supplied with squid here: /usr/lib/squid3/negotiate_wrapper_auth
  and I have tried the negotiate_wrapper of Markus, as wiki.squid-cache.org also says here:
  http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory (Install negotiate_wrapper)

  The Kerberos part works, but not the NTLM.

  When I try with only:

  ### pure ntlm authentication
  auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
  auth_param ntlm children 10
  auth_param ntlm keep_alive off

  I'm also unable to authenticate on the proxy.

  All winbind tests work.

  I googled a lot, but I didn't find any solutions, so I'm hoping someone here knows more.

  So, anyone any hint where to look? I can't figure this out.


  Greetz, 

  Louis
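As an added example (not code from the thread and not negotiate_wrapper's own source), here is a small Python decoder for the 'YR'/'KK' helper-protocol lines shown in the log above: it tells raw NTLMSSP tokens from SPNEGO/Kerberos ones the way a wrapper must before choosing between ntlm_auth and negotiate_kerberos_auth, reads the NTLM message type, and for a type 3 token pulls out the domain, user and workstation the client claims, which is what you want next to a BH result in cache.log. The sample tokens, the BAZRTD/louis/PC1 values and the function names are constructed for this example.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"   # base64-encodes to the "TlRMTVNTUAA..." seen in the wrapper log

def _field(value, offset):
    """NTLM security buffer: length, max length, offset from message start."""
    return struct.pack("<HHI", len(value), len(value), offset)

def build_type1():
    """Minimal NTLM NEGOTIATE (type 1): header, flags, empty domain/workstation."""
    return NTLMSSP + struct.pack("<II", 1, 0) + _field(b"", 32) * 2

def build_type3(domain, user, workstation):
    """Minimal NTLM AUTHENTICATE (type 3) with empty challenge responses (constructed)."""
    values = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]
    fields, payload = b"", b""
    for value in values:                       # six buffers at offsets 12..52, flags at 60
        fields += _field(value, 64 + len(payload))
        payload += value
    return NTLMSSP + struct.pack("<I", 3) + fields + struct.pack("<I", 0) + payload

def _buf(raw, off):
    length, _max, start = struct.unpack_from("<HHI", raw, off)
    return raw[start:start + length]

def classify(helper_line):
    """Decode one 'YR <b64>' / 'KK <b64>' helper request the way a negotiate
    wrapper must before choosing a backend, and report what the token contains."""
    code, _, b64 = helper_line.strip().partition(" ")
    if code not in ("YR", "KK"):
        raise ValueError("unexpected helper request code: %r" % code)
    raw = base64.b64decode(b64)
    if raw[:1] == b"\x60":     # ASN.1 [APPLICATION 0]: GSS-API/SPNEGO token -> Kerberos helper
        return {"mech": "spnego", "backend": "negotiate_kerberos_auth"}
    if not raw.startswith(NTLMSSP):
        return {"mech": "unknown", "backend": None}
    info = {"mech": "ntlm", "backend": "ntlm_auth",
            "type": struct.unpack_from("<I", raw, 8)[0]}
    if info["type"] == 3:      # only the AUTHENTICATE message names the principal
        info["domain"] = _buf(raw, 28).decode("utf-16-le")
        info["user"] = _buf(raw, 36).decode("utf-16-le")
        info["workstation"] = _buf(raw, 44).decode("utf-16-le")
    return info

# constructed sample requests, mirroring the YR/KK lines in the log above
SAMPLE_YR = "YR " + base64.b64encode(build_type1()).decode()
SAMPLE_KK = "KK " + base64.b64encode(build_type3("BAZRTD", "louis", "PC1")).decode()
```

Feeding the KK line through classify() before the backend sees it shows whether the failing client is even sending the domain you configured with --domain, which is the first thing to rule out when ntlm_auth answers BH.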