[squid-users] NTLM Authentication Failing

Amos Jeffries squid3 at treenet.co.nz
Tue Oct 20 05:06:17 UTC 2015 

On 20/10/2015 4:04 p.m., Ilias Clifton wrote:
> Hi All,
> I've been following the guide at this location for Active Directory integration
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
> 
> First, some versions for sanity..
> Ubuntu : 14.04.3 LTS
> Squid  : 3.3.8 (from ubuntu repositories)
> Samba  : 4.1.6-Ubuntu
> DC     : Windows Server 2012 R2
> 
> I am currently testing the authentication, negotiate kerberos and basic ldap are 
> both working correctly. However ntlm is not and I don't seem to making any 
> progress on debugging further.


There are several problems involved here.

1) NTLM is a proprietary protocol deprecated by its corporate creator in
2006 and officially has not been part of any MS products created after
that year.

With some trouble it can be enabled. But now, 9 years later, it is off
by default almost everywhere, or literally not existing in the new
products code.


2) NTLM has *never* worked properly over HTTP, particularly in the
presence of proxies.

Most of HTTP performance and optimization features have to be actively
disabled the instant NTLM auth is identified as happening.


3) off-domain clients have *never* been able to authenticate with NTLM
protocol.

Previously Squid helpers were performing a MITM downgrade attack on the
client software to cause it to use LanManager auth over "NTLM" tokens
then decrypting the user:pass credentials in real time and using the
Basic auth login to AD to authenticate. (sounds nasty? it is). LanMan
protocols are even more deprecated (since 1996) and non-existent in
modern MS software than NTLM.

 - NTLMv1 can still be MITM'd but takes longer. I think the older Samba
helpers maybe do that. But no guarantees.
 - NTLMv2 and v2 with security extensions are not able to be MITM'd.

So they wont work through Squid unless the client is "on-domain".


4) support for NTLM sub-protocol inside the "Negotiate" auth scheme is a
relatively new feature and still not working quite right.

Partially because of the above problems and deprecated nature of NTLM
meaning it is a low priority to fix. Partially because NTLM is also not
matching the behaviour requirements of Negotiate protocol itself.


5) The cache_effective_user or cache_effective_group directives are not
compatible with WinBind helpers.

see
<http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm?highlight=%28winbindd_priv%29#SMBD_and_Machine_Trust_Accounts>
for details on what to do there.


6) if you self-compiled Samba or Winbind tools on Ubuntu systems there
may also be a /var/lib/samba/winbindd_privileged directory created by
the winbind and ntlm_auth tools with root ownership. The group of that
folder needs to be changed to match the
/var/run/samba/winbindd_privileged location.


Your version of Squid has big problems with (4) and some with (2), and
your DC server version has big problems with (1) and (3).


Amos

More information about the squid-users mailing list