[squid-users] Squid - using NTLM for SSO
Dijxie
dijxie at gmail.com
Wed May 10 00:16:08 UTC 2017
> Hello list,
>
>
> I need your help with a Squid-Proxy (3.5) NTLM Auth, the aim is to use
> SSO for my windows clients.
>
> My Windows-Clients are using Active-Directory running on a Samba4-PDC.
>
> I set up ldap basic auth in a developer environment, now I want to
> achieve SSO. (using NTLM?)
>
> The Documentation on
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
> <http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm> doesn't
> really help me enough (on my knowledge about squid and forms of
> authentication/samba).
>
>
> Tests:
>
> -> testing Kerberos
>
> I'm able to obtain (kinit) tickets and list them (klist)
>
>
> root at xxx-testproxy01:~# kinit Administrator
> Password for Administrator at X-XXX.LOCAL:
> root at xxx-testproxy01:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at X-XXX.LOCAL
>
> Valid starting Expires Service principal
> 2017-05-09 08:43:25 2017-05-09 18:43:25 krbtgt/X-XXX.LOCAL at X-XXX.LOCAL
> renew until 2017-05-10 08:43:21
>
> -> testing Samba:
> I joined my domain X-XXX.
> Test support for ntlm:
> root at xxx-testproxy01:~# wbinfo -a testuser%xxxxxxxxxxx
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> root at xxx-testproxy01:~# wbinfo -a testuser%xxxxxxxxxxx
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> root at xxx-testproxy01:~# wbinfo -t
> checking the trust secret for domain X-XXX via RPC calls succeeded
> root at xxx-testproxy01:~# wbinfo -g
> X-XXX\cert publishers
> ...negotiate_wrapper
> X-XXX\webusers
>
> -> Testing NTLM-helper:
> Now here's my problem.
>
> root at xxx-testproxy01:~# /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp --username=testuser
> --password=xxxxxxxxxxx
> x-xxx\testuserxxxxxxxxxxx
> SPNEGO request [testuser xxxxxxxxxxx] invalid prefix
> BH SPNEGO request invalid prefix
>
> root at xxx-testproxy01:~# /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic --username=testuser
> --password=xxxxxxxxxxx
> x-xxx\testuser xxxxxxxxxxx
> OK
>
> What is ntlmssp? I read both helpers on tutorials. If I need both, why
> do I need both?
> My squid is starting how it should, logs are looking normal, PopUp for
> authentication appears aswell, but I can't log in. I shoudn't need to
> authenticate in the first place because it should use SSO.
> What is missing/faulty?
> The rest of squid is basic stuff:
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp --username=testuser
> --password=Passme123
> auth_param ntlm children 10
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic --username=testuser --password=Passme123
> auth_param basic children 5
> auth_param basic realm Proxy Server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> authenticate_cache_garbage_interval 10 seconds
> ...
> acl auth proxy_auth REQUIRED
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> ...
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localnet
> http_access allow localhost manager
> http_access deny !auth
> http_access allow auth
> http_access deny all
> ...
> url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> url_rewrite_children 5
>
> Does anyone know further? Thanks in advance.
> - Kevin
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
Hi,
1. There is no point in testing kerberos (kinit) when you're going to
use the ntlm_auth helper; squid has its spnego helper, 'negotiate_wrapper',
which is capable of doing negotiation between kerberos and NTLM. Just
look for the squid-helpers package for your OS; if it's not in the OS repo,
check http://ngtech.co.il/repo/ - Eliezer is doing a really good job here.
If kerberos is working in your environment, I would use
negotiate_wrapper or negotiate_kerberos_auth. The good thing about
negotiate_wrapper is the -d switch, which gives you a good portion of
debug info in cache.log.
Really, NTLM is bitchy and it is not the primary protocol even in MS systems
since 2003/XP. If you can fulfill kerberos' requirements in your
environment, I would go with kerberos, not NTLM.
2. My guess is that you have a problem with access to the winbindd_privileged
pipe; can you perform /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --username=testuser --password=...et
cetera with ptrace? There is still a mess with winbind's pipe location;
/var/run/samba vs /var/lib/samba, perhaps you need some symlinking,
ptrace can give you a clue.
3. Sometimes - just sometimes - passing --domain=DOMAIN_NAME to
/usr/bin/ntlm_auth resolves cosmic issues. Sometimes it's
DOMAIN\username vs just username in --username.
The last thing is the error message: "BH SPNEGO request invalid prefix". It is
strange, at least for me. A SPNEGO reply is rather a kerberos or negotiate
reply; not ntlm_auth. What distro are you using?
--
Dijx
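Added diagnostic script for the two points raised in the reply above (access to the winbindd_privileged pipe, and reading what ntlm_auth answers); it is not part of the thread and not Samba's or Squid's own tooling. It assumes the helper path /usr/bin/ntlm_auth from the thread, that Squid runs as the user named in SQUID_USER (default "proxy" is an assumption for Debian-style installs), and checks the two pipe locations the reply names plus /run/samba (an assumption). Note on the helper protocol itself: in squid-2.5-ntlmssp mode ntlm_auth reads "YR"/"KK"-prefixed, base64-encoded NTLMSSP tokens that Squid relays from the browser, so a hand-typed "user password" line is what produces "BH SPNEGO request invalid prefix"; squid-2.5-basic mode is the one that takes "DOMAIN\user password" lines and answers OK/ERR, which is why only that mode is driven by hand here.

```shell
#!/bin/sh
# ntlm_helper_check.sh - added example, not code from the squid-users thread.
# Checks whether the Squid run user can reach winbind's privileged pipe and
# classifies helper replies. Assumptions: helper at /usr/bin/ntlm_auth,
# Squid user in $SQUID_USER (default "proxy").

# Candidate locations of the privileged pipe directory (the
# /var/run/samba vs /var/lib/samba mess from the reply; /run/samba is an
# added assumption for newer distros).
WINBIND_PRIV_CANDIDATES="/var/run/samba/winbindd_privileged /var/lib/samba/winbindd_privileged /run/samba/winbindd_privileged"

# Print the first existing directory among the arguments; status 1 if none.
find_winbind_priv_dir() {
    for d in "$@"; do
        if [ -d "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Status 0 when USER belongs to GROUP (primary or supplementary).
user_in_group() {
    user=$1; group=$2
    for g in $(id -Gn "$user" 2>/dev/null); do
        [ "$g" = "$group" ] && return 0
    done
    return 1
}

# Classify one reply line from ntlm_auth.
# squid-2.5-ntlmssp: TT <token> = challenge for the client, AF <user> = auth
# succeeded, NA <reason> = credentials rejected, BH <reason> = helper broken
# or misconfigured (the thread's "BH SPNEGO request invalid prefix").
# squid-2.5-basic: OK / ERR.
classify_helper_reply() {
    case $1 in
        TT\ *)      echo "challenge" ;;
        AF\ *)      echo "authenticated" ;;
        NA\ *)      echo "rejected" ;;
        BH\ *)      echo "helper-error" ;;
        OK|OK\ *)   echo "authenticated" ;;
        ERR|ERR\ *) echo "rejected" ;;
        *)          echo "unknown" ;;
    esac
}

# Basic-mode probe: feed "DOMAIN\user password" on stdin, read OK/ERR back.
# This is the mode that is safe to drive by hand; ntlmssp mode needs real
# NTLMSSP tokens from a browser exchange.
probe_basic() {
    printf '%s %s\n' "$1" "$2" | /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
}

main() {
    squid_user=${SQUID_USER:-proxy}
    dir=$(find_winbind_priv_dir $WINBIND_PRIV_CANDIDATES) || {
        echo "no winbindd_privileged directory found; is winbindd running?"; exit 1; }
    echo "privileged pipe dir: $dir"
    ls -ld "$dir"
    grp=$(ls -ld "$dir" | awk '{print $4}')
    if user_in_group "$squid_user" "$grp"; then
        echo "$squid_user is in group $grp: the helper can reach winbind"
    else
        echo "$squid_user is NOT in group $grp: add it (usermod -aG $grp $squid_user) and restart squid"
    fi
    if [ $# -ge 2 ]; then
        reply=$(probe_basic "$1" "$2")
        echo "basic probe: $reply -> $(classify_helper_reply "$reply")"
    fi
}

# Run only when invoked as: sh ntlm_helper_check.sh check ['DOMAIN\user' 'password']
case "${1:-}" in check) shift; main "$@" ;; esac
```

Run it as the Squid user (for example `sudo -u proxy sh ntlm_helper_check.sh check 'X-XXX\testuser' 'secret'`) so the directory test reflects the permissions the helper will actually have; a "helper-error" classification on a BH line points at configuration or pipe access, not at the user's credentials.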