[squid-users] squid 4 fails to authenticate using NTLM

zby at post.cz zby at post.cz
Tue Jul 23 14:34:16 UTC 2019


echo "KK TlRMTVNTUAADAAAAGAAYAIwA....." | ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DOM1


NA NT_STATUS_INVALID_PARAMETER




---------------------------------------


squid.conf snippet:

...


## Authentication of NTLM:
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOM1
auth_param ntlm children 100 startup=10

auth_param ntlm keep_alive off

external_acl_type ad_group ttl=600 children-max=200 %LOGIN /usr/lib/squid/ext_wbinfo_group_acl

...

##No other auth scheme.

----------------------------------------------


## /var/lib/samba:

drwxr-x---  2 root winbindd_priv   4096 Jul 23 15:30 winbindd_privileged






Zbynek








---------- Original e-mail ----------
From: Amos Jeffries <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Date: 23. 7. 2019 11:03:37
Subject: Re: [squid-users] squid 4 fails to authenticate using NTLM
"On 23/07/19 7:53 am, zby wrote:
> My problem:  my browser keeps on prompting for authentication.
> Facts:
> 
> Debian 10 x86_64
> squid-4.6 + samba-4.9
> joined AD using "net ads join -U ...". OK.
> wbinfo -t : OK
> wbinfo -P or -p : OK
> wbinfo -i userXYZ : returns data (OK)
> wbinfo -g (well, fails to "deliver", too many users?)
> smbclient -U userXYZ //host/share : works, logs me in

This is irrelevant to Squid. It only tells that the user account has
filesystem access privileges. Nothing about web access privileges, or
whether the *Squid* user account has access to authenticate user logins.


> 
> wbinfo -a domain\\user%pass:
> plaintext password authentication succeeded

"plaintext" means Basic authentication.

> challenge/response password authentication failed
> 

Challenge/Response could mean anything auth related.


> sqadmin at host13:~$ ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=ad001
> userw01 Passwd001
> SPNEGO request [userw01 Passwd001] invalid prefix
> BH SPNEGO request invalid prefix
> 

"userw01 Passwd001" is not a SPNEGO token.

see
<https://wiki.squid-cache.org/Features/AddonHelpers#Negotiate_and_NTLM_Scheme>

Pass the helper the "KK" request command and the token you see in the
HTTP headers. For example:

KK TlRMTVNTUAADAAAAGAAYAIwAAABOAU4BpAAAAAoACgBYAAAAEAAQAGIAAAAa...



Amos
"
-------------- next part --------------
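
When checking what is being piped into `ntlm_auth`, it helps to decode the token first. The following is an added example, not code from the thread or from Squid/Samba: it parses the visible prefix of the token quoted above, assuming the standard NTLMSSP layout (8-byte signature, little-endian message type, then 8-byte buffer descriptors); the names `decode_prefix` and `describe` are hypothetical.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Security-buffer descriptors at the start of a type 3 message, in wire order.
TYPE3_FIELDS = ("lm_response", "nt_response", "domain", "user")

# Visible prefix of the token quoted in the thread; the rest is elided there.
TOKEN_PREFIX = "TlRMTVNTUAADAAAAGAAYAIwAAABOAU4BpAAAAAoACgBYAAAAEAAQAGIAAAAa..."


def decode_prefix(token):
    """Base64-decode a token that may be cut short or end in '...'."""
    b64 = token.strip().rstrip(".")
    b64 = b64[: len(b64) - len(b64) % 4]  # keep whole 4-character groups only
    return base64.b64decode(b64)


def describe(token):
    """Return the NTLMSSP message type and any complete type 3 descriptors."""
    raw = decode_prefix(token)
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message (or too short to tell)")
    (mtype,) = struct.unpack_from("<I", raw, 8)
    info = {"type": mtype, "name": MESSAGE_TYPES.get(mtype, "UNKNOWN"), "fields": {}}
    if mtype == 3:
        for i, name in enumerate(TYPE3_FIELDS):
            start = 12 + 8 * i
            if start + 8 > len(raw):
                break  # descriptor lies beyond the truncated prefix
            length, _maxlen, offset = struct.unpack_from("<HHI", raw, start)
            info["fields"][name] = {"length": length, "offset": offset}
    return info


if __name__ == "__main__":
    result = describe(TOKEN_PREFIX)
    print(f"type {result['type']} ({result['name']})")
    for name, buf in result["fields"].items():
        print(f"  {name:12} length={buf['length']:4} offset={buf['offset']}")
```

For the quoted token this reports a type 3 (AUTHENTICATE) message, which is the client's answer to a type 2 challenge issued earlier in the same handshake.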