[squid-users] squid 4 fails to authenticate using NTLM
zby at post.cz
Wed Jul 24 07:02:34 UTC 2019
Good morning (CEST).
Solved for NTLM.
I added the squid user to the group winbindd_priv as described in "man ntlm_auth". Well, I just overlooked it.
Thanks all for reading/thinking/help.
Zbynek
---------- Original e-mail ----------
From: zby at post.cz
To: Amos Jeffries <squid3 at treenet.co.nz>
Date: 23. 7. 2019 18:24:13
Subject: Re: [squid-users] squid 4 fails to authenticate using NTLM
"
I found one more thing in the cache.log:
Got user=[user1] domain=[DOM1] workstation=[machine1] len1=24 len2=334
Login for user [DOM1\[user1]@[machine1 failed due to [Reading winbind reply failed!]
ntlmssp_server_auth_send: Checking NTLMSSP password for DOM1\user1 failed: NT_STATUS_UNSUCCESSFUL
gensec_update_done: ntlmssp[0x55713e452900]: NT_STATUS_UNSUCCESSFUL
GENSEC login failed: NT_STATUS_UNSUCCESSFUL
Why failed?
/var/lib/samba:
drwxr-x--- 2 root winbindd_priv 4096 Jul 23 18:09 winbindd_privileged
/var/run/samba:
drwxr-xr-x 2 root root 60 Jul 23 18:09 winbindd
If I chmod to anything other than expected, winbindd fails to start, complaining about an unexpected dir mode.
The dir modes remain the same as "defined" in the debian package.
ntlm_auth --username=user1 run as a regular user results in: "NT_STATUS_OK: The operation completed successfully. (0x0)"
It should fail if not allowed to read from winbind, I suppose.
Thanks.
Zb
---------- Original e-mail ----------
From: Amos Jeffries <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Date: 23. 7. 2019 11:03:37
Subject: Re: [squid-users] squid 4 fails to authenticate using NTLM
"On 23/07/19 7:53 am, zby wrote:
> My problem: my browser keeps on prompting for authentication.
> Facts:
>
> Debian 10 x86_64
> squid-4.6 + samba-4.9
> joined AD using "net ads join -U ...". OK.
> wbinfo -t : OK
> wbinfo -P or -p : OK
> wbinfo -i userXYZ : returns data (OK)
> wbinfo -g (well, fails to "deliver", too many users?)
> smbclient -U userXYZ //host/share : works, logs me in
This is irrelevant to Squid. It only tells that the user account has
filesystem access privileges. Nothing about web access privileges, or
whether the *Squid* user account has access to authenticate user logins.
>
> wbinfo -a domain\\user%pass:
> plaintext password authentication succeeded
"plaintext" means Basic authentication.
> challenge/response password authentication failed
>
Challenge/Response could mean anything auth related.
> sqadmin at host13:~$ ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> --domain=ad001
> userw01 Passwd001
> SPNEGO request [userw01 Passwd001] invalid prefix
> BH SPNEGO request invalid prefix
>
"userw01 Passwd001" is not a SPNEGO token.
see <https://wiki.squid-cache.org/Features/AddonHelpers#Negotiate_and_NTLM_Scheme>
Pass the helper the "KK" request command and the token you see in the
HTTP headers. For example:
KK TlRMTVNTUAADAAAAGAAYAIwAAABOAU4BpAAAAAoACgBYAAAAEAAQAGIAAAAa...
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
"
"
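Amos's "KK <token>" helper line and the "Got user=[user1] domain=[DOM1] workstation=[machine1] len1=24 len2=334" cache.log line quoted above both refer to the same thing: the NTLMSSP AUTHENTICATE_MESSAGE (type 3) the browser sends in its Authorization header. The Python below is an added example, not code from this thread or from Samba's ntlm_auth: it decodes the cleartext fields of such a token (user, domain, workstation and the two response lengths) in the form the helper logs them, so a token copied from an access log can be matched against a cache.log failure without running the helper. The token it parses is built from constructed values; the NTLMv2 response is zero-filled because its content is not needed for this check.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # fixed prefix of every NTLMSSP message (MS-NLMP)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when this flag is set
AUTHENTICATE_MESSAGE = 3
HEADER_LEN = 88  # 64-byte fixed part + 8-byte Version + 16-byte MIC before the payload

def build_authenticate(user, domain, workstation, lm_resp, nt_resp,
                       flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Build a type 3 token from constructed values; used here only to make test input."""
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    items = [lm_resp, nt_resp, domain.encode(enc), user.encode(enc),
             workstation.encode(enc), b""]  # field order fixed by MS-NLMP, last is session key
    fields, payload = b"", b""
    for item in items:  # each field descriptor: Len(2) MaxLen(2) Offset(4), little-endian
        fields += struct.pack("<HHI", len(item), len(item), HEADER_LEN + len(payload))
        payload += item
    body = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE) + fields
    body += struct.pack("<I", flags) + bytes(8) + bytes(16)  # Version and MIC zeroed
    return base64.b64encode(body + payload).decode("ascii")

def parse_authenticate(token_b64):
    """Return the cleartext fields of a base64 type 3 token as ntlm_auth reports them."""
    msg = base64.b64decode(token_b64)
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIGNATURE or \
            struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE (type 3)")

    def field(pos):  # read one Len/MaxLen/Offset descriptor and bounds-check it
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
        if offset + length > len(msg):
            raise ValueError("field at %d points past end of message" % pos)
        return msg[offset:offset + length]

    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    return {
        "user": field(36).decode(enc),
        "domain": field(28).decode(enc),
        "workstation": field(44).decode(enc),
        "len1": len(field(12)),  # LmChallengeResponse; 24 bytes in the log above
        "len2": len(field(20)),  # NtChallengeResponse; 334 bytes = NTLMv2 with target info
    }

def log_line(info):
    """Same shape as the 'Got user=...' line ntlm_auth writes to cache.log."""
    return "Got user=[%s] domain=[%s] workstation=[%s] len1=%d len2=%d" % (
        info["user"], info["domain"], info["workstation"], info["len1"], info["len2"])
```

A real token (the base64 after "NTLM " in the Authorization header, or after "KK " on the helper's stdin) decodes the same way; a user that decodes correctly here but still fails with "Reading winbind reply failed!" points at the helper's access to the winbindd_privileged pipe, as in this thread, not at the token.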