[squid-users] Squid V 3.5.23 authenticating in AD: User names not showing in log

L.P.H. van Belle belle at bazuin.nl
Thu May 16 09:48:36 UTC 2019


This is related to Samba and MS disabling NTLM (smb1).
What is the Samba version in question and the running OS?

But the first thing you can try is to set in smb.conf:

ntlm auth = yes


Greetz, 

Louis


> -----Original message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Amos Jeffries
> Sent: Thursday 16 May 2019 11:13
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid V 3.5.23 authenticating in AD: User names not showing in log
> 
> On 16/05/19 5:45 am, Rafael Silva Daniel wrote:
> > Hello! I'm in need of serious help. In my company we need the access logs by
> > user name; it is the only reason the proxy is set to authenticate, but it
> > just doesn't show it. The relevant parts of the .conf look like this:
> > 
> > (...)
> > auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=XXXXX(domain name)
> > auth_param ntlm children 100
> > auth_param ntlm keep_alive off
> > 
> > external_acl_type NT_global_group %LOGIN /usr/lib/squid/ext_wbinfo_group_acl
> > acl users external NT_global_group "/etc/squid/fapgrp"
> > (...)
> > 
> > (...)
> > http_access deny !users
> > http_access allow users
> > http_access deny !auth
> > (...)
> > 
> 
> There is no natural reason why those CONNECT should be exempt from
> authenticating.
> 
> I usually find situations like what you describe happen where someone
> has misunderstood the default security rules and "customized" them a
> bit. They are finely tuned rules, so vast changes to proxy behaviour
> (like complete bypass of auth) can result if updates to them are not
> done correctly.
> 
> Can you please show more of your http_access rules? All of them would be
> best. At minimum all of the ones above that "http_access deny !auth"
> line, and the definition lines for any ACLs used in those rules (include
> that "auth" ACL definition too please).
> 
> 
> 
> > ***("/etc/squid/fapgrp" is a text file with the text "Usuários do dóminio",
> > it's "Domain Users" in Portuguese)
> > 
> > When I test the helper:
> > 
> > /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=XXXXX
> > user password
> > BH SPNEGO request invalid prefix
> > 
> > I read somewhere that ntlmssp can be tested like this, because we are
> > sending the credentials as plain text, so I tested with basic and the result
> > is this:
> > 
> > /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-basic --domain=XXXXX
> > user password
> > OK
> > user password
> > ERR
> > 
> > So, I'm assuming that the way Squid is processing the challenges is fine, is
> > it right?
> 
> That is a test that the helper is talking to the AD service okay. It
> cannot tell you whether the client and Squid are communicating the NTLM
> credentials.
> 
> 
> The NTLM protocol does not deliver passwords across the network. NTLM
> uses (weak) encrypted tokens instead. All Squid does is pass the token
> as-is to the helper. The helper then informs Squid what username to log
> for that token (if any).
>  So to test that part you need to locate a valid token and pass that to
> the helper instead of username/password.
> 
> However, before you go to any trouble over that, I do not think the
> helper or auth are the problem here. Something is clearly letting the
> CONNECT happen without even going near the auth process.
> 
> 
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 
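
The rule-ordering problem Amos describes above (something letting CONNECT through before the auth process is reached) can be checked mechanically. This is an added example, not code from the thread or from the Squid project: a simplified first-match model of http_access ordering, run on a constructed squid.conf in which the "acl auth" definition and the "allow CONNECT SSL_ports" rule are assumptions.

```python
# Constructed sample, NOT the poster's real squid.conf. The "acl auth" line and
# the "allow CONNECT SSL_ports" rule are assumptions added for illustration.
SAMPLE_CONF = """\
acl SSL_ports port 443
acl CONNECT method CONNECT
acl auth proxy_auth REQUIRED
external_acl_type NT_global_group %LOGIN /usr/lib/squid/ext_wbinfo_group_acl
acl users external NT_global_group "/etc/squid/fapgrp"
http_access allow CONNECT SSL_ports
http_access deny !users
http_access allow users
http_access deny !auth
http_access deny all
"""

AUTH_ACL_TYPES = {"proxy_auth", "proxy_auth_regex"}

def auth_acls(conf):
    """Names of ACLs whose evaluation makes Squid ask for credentials."""
    login_helpers, names = set(), set()
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 3 and tok[0] == "external_acl_type" and "%LOGIN" in tok[2:]:
            login_helpers.add(tok[1])  # external helper that is fed the login name
        elif len(tok) >= 3 and tok[0] == "acl":
            if tok[2] in AUTH_ACL_TYPES:
                names.add(tok[1])
            elif tok[2] == "external" and len(tok) > 3 and tok[3] in login_helpers:
                names.add(tok[1])
    return names

def unauthenticated_allows(conf):
    """(line number, rule) for allow rules that can match before credentials are requested."""
    needs_auth, findings = auth_acls(conf), []
    for lineno, line in enumerate(conf.splitlines(), 1):
        tok = line.split("#", 1)[0].split()
        if len(tok) < 3 or tok[0] != "http_access":
            continue
        acls = [t.lstrip("!") for t in tok[2:]]
        if acls[0] in needs_auth:
            break  # every request reaching this rule is challenged; later rules are gated
        if tok[1] == "allow" and not any(a in needs_auth for a in acls):
            findings.append((lineno, " ".join(tok)))
    return findings

if __name__ == "__main__":
    for lineno, rule in unauthenticated_allows(SAMPLE_CONF):
        print(f"line {lineno}: '{rule}' allows requests without a user name")
```

Requests matched by a flagged rule are logged with "-" in the user field, because first match wins and the auth helper is never consulted for them.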


