Re: NTLMSSP works with CONNECT but not with GET - SOLVED

["Aleksander F. Honma" <aleks@xxxxxxxxxxxxxx>]

Hello List,

   This just to save time from someone that might be having the same 
problems I had.

INFO-1
SAMBA 3.0.29 and 3.0.30 has a bug and NTLM DOES NOT if Winbind and Squid 
are both running in the PDC/BDC.
(https://bugzilla.samba.org/show_bug.cgi?id=5489)

INFO-2
AVG 8.0 Antivirus has a feature called WEB SHIELD which blocks host from 
send GET with AUTH info. This feature has to be disabled or correctly 
configured for NTLM to work correctly. Even sniffing traffic it gets 
hard to tell what the problem is.

   That's my two cents, which I hope to save people's time.

Thanks,

Aleksander França Honma




Aleksander F. Honma wrote:
> Hello List,
>
>    I'm having a quite strange problem that I just can't figure it out.
>    Using NTLM_AUTH with NTLMSSP helper, my browser (IE and Firefox) 
> can't connect to HTTP but it can connect to HTTPS site.
>    As an example, I can connect to "https://www.gmail.com"; but cannot 
> connect to "http://www.gmail.com";.
>
>    Checking my logs and sniffing packets, it became clear that CONNECT 
> requests do full successful authentication, but GET commands won't.
>    Could any good soul point me a direction? I've tried pretty much 
> everything I could in last 10 hours trying to isolate the problem, but 
> no matter what log level I use I just can't get a hint.
>
> FACTS
> # wbinfo -t
>
> checking the trust secret via RPC calls succeeded
>
> # wbinfo -a mydomain\\myuser%mypasswd
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> MY SETUP
> x86 box
> Fedora 6 ( 2.6.18-1.2798.fc6)
> Samba version 3.0.26a (RPM)
> OPENLDAP as passdb backend
> squid-2.6.STABLE20.tar.gz (compiled with ntlm,basic)
>
>
> SQUID is running on a BDC, with slave LDAP all sitting in a different 
> subnet from the PDC.
>
>
> PIECE OF LOG
> 2008/05/01 19:28:32| The request GET http://www.gmail.com/ is DENIED, 
> because it matched 'autenticados'
> 2008/05/01 19:28:32| The reply for GET http://www.gmail.com/ is 
> ALLOWED, because it matched 'autenticados'
> 2008/05/01 19:28:32| authenticateNTLMAuthenticateUser: need to 
> challenge client 
> 'TlRMTVNTUAACAAAAFAAUADAAAAAFgomitLh/n3nYBEkAAAAAAAAAAEAAQABEAAAAQQBTAFMASQBNAEUARABJAEMAQQACABQAQQBTAFMASQBNAEUARABJAEMAQQABAAwATgBFAFQAQgBEAEMABAAAAAMADABuAGUAdABiAGQAYwAAAAAA'! 
>
> 2008/05/01 19:28:32| The request GET http://www.gmail.com/ is DENIED, 
> because it matched 'autenticados'
> 2008/05/01 19:28:32| The reply for GET http://www.gmail.com/ is 
> ALLOWED, because it matched 'autenticados'
> 2008/05/01 19:28:32| clientReadRequest: FD 17: no data to process 
> ((11) Resource temporarily unavailable)
> 2008/05/01 19:28:36| The request CONNECT www.gmail.com:443 is DENIED, 
> because it matched 'autenticados'
> 2008/05/01 19:28:36| The reply for CONNECT www.gmail.com:443 is 
> ALLOWED, because it matched 'autenticados'
> 2008/05/01 19:28:36| authenticateNTLMAuthenticateUser: need to 
> challenge client 
> 'TlRMTVNTUAACAAAAFAAUADAAAAAFgomi2eV4B/2CiVAAAAAAAAAAAEAAQABEAAAAQQBTAFMASQBNAEUARABJAEMAQQACABQAQQBTAFMASQBNAEUARABJAEMAQQABAAwATgBFAFQAQgBEAEMABAAAAAMADABuAGUAdABiAGQAYwAAAAAA'! 
>
> 2008/05/01 19:28:36| The request CONNECT www.gmail.com:443 is DENIED, 
> because it matched 'autenticados'
> 2008/05/01 19:28:36| The reply for CONNECT www.gmail.com:443 is 
> ALLOWED, because it matched 'autenticados'
> 2008/05/01 19:28:36| clientReadRequest: FD 17: no data to process 
> ((11) Resource temporarily unavailable)
> 2008/05/01 19:28:37| authenticateAuthUserRequestSetIp: user 'aleks' 
> has been seen at a new IP address (192.168.1.235)
> 2008/05/01 19:28:37| The request CONNECT www.gmail.com:443 is ALLOWED, 
> because it matched 'autenticados'
> 2008/05/01 19:28:41| The request CONNECT mail.google.com:443 is 
> DENIED, because it matched 'autenticados'
> 2008/05/01 19:28:41| The reply for CONNECT mail.google.com:443 is 
> ALLOWED, because it matched 'autenticados'
> 2008/05/01 19:28:41| authenticateNTLMAuthenticateUser: need to 
> challenge client 
> 'TlRMTVNTUAACAAAAFAAUADAAAAAFgomib/Z8EcbV8moAAAAAAAAAAEAAQABEAAAAQQBTAFMASQBNAEUARABJAEMAQQACABQAQQBTAFMASQBNAEUARABJAEMAQQABAAwATgBFAFQAQgBEAEMABAAAAAMADABuAGUAdABiAGQAYwAAAAAA'! 
>
> 2008/05/01 19:28:41| The request CONNECT mail.google.com:443 is 
> DENIED, because it matched 'autenticados'
> 2008/05/01 19:28:41| The reply for CONNECT mail.google.com:443 is 
> ALLOWED, because it matched 'autenticados'
> 2008/05/01 19:28:41| clientReadRequest: FD 21: no data to process 
> ((11) Resource temporarily unavailable)
> 2008/05/01 19:28:41| The request CONNECT mail.google.com:443 is 
> ALLOWED, because it matched 'autenticados'
> 2008/05/01 19:28:44| The request CONNECT www.google.com:443 is DENIED, 
> because it matched 'autenticados'
> 2008/05/01 19:28:44| The reply for CONNECT www.google.com:443 is 
> ALLOWED, because it matched 'autenticados'
>
>
>    Any piece of useful information is more than welcome.
>
> Many thanks,
> Aleksander França Honma