Search squid archive

Re: ntlm_auth question/problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Does nobody use ntlm_auth ?

Markus

"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message news:g317rp$9v7$1@xxxxxxxxxxxxxxxx
I am trying to authenticate users with ntlm_auth but fail and don't find the reason. I see the initial NTLM challenge, but then the Browser doesn't continue the next NTLM step ( at least that is what I think happens)

Any idea what I did wrong ?

Thank you
Markus

uname -a
Linux Opensuse 2.6.22.17-0.1-default #1 SMP 2008/02/10 20:01:04 UTC i686 i686 i386 GNU/Linux
Opensuse:~ # cat /etc/SuSE-release
openSUSE 10.3 (i586)
VERSION = 10.3

squid -v
Squid Cache: Version 2.6.STABLE14
configure options: '--prefix=/usr' '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--mandir=/usr/share/man' '--with-dl' '--with-maxfd=4096' '--with-valgrind-debug' '--enable-snmp' '--enable-carp' '--enable-auth=basic digest negotiate ntlm' '--enable-basic-auth-helpers=LDAP MSNT NCSA PAM SMB YP getpwnam multi-domain-NTLM' '--enable-ntlm-auth-helpers=SMB fakeauth no_check' '--enable-digest-auth-helpers=ldap password' '--enable-external-acl-helpers=ip_user ldap_group session unix_group wbinfo_group' '--enable-ntlm-fail-open' '--enable-arp-acl' '--enable-htcp' '--enable-underscores' '--enable-stacktraces' '--enable-delay-pools' '--enable-useragent-log' '--enable-referer-log' '--enable-forward-log' '--enable-multicast-miss' '--enable-ssl' '--enable-cache-digests' '--enable-auth-on-acceleration' '--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-icmp' '--with-samba-sources=/usr/include/samba' '--enable-large-cache-files' '--enable-x-accelerator-vary' '--enable-follow-x-forwarded-for' 'CFLAGS=-O2 -march=i586 -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -g -fPIE -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS=-pie'


squid.conf:

http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
auth_param ntlm program /usr/sbin/ntlm_auth -d WIN2003R2\\w2k3r2
auth_param ntlm children 5
auth_param ntlm keep_alive on
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 8333
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl authenticated proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow authenticated
http_access deny all
icp_access allow all
coredump_dir /var/cache/squid

cache.log

ntlm_auth[8452](ntlm_auth.c:284): managing request
ntlm_auth[8452](ntlm_auth.c:290): ntlm authenticator. Got 'YR TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD1dJTlhQV0lOMjAwM1Iy' from Squid ntlm_auth[8452](ntlm_auth.c:239): obtain_challenge: selecting WIN2003R2\W2K3R2 (attempt #1)
ntlm_auth[8452](ntlm_auth.c:251): attempting challenge retrieval
ntlm_auth[8452](libntlmssp.c:119): Connecting to server W2K3R2 domain WIN2003R2
ntlm_auth[8452](ntlm_auth.c:253): make_challenge retuned 0x8000ef60
ntlm_auth[8452](ntlm_auth.c:255): Got it
ntlm_auth[8452](ntlm_auth.c:437): sending 'TT TlRMTVNTUAACAAAACQAJACgAAACCgkEAyigxBxKJUqQAAAAAAAAAAFdJTjIwMDNSMg==' to squid


Wireshark capture:

GET http://www.bbc.co.uk/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD1dJTlhQV0lOMjAwM1Iy
Proxy-Connection: Keep-Alive
Host: www.bbc.co.uk

HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.6.STABLE14
Date: Sat, 14 Jun 2008 18:55:14 GMT
Content-Type: text/html
Content-Length: 1310
Expires: Sat, 14 Jun 2008 18:55:14 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM TlRMTVNTUAACAAAACQAJACgAAACCgkEAiqcyv4MUME0AAAAAAAAAAFdJTjIwMDNSMg==
X-Cache: MISS from opensuse.suse.home
X-Cache-Lookup: NONE from opensuse.suse.home:3128
Via: 1.0 opensuse.suse.home:3128 (squid/2.6.STABLE14)
Proxy-Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd";> <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: Cache Access Denied</TITLE>
<STYLE type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
</HEAD>
<BODY>
<H1>ERROR</H1>
<H2>Cache Access Denied</H2>
<HR noshade size="1px">
<P>
While trying to retrieve the URL:
<A HREF="http://www.bbc.co.uk/";>http://www.bbc.co.uk/</A>
<P>
The following error was encountered:
<UL>
<LI>
<STRONG>
Cache Access Denied.
</STRONG>
</UL>
</P>

<P>Sorry, you are not currently allowed to request:
<PRE>    http://www.bbc.co.uk/</PRE>
from this cache until you have authenticated yourself.
</P>

<P>
You need to use Netscape version 2.0 or greater, or Microsoft Internet
Explorer 3.0, or an HTTP/1.1 compliant browser for this to work.  Please
contact the <A HREF="mailto:webmaster";>cache administrator</a> if you have
difficulties authenticating yourself or
<A HREF="http://opensuse.suse.home/cgi-bin/chpasswd.cgi";>change</a> your default password.
</P>

<BR clear="all">
<HR noshade size="1px">
<ADDRESS>
Generated Sat, 14 Jun 2008 18:55:14 GMT by opensuse.suse.home (squid/2.6.STABLE14)
</ADDRESS>

squid server is part of domain (e.g. wbinfo -g works fine)

wbinfo -g
WIN2003R2\iis_wpg
WIN2003R2\session directory computers
WIN2003R2\domain computers
WIN2003R2\domain controllers
WIN2003R2\schema admins
WIN2003R2\enterprise admins
WIN2003R2\cert publishers
WIN2003R2\domain admins
WIN2003R2\domain users
WIN2003R2\domain guests
WIN2003R2\group policy creator owners
WIN2003R2\ras and ias servers
WIN2003R2\dnsadmins
WIN2003R2\dnsupdateproxy
WIN2003R2\certsvc_dcom_access
WIN2003R2\win2003r2users
WIN2003R2\sqlserver2005sqlbrowseruser$w2k3r2
WIN2003R2\sqlserver2005mssqlserveradhelperuser$w2k3r2
WIN2003R2\sqlserver2005mssqluser$w2k3r2$sqlexpress
WIN2003R2\solarisgroup
WIN2003R2\susegroup
WIN2003R2\squid_allow







[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux