Search squid archive

RE: Authentication Issue with Squid and mixed BASIC/NTLM auth

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This has all been on a test machine that has access to OWA and the
internal network, nothing production was touched :) I work with a very
large network so I have a lot of resources to at my disposal. 

The config (it's been sanitized for confidentiality reasons): 

https_port 10.212.134.117:443 vhost protocol=http
cert=/etc/squid/certs/mail.bar.com.san.pem
https_port 10.212.134.119:443 vhost defaultsite=mail.foo.com
protocol=http cert=/etc/squid/certs/foo.pem
https_port 10.212.134.121:443 vhost protocol=http
cert=/etc/squid/certs/domain.domain.com.san.pem
https_port 10.212.134.123:443 vhost defaultsite=mail.domain2.com
protocol=http cert=/etc/squid/certs/mail.domain2.com.pem
https_port 10.212.134.123:8000 vhost defaultsite=domain3.domain3.com
protocol=http cert=/etc/squid/certs/domain3.domain.pem
https_port 10.212.134.125:443 vhost defaultsite=owa.domain4.com
protocol=http cert=/etc/squid/certs/owa.domain4.pem
cache_peer 10.212.133.52 parent 80 0 proxy-only no-query no-digest
originserver front-end-https=on login=PASS
cache_peer 10.212.133.102 parent 80 0 proxy-only no-query no-digest
originserver front-end-https=on login=PASS 
cache_peer 10.212.133.131 parent 80 0 proxy-only no-query no-digest
originserver front-end-https=on login=PASS 
cache_peer 10.212.133.56 parent 80 0 proxy-only no-query no-digest
originserver front-end-https=on login=PASS
cache_peer 192.168.12.44 parent 80 0 proxy-only no-query no-digest
originserver front-end-https=on login=PASS
cache_peer_domain 10.212.133.52 mail.bar.com
cache_peer_domain 10.212.133.102 mail.foo.com
cache_peer_domain 10.212.133.56 domain1.domain1.com domain2.domain2.com
domain3.domain3.com
cache_peer_domain 10.212.133.131 mail.domain5.com
autodiscover.domain5.com
cache_peer_domain 192.168.12.44 owa.domain4.com
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl owa_access myport 80 443 8000
http_access allow all owa_access
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid
extension_methods RPC_IN_DATA RPC_OUT_DATA

The fact that NTLM is supposed to always require domain is strange
indeed. I can confirm that it is negotiating NTLM too, we sync
ActiveSync phones off of the proxy, and they require NTLM for auth.

-Chris

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] 
Sent: Friday, October 17, 2008 10:31 PM
To: Chris Natter
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re:  Authentication Issue with Squid and mixed
BASIC/NTLM auth


Um, something weird is going on. I'm a little scared by the double sets 
of bad news.
Can you confirm that your in-use systems are okay. I haven't led you to 
a point where anything serious is broken? (ie this is all isolated on a 
test machine where its okay to break?)


Chris Natter wrote:
> Hmmm, strange. I tested 2.7STABLE4, but it doesn't seem to be
stripping
> the DOMAIN, it will still accept only DOMAIN\USERNAME. Perhaps I'm
> missing something?

I've looked at it closer. And the patches which I saw earlier were for a

slightly different helper (mapping NTLM front-end auth to LDAP backend)

Henrik informs me that NTLM always needs the domain. Which makes me 
wonder why you didn't in 3.0.

> 
> I also tested squid-3.1-20081016, built with a spec file adopted from
a
> squid3.0STABLE7 Redhat package:
> 
> configure \
>    --exec_prefix=/usr \
>    --bindir=%{_sbindir} \
>    --libexecdir=%{_libdir}/squid \
>    --localstatedir=/var \
>    --datadir=%{_datadir} \
>    --sysconfdir=/etc/squid \
>    --disable-dependency-tracking \
>    --enable-arp-acl \
>    --enable-auth="basic,digest,ntlm,negotiate" \
>  
>
--enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-do
> main-NTLM,SASL" \
>    --enable-cache-digests \
>    --enable-cachemgr-hostname=localhost \
>    --enable-delay-pools \
>    --enable-digest-auth-helpers="password" \
>    --enable-epoll \
>  
>
--enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_grou
> p" \
>    --enable-icap-client \
>    --enable-ident-lookups \
>    --enable-linux-netfilter \
>    --enable-ntlm-auth-helpers="SMB,fakeauth" \
>    --enable-referer-log \
>    --enable-removal-policies="heap,lru" \
>    --enable-snmp \
>    --enable-ssl \
>    --enable-storeio="aufs,coss,diskd,,ufs" \
>    --enable-useragent-log \
>    --enable-wccpv2 \
>    --with-default-user="squid" \
>    --with-filedescriptors=16384 \
>    --with-dl \
>    --with-openssl=/usr/kerberos \
>    --with-pthreads
> 
> And it looks like NTLM could be broken (I don't want to make
> assumptions). I was unable to pass credentials in either the
> DOMAIN\USERNAME or USERNAME format to OWA through squid. It also
forced
> an NTLM prompt for Firefox that I had to escape out of before I could
> authenticate with BASIC auth.
> 
> I wasn't able to test spell-check as I couldn't authenticate to the
OWA
> server.

That is a worry for us. Thanks for testing and finding the issue.
This is the first bug report on connection pinning.
for our info: did you have the "login=PASS" on the cache_peer line? and 
woudld you mind sharing the config?

Amos


> 
> Thanks!
> -Chris
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] 
> Sent: Thursday, October 16, 2008 5:37 AM
> To: Chris Natter
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: Re:  Authentication Issue with Squid and mixed
> BASIC/NTLM auth
> 
> Chris Natter wrote:
>> We were having issues with spell-check in 3.0, I haven't tried any of
>> the development builds to see if it was resolved though in a later
>> release. 
>  >
>> OWA spell-check just seems to hang when you attempt to spell-check an
>> email, or gives the "try again later" prompt. I saw some previous
>> postings on the archive of the mailing list, but most of them are
very
>> outdated.
>>
>> I'll have to build an RPM of squid 2.7 and check to see if that
solves
>> both issues.
> 
> Ah, now that you mention it I vaguely recall the topic as it flew past
a
> 
> while back.
> 
> Yes, 2.7 is likely the most dependable to have both combos of fixes
you 
> need.
> 
> Without knowing the cause the spellcheck issue _may_ have been
resolved 
> in 3.1.  Both of the MS workarounds and 'unknown method' support are
now
> 
> present. If you have a spare moment and are inclined to test it please

> let us know the result. If you still hit bad news for 3.1, its 
> definitely a bug that needs looking into at some point.
> 
> Amos
> 
>> Thanks for the help.
>>
>> -----Original Message-----
>> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] 
>> Sent: Wednesday, October 15, 2008 6:46 PM
>> To: Chris Natter
>> Cc: squid-users@xxxxxxxxxxxxxxx
>> Subject: Re:  Authentication Issue with Squid and mixed
>> BASIC/NTLM auth
>>
>>> Hey all,
>>>
>>>
>>>
>>> I've got a tough situation I'm hoping someone can help me with.
>>>
>>>
>>>
>>> We 'downgraded' from an old 3.0PRE build that a predecessor had
setup
>> on a
>>> reverse proxy, to squid 2.6.STABLE20. The proxy runs your standard
> OWA
>>> over Reverse Proxy setup, with login=PASS to an OWA backend running
>> with
>>> BASIC/NTLM auth. We have to have the NTLM for phones that sync with
>>> ActiveSync.
>>>
>>>
>>>
>>> It seems like something fundamental has changed in the way squid
>> handles
>>> auth from 3.0 to squid 2.6. Using firefox on 2.6, I can auth with
> just
>>> 'USERNAME', with IE on 2.6 we have to type "DOMAINUSERNAME" or
>>> "USER@DOMAIN" now. Previously, with squid 3.0, just 'USERNAME' would
>> work
>>> for auth.
>>>
>>>
>>>
>>> While this seems trivial, anything harder than just 'USERNAME'
> boggles
>> a
>>> lot of users. I'm assuming this has something to do with 'attempting
>> NTLM'
>>> negotiation? Is there a way around it in squid 2.6?
>>>
>> The cleaner @DOMAIN handling was only added to Squid 2.7+ and 3.0+.
> You
>> will need an upgrade again to one of those versions at least.
>>
>> What caused you to downgrade though? perhapse its been fixed now in
> 3.1?
>> Amos
> 
> 


-- 
Please use Squid 2.7.STABLE4 or 3.0.STABLE9


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux