Re: proxy-auth NTLM stop working

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On 11/05/11 05:44, Ricardo Nuno wrote:
> Hi,
>
> I had a working setup with Ubuntu 10.04 LTS x64 with the following versions:
>
> squid 3.0.STABLE19-1ubuntu0.1
> samba 2:3.4.7~dfsg-1ubuntu3.5
>
> We have a AD domain with around 50 clients using Windows 7 and joined
> in the domain.
> For this clients we user squid with kerberos and it's working fine
> with no issues.
>
> We had a second auth method (NTLM basic,ntlmssp) for clients that were
> not joined in the domain.
> For this clients normally a pop-up auth appear in the browser witch
> then the user should provide AD
> credentials in the following manner:
>
> User: MYDOMAIN\user
> Pass: password
>
> Since last week NTLM seams to stop working, but from all the tests i
> run from the proxy shell it seams ok
> Here is what i already did to debug the issue:
>
> root@proxy:/# net ads testjoin
> Join is OK
>
> root@proxy:/# wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> root@proxy:/# wbinfo -a lsquintella%lsquintella
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> wbinfo -u and wbinfo -g both work and list users and groups without the domain.
> I'm using ntml binary from the samba:
>
> root@proxy:/# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> mydomain+lsquintella lsquintella
> OK
>
> Im running out of ideas to solve this im missing something here?

Okay to Basic auth protocol works. Now what about the other two? you 
have Negotiate configured as first option and NTLM configured as second.
 It is *entirely* up to the browser which of the three options it picks 
to use.
 - IE is known only to pick the first it can use and not failover.
 - Recent windows OS will not respond to NTLM by default.

Or it could be a simpler failure in the helpers looking up the other 
protocols tokens.

> Can someone please point me to the right direction.

You can test the other protocols by cut-n-pasting the HTTP header value 
received from the logs and pasting it to the helper. Squid just tacks a 
"TT " onto the beginning and passes the header line on unchanged to the 
helper hoping for an "AF" (success) or "BH" (fail) result.


> /etc/squid3/squid.conf
>
> visible_hostname proxy1.mydomain.lan
> http_port 3128
>
> hierarchy_stoplist cgi-bin ?
>
> cache_mem 1024 MB
> maximum_object_size 8096 KB
>
> cache_dir aufs /var/spool/squid3 50000 16 256
> cache_access_log  /var/log/squid3/access.log
> cache_log  /var/log/squid3/cache.log squid
> cache_store_log none
>
> #Suggested default:
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .                       0               20%     4320
> refresh_pattern -i (cgi-bin|\?)                         0
>   0%              0
> refresh_pattern -i \.index.(html|htm)$          0               40%
>        10080
> refresh_pattern -i \.(html|htm|css|js)$         1440    40%             40320
>
> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s
> HTTP/ldapbind@xxxxxxxxxxxx
> auth_param negotiate children 20
> auth_param negotiate keep_alive on
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param ntlm keep_alive on
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 10
> auth_param basic realm Mydomain Log
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> external_acl_type FaGroup ttl=900 %LOGIN
> /usr/lib/squid3/squid_ldap_group -R -b "dc=mydomain,dc=lan" -D
> "cn=ldapbind,cn=users,dc=mydomain,dc=lan" -W "/etc$
>
> authenticate_ttl 1 hour
> authenticate_cache_garbage_interval 1 hour
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563 8443         # https
>
> acl Safe_ports port 80                  # http
> acl Safe_ports port 21                  # ftp
> acl Safe_ports port 443 563             # https
> acl Safe_ports port 70                  # gopher
> acl Safe_ports port 210                 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280                 # http-mgmt
> acl Safe_ports port 488                 # gss-http
> acl Safe_ports port 591                 # filemaker
> acl Safe_ports port 777                 # multiling http
> acl Safe_ports port 631                 # cups
> acl Safe_ports port 873                 # rsync
> acl Safe_ports port 901                 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
>
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> acl rede_interna src 192.168.20.0/24
> acl rede_servidores src 192.168.10.0/24
> acl h_trabalho_manha time MTWHF 09:00-13:00
> acl h_trabalho_tarde time MTWHF 14:30-18:00
> acl FullAccess external FaGroup InetFA
>
> acl sites_internos_nocache dst 192.168.10.0/24
> cache deny sites_internos_nocache
>
> acl Publicidade url_regex "/etc/squid3/list/publicidade.acl"
> acl BlockFiles urlpath_regex -i "/etc/squid3/list/block-files.acl"
> acl BlockSites dstdomain "/etc/squid3/list/block-sites.acl"
> acl TimeBasedSites dstdomain "/etc/squid3/list/timebased-sites.acl"
> acl DenyFun dstdomain "/etc/squid3/list/block-sites-fun.acl"
> deny_info ERR_MYDOMAIN_TBSITES_DENY TimeBasedSites
> deny_info ERR_MYDOMAIN_FUN_DENY DenyFun
>
> acl windowsupdate dstdomain windowsupdate.microsoft.com
> acl windowsupdate dstdomain .update.microsoft.com
> acl windowsupdate dstdomain download.windowsupdate.com
> acl windowsupdate dstdomain redir.metaservices.microsoft.com
> acl windowsupdate dstdomain images.metaservices.microsoft.com
> acl windowsupdate dstdomain c.microsoft.com
> acl windowsupdate dstdomain www.download.windowsupdate.com
> acl windowsupdate dstdomain wustat.windows.com
> acl windowsupdate dstdomain crl.microsoft.com
> acl windowsupdate dstdomain sls.microsoft.com
> acl windowsupdate dstdomain productactivation.one.microsoft.com
> acl windowsupdate dstdomain ntservicepack.microsoft.com
>
> acl CONNECT method CONNECT
> acl wuCONNECT dstdomain www.update.microsoft.com
> acl wuCONNECT dstdomain sls.microsoft.com
> acl wuCONNECT dstdomain .dropbox.com
>
> http_access allow CONNECT wuCONNECT rede_interna
> http_access allow CONNECT wuCONNECT localhost
> http_access allow windowsupdate rede_interna
> http_access allow windowsupdate localhost
>
> acl msn url_regex -i gateway.dll
> acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
> acl msn1 req_mime_type ^application/x-msn-messenger$
>
> http_access deny msnd
> http_access deny msn
> http_access deny msn1
>
> http_access deny !FullAccess Publicidade

"FullAccess" requires auth to be known in order to use.... these lines 
all contradict "http_access allow all NoAuthNeeded" below.


> http_access deny !FullAccess BlockFiles
> http_access deny !FullAccess BlockSites
> http_access deny !FullAccess DenyFun
> http_access deny rede_interna h_trabalho_manha !FullAccess TimeBasedSites
> http_access deny rede_interna h_trabalho_tarde !FullAccess TimeBasedSites
>
> acl NoAuthNeeded dstdomain .avg.com backup.avg.cz .dropbox.com
> .google.com .openoffice.org
> http_access allow all NoAuthNeeded
>
> acl AuthorizedUsers proxy_auth REQUIRED
> http_access allow AuthorizedUsers
>
> # And finally deny all other access to this proxy
> http_access deny all
> http_reply_access allow all
>
> cache_mgr sys@xxxxxxxxxxxx
> logfile_rotate 10
> error_directory /etc/squid3/error
> coredump_dir /var/spool/squid3
>
> --
> Ricardo Nuno

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1