Hi! Thanks for the reply, Amos! For some reason, I get the squid mailing list emails with a delay...

While I wasn't getting any response (thank you for your response) I dug a bit myself and found in the squid wiki a page about CentOS 5.5 (I'm using 6.2, but it is different from the page about CentOS) with some notes about NTLM authentication: http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5

I didn't need samba or nmb running, so I shut down those services and kept winbind running. Removed the basic authentication from squid.conf (I've already tried in Firefox 3 and Firefox 2 on Ubuntu 7.10 - the oldest Linux I'm running around here) and the authentication page appears, the user types their credentials and everything is fine.

I've also changed a line in my squid.conf:

From:
http_access allow ntlmAuth
to:
http_access allow HomeNetworks ntlmAuth

and it just started working - no authentication in Windows...

Thank you all!

----- Original Message -----
From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxx
Sent: Friday, 6 July, 2012 2:08:19 PM
Subject: Re: Authentication problems with NTLM

On 6/07/2012 11:42 p.m., Bruno Santos wrote:
> Hi!
>
> I've configured squid 3.1.10-1 (latest available for CentOS 6.2) with NTLM authentication, but squid keeps asking for username and password. And sometimes more than once...
>
> Users are authenticated in the domain, using IE6/7/9, but squid keeps asking for username/password.
>
> With other browsers and Linux it's normal, but in Windows no. I don't know if Firefox in Windows is supposed to ask for password or not, but it asks.

For machines logged into the domain being logged into a proxy which uses the domain credentials - the browser should never ask. This is a strong sign that the proxy is using different credentials than the ones used to log into the machine, or is losing them somehow..

> I have everything working with samba and winbind.
> Samba recognizes the user and winbind too.
>
> Wbinfo authentication:
>
> wbinfo -a teste%12345
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> Squid ntlm_auth is also working ok:
>
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> teste 12345
> OK

How much delay is the next thing to look for: I suspect 0.2sec?

> I noticed something in the logs: there are also a lot of TCP_DENIED before TCP_MISS (and squid didn't ask for password).
> An example of accessing a website:
>
> 111.111.11.11 TCP_DENIED/407 4758 GET http://www.venezuelatuya.com/tour/minitour.JPG - NONE/- text/html
> 1341573268.467 8 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minioccidente.jpg - NONE/- text/html
> 1341573268.469 9 111.111.11.11 TCP_DENIED/407 4766 GET http://www.venezuelatuya.com/tour/minicentro.jpg - NONE/- text/html
> 1341573268.472 11 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minilosroques.jpg - NONE/- text/html
> 1341573268.472 11 111.111.11.11 TCP_DENIED/407 4774 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg - NONE/- text/html
> 1341573268.474 10 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minicaracas.jpg - NONE/- text/html
> 1341573268.474 10 111.111.11.11 TCP_DENIED/407 4762 GET http://www.venezuelatuya.com/tour/miniandes.jpg - NONE/- text/html
> 1341573268.474 10 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minimargarita.jpg - NONE/- text/html
> 1341573268.549 275 111.111.11.11 TCP_MISS/200 2186 GET http://www.venezuelatuya.com/scripts/mapapaginaprincipal.js teste DIRECT/207.58.139.197 application/javascript
> 1341573268.576 139 111.111.11.11 TCP_MISS/200 444 GET http://www.venezuelatuya.com/principal.css teste DIRECT/207.58.139.197 text/css

This appears to be normal.
* Over the course of 7ms the client delivers 8 requests.
* squid responds with an auth-needed challenge, as required by NTLM, to each of these.

This might be connections opened in parallel, or requests pipelined at once before the first response comes back. 8 is a suspicious number: that is the default browser config value for the maximum number of connections to open for any one website. I highly suspect this is 8 new connections being opened and performing the NTLM handshake.

50ms later there are more denies. Which looks like the connections earlier authenticated (partially?) got closed and new ones needed authenticating.

> 1341573268.602 1 111.111.11.11 TCP_DENIED/407 4467 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
> 1341573268.606 1 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
> 1341573268.608 1 111.111.11.11 TCP_DENIED/407 4907 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
> 1341573268.617 1 111.111.11.11 TCP_DENIED/407 5186 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
> 1341573268.699 399 111.111.11.11 TCP_MISS/200 3817 GET http://www.venezuelatuya.com/scripts/barrabusqueda.js teste DIRECT/207.58.139.197 application/javascript

About 200ms after the earlier bunch of DENIED/407 responses an identical bunch pass through successfully. Exactly like the auth challenge was being responded to with correct credentials.

> 1341573268.741 272 111.111.11.11 TCP_MISS/200 2801 GET http://www.venezuelatuya.com/tour/minioccidente.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.745 137 111.111.11.11 TCP_MISS/200 3520 GET http://www.venezuelatuya.com/tour/minioriente.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.753 274 111.111.11.11 TCP_MISS/200 2062 GET http://www.venezuelatuya.com/tour/minilosroques.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.755 276 111.111.11.11 TCP_MISS/200 2725 GET http://www.venezuelatuya.com/tour/miniandes.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.867 400 111.111.11.11 TCP_MISS/200 4137 GET http://www.venezuelatuya.com/tour/minitour.JPG teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.869 396 111.111.11.11 TCP_MISS/200 3447 GET http://www.venezuelatuya.com/tour/minicentro.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.877 400 111.111.11.11 TCP_MISS/200 3310 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.880 403 111.111.11.11 TCP_MISS/200 3829 GET http://www.venezuelatuya.com/tour/minimargarita.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.882 404 111.111.11.11 TCP_MISS/200 3452 GET http://www.venezuelatuya.com/tour/minicaracas.jpg teste DIRECT/207.58.139.197 image/jpeg

You can test this theory by grabbing a TCP packet trace of the HTTP requests and responses between Squid and client.

> -------------------------------------------------------------
>
> and my krb5.conf

It would seem not relevant. You did not configure Negotiate/Kerberos in squid.conf.

However, there is a strange lack of 407. NTLM specifies two DENIED/407 challenges for token exchange before anything is accepted (MISS/200). Kerberos on the other hand responds to the first 407 with a pre-calculated key (keytab entry), which skips straight to the MISS/200.

> Any clue why it's happening?
>
> squid is also a member of group wbpriv
>
> id squid
> uid=23(squid) gid=23(squid) groups=88(wbpriv),23(squid)
>
> I also have dansguardian listening on port 8080.

Some other possibilities are:
Is DG rejecting NTLM auth responses and only working when Basic is provided?
Or is DG doing part of the NTLM exchange itself (ie advertising that NTLM can be used), which leaves Squid with only two request/response actions to complete the NTLM setup?

Amos
--
Use Open Source Software
Human knowledge belongs to the world

Bruno Santos
bvsantos@xxxxxxxxxxxxxxxxxx
http://www.twitter.com/feiticeir0
Tel: +351 962 753 053

Divisão de Informática
informatica@xxxxxxxxxxxxxxxxxx
Tel: +351 272 000 155
Fax: +351 272 000 257

Unidade Local de Saúde de Castelo Branco, E.P.E.
geral@xxxxxxxxxxxxxxxxxx
Tel: +351 272 000 272
Fax: +351 272 000 257

Linux registered user #349448
LPIC-1 Certification
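Amos checks the 407-to-200 pattern by eye above; as an added example (not part of this thread or of Squid), the script below does the same check mechanically over Squid's native access.log format, counting how many TCP_DENIED/407 challenges each client received for a URL before its first TCP_MISS/200 and how long that took, then comparing the count with the two challenges a complete NTLM exchange produces. The sample lines are copied from the log excerpt quoted in the thread; the function names and the EXPECTED_NTLM_CHALLENGES constant are my own.

```python
import re
from collections import defaultdict
# Squid native access.log layout, one request per line:
# time elapsed_ms client action/code bytes method URL user hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)/(?P<code>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)
EXPECTED_NTLM_CHALLENGES = 2  # NTLM: two 407 challenges (type-1/type-2, then type-3) before a 200 is possible

def parse_line(line):
    """Fields of one access.log line as a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return None if m is None else dict(m.groupdict(), ts=float(m["ts"]), code=int(m["code"]))

def ntlm_handshake_report(lines):
    """Per (client, url): (407s before the first 200, seconds from first 407 to that 200, count == expected)."""
    state = defaultdict(lambda: {"challenges": 0, "first_407": None, "ok_ts": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # wrapped or truncated line in the excerpt: skip it
        st = state[(rec["client"], rec["url"])]
        if st["ok_ts"] is not None:
            continue  # only the first successful response for this request matters
        if rec["code"] == 407:
            st["challenges"] += 1
            st["first_407"] = rec["ts"] if st["first_407"] is None else st["first_407"]
        elif rec["code"] == 200:
            st["ok_ts"] = rec["ts"]
    report = {}
    for key, st in state.items():
        if st["ok_ts"] is None:
            continue  # never got past authentication within this excerpt
        delay = None if st["first_407"] is None else round(st["ok_ts"] - st["first_407"], 3)
        report[key] = (st["challenges"], delay, st["challenges"] == EXPECTED_NTLM_CHALLENGES)
    return report

# Sample lines copied from the access.log excerpt quoted in this thread.
SAMPLE_LOG = """\
1341573268.467 8 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minioccidente.jpg - NONE/- text/html
1341573268.602 1 111.111.11.11 TCP_DENIED/407 4467 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.606 1 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.741 272 111.111.11.11 TCP_MISS/200 2801 GET http://www.venezuelatuya.com/tour/minioccidente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.745 137 111.111.11.11 TCP_MISS/200 3520 GET http://www.venezuelatuya.com/tour/minioriente.jpg teste DIRECT/207.58.139.197 image/jpeg
""".splitlines()
if __name__ == "__main__":
    for (client, url), (n, delay, ok) in ntlm_handshake_report(SAMPLE_LOG).items():
        print(f"{client} {url}: {n} x 407 before 200 after {delay}s ({'expected' if ok else 'unexpected'} for NTLM)")
```

On the excerpt, minioriente.jpg shows the full two-challenge NTLM exchange, while minioccidente.jpg shows only one 407 before its 200, which is the "strange lack of 407" Amos points at.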