Hi all,

I have a Debian Jessie setup with squid 3.4, all Debian packages. I'm using Samba 4 AD as domain controllers for my Kerberos authentication.

I've a setup as followed here:

I have my Kerberos auth working, so I don't type any password with a "domain joined computer" when I want to use the internet.

I have my LDAP auth working, for my "non Windows, non domain joined" devices.

Now, I need to give users access to the internet on a non domain joined Windows PC.

I'm getting (with Markus' negotiate_wrapper 1.0.1):
2015/08/17 16:31:51 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }
2015/08/17 16:32:03| negotiate_wrapper: Got 'YR TlR.... =' from squid (length: 59).
2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR... =' (decoded length: 40).
2015/08/17 16:32:03| negotiate_wrapper: received type 1 NTLM token
2015/08/17 16:32:03| negotiate_wrapper: Return 'TT TlR...... AA= *
2015/08/17 16:32:03| negotiate_wrapper: Got 'KK TlR.... 8=' from squid (length: 711).
2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR.....8=' (decoded length: 530).
2015/08/17 16:32:03| negotiate_wrapper: received type 3 NTLM token
2015/08/17 16:32:03| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL
2015/08/17 16:32:03 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }}
I know the following (and correct me if I'm thinking wrong here):

## 1) Pure Kerberos. Passthrough auth for Windows users with Windows DOMAIN JOINED PCs.
## Fallback to LDAP for NON WINDOWS NON DOMAIN JOINED devices.
## NO NTLM. AKA, a Windows PC NOT JOINED in the domain will end up in an always-user popup for auth.
## Which will always fail because of NTLM TYPE 1 and TYPE 2 authorisations.
## 2) NEGOTIATE AUTH, which will do all of the above, but also authenticates Windows PCs not domain joined.
But I receive a type 3 NTLM token...

These are the configs I have tested, and these 2 work.
For Kerberos auth:

auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/hostname.fqdn@REALM

For basic auth:

auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
 -b "dc=internal,dc=domain,dc=tld" \
 -D ldap-bind@internal.domain.tld -W /etc/squid3/private/ldap-bind \
 -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
 -h addc.internal.domain.tld
These don't work:

auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
 --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
 --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
or

auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
 --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
 --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
I tried here the supplied wrapper with squid: /usr/lib/squid3/negotiate_wrapper_auth, and I have tried the negotiate_wrapper of Markus, as wiki.squid-cache.org also says here: http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory (Install negotiate_wrapper).

The Kerberos part works, but not the NTLM.
When I try with only:

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
auth_param ntlm children 10
auth_param ntlm keep_alive off
I'm also unable to authenticate on the proxy. All winbind tests work.

I googled a lot, but I didn't find any solutions, so I'm hoping someone here knows more. So, anyone any hint where to look? I can't figure this out.

Greetz,
Louis
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
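An added example, not part of Louis' post and not code from squid, Samba or negotiate_wrapper: a small Python decoder for the 'YR <token>' / 'KK <token>' lines that the wrapper logs above. negotiate_wrapper sends a token to the NTLM helper when the decoded bytes begin with the NTLMSSP signature, and the "received type 1 NTLM token" / "type 3" lines come from the 4-byte message type that follows that signature. A Type 3 token also carries the domain, user and workstation the client is authenticating as, which is what ntlm_auth passes on to winbind; when a non-domain-joined Windows PC prompts for credentials and the user types only a username, the domain field typically holds the local machine name rather than the AD domain, so dumping that field from the 'KK' line is a reasonable first check when winbind answers NT_STATUS_UNSUCCESSFUL. The log above shows only truncated 'TlR...' strings, so the sample tokens here are constructed by the two build_* helpers; the field offsets follow MS-NLMP.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # name buffers are UTF-16LE
NEGOTIATE_NTLM = 0x00000200


def _field(raw: bytes, off: int, unicode: bool) -> str:
    """Read an NTLM security buffer (len, maxlen, offset) at `off` and return its payload as text."""
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, off)
    data = raw[offset:offset + length]
    return data.decode("utf-16-le" if unicode else "ascii")


def parse_ntlm_token(b64: str) -> dict:
    """Decode a base64 NTLMSSP token; return its message type and, for Type 1/3, the name fields."""
    raw = base64.b64decode(b64)
    if not raw.startswith(NTLMSSP_SIGNATURE):
        # Anything else (a SPNEGO/Kerberos blob) is what negotiate_wrapper hands to the Kerberos helper.
        raise ValueError("not a raw NTLMSSP token")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"type": msg_type}
    if msg_type == 1:
        # Type 1 (NEGOTIATE): flags at 12, then OEM (ASCII) DomainName and Workstation buffers at 16 and 24.
        info["flags"] = struct.unpack_from("<I", raw, 12)[0]
        info["domain"] = _field(raw, 16, unicode=False)
        info["workstation"] = _field(raw, 24, unicode=False)
    elif msg_type == 3:
        # Type 3 (AUTHENTICATE): LM/NT responses at 12/20, DomainName 28, UserName 36, Workstation 44,
        # session key 52, NegotiateFlags at 60.
        flags = struct.unpack_from("<I", raw, 60)[0]
        uni = bool(flags & NEGOTIATE_UNICODE)
        info["flags"] = flags
        info["domain"] = _field(raw, 28, uni)
        info["user"] = _field(raw, 36, uni)
        info["workstation"] = _field(raw, 44, uni)
    return info


def parse_helper_line(line: str) -> dict:
    """Parse one 'YR <b64>' / 'KK <b64>' request line as squid sends it to a negotiate helper."""
    parts = line.strip().split(" ", 1)
    cmd = parts[0]
    if cmd not in ("YR", "KK"):
        raise ValueError(f"unexpected helper command {cmd!r}")
    if len(parts) == 1:
        # A bare 'YR' carries no client token (allowed by the squid-2.5-ntlmssp protocol).
        return {"cmd": cmd, "type": None}
    return {"cmd": cmd, **parse_ntlm_token(parts[1])}


def build_type1(domain: str = "", workstation: str = "") -> str:
    """Constructed Type 1 token (no Version block) for the demo; names are OEM/ASCII as in the spec."""
    flags = NEGOTIATE_UNICODE | NEGOTIATE_NTLM
    payload_start = 32
    d, w = domain.encode("ascii"), workstation.encode("ascii")
    header = (NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags)
              + struct.pack("<HHI", len(d), len(d), payload_start)
              + struct.pack("<HHI", len(w), len(w), payload_start + len(d)))
    return base64.b64encode(header + d + w).decode()


def build_type3(domain: str, user: str, workstation: str) -> str:
    """Constructed Type 3 token with empty LM/NT responses; only the name buffers matter for the demo."""
    flags = NEGOTIATE_UNICODE | NEGOTIATE_NTLM
    payload_start = 64
    # Buffer order in the header: LM response, NT response, DomainName, UserName, Workstation, SessionKey.
    bufs = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
            workstation.encode("utf-16-le"), b""]
    fields, payload = b"", b""
    for b in bufs:
        fields += struct.pack("<HHI", len(b), len(b), payload_start + len(payload))
        payload += b
    header = NTLMSSP_SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags)
    return base64.b64encode(header + payload).decode()


if __name__ == "__main__":
    # Constructed sample lines (hostname "LOUIS-PC" and user "louis" are made up); the 'KK' line
    # carries the machine name in the domain field, as a non-domain-joined PC does without a DOMAIN\ prefix.
    for line in ("YR " + build_type1(), "KK " + build_type3("LOUIS-PC", "louis", "LOUIS-PC")):
        print(parse_helper_line(line))
```

To use it on a real trace, run the wrapper with -d as in the configs above, copy the full base64 string from a "Got 'KK ...' from squid" line (the log above truncates it), and pass "KK <string>" to parse_helper_line; if the domain it prints is not your AD domain, ntlm_auth's --domain= value and the credentials the user typed are the first things to compare.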