Search squid archive

debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hai all,
 
I have a Debian Jessie setup with squid 3.4 , all debian packages.
Im using samba 4 AD as domain controllers for my kerberos authentication.
 
I've a setup as followed here :
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory 
 
I have my kerberos auth working, so i dont type any password with a "domain joined computer"  when i want to internet.
I Have my Ldap auth working, for my "Non windows, non domain joined" Devices.
 
Now, i need to give users access to the internet, a non domain joined, windows PC. 
 
Im getting :  ( with markus negotiate_wrapper 1.0.1  )
2015/08/17 16:31:51 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }
2015/08/17 16:32:03| negotiate_wrapper: Got 'YR TlR....   =' from squid (length: 59).
2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR... =' (decoded length: 40).
2015/08/17 16:32:03| negotiate_wrapper: received type 1 NTLM token
2015/08/17 16:32:03| negotiate_wrapper: Return 'TT TlR......  AA= *
2015/08/17 16:32:03| negotiate_wrapper: Got 'KK TlR....  8=' from squid (length: 711).
2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR.....8=' (decoded length: 530).
2015/08/17 16:32:03| negotiate_wrapper: received type 3 NTLM token
2015/08/17 16:32:03| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL
2015/08/17 16:32:03 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }}
 
 
 
I know the following : ( and correct me if im thinking wrong here.)
## 1) Pure Kerberos. Passthrough auth for windows users with windows DOMAIN JOINED pc's.
##    Fallback to Ldap for NON WINDOWS NON DOMAIN JOINED Devices.
##    NO NTLM. AKA, a windows pc, NOT JOINED in the domain, with end up in always user popup for auth.
##    Which will always fail because of NTLM TYPE 1 and TYPE 2, authorisations.
## 2) NEGOTIATE AUTH, which will do all of above, but also authenticated Windows PC's Not domain Joined.
But i recieve a type 3 NTLM token... 
 
 
This are the configs have tested and these 2 work.
For kerberos auth
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/hostname.fqdn@REALM   
 
for basic auth
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
    -b "dc=internal,dc=domain,dc=tld" \
    -D
ldap-bind@internal.domain.tld -W /etc/squid3/private/ldap-bind \
    -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
    -h addc.internal.domain.tld 
These dont work.
 
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
    --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
    --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
or
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
    --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
    --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

tried here the supplied wrapper with squid.:     /usr/lib/squid3/negotiate_wrapper_auth 
and i have tried the negotiate_wrapper of Markus, as the wiki.squid-cache.org also says  here
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory   ( Install negotiate_wrapper ) 
 
the kerberos part works but not the ntlm .
 
when i try with only:
 
### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
auth_param ntlm children 10
auth_param ntlm keep_alive off
 
im also unable to authenticat on the proxy.
 
all winbind test work.. 
 
I googled a lot, but i didnt find any solutions so im hoping someone here knows more.
 
so anyone any hint where to look, i cant figure this out.
 
 
Greetz,
 
Louis
 
 
 
 
 
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux