On 18/08/2015 3:06 a.m., L.P.H. van Belle wrote:
> Hai all,
>
> I have a Debian Jessie setup with squid 3.4, all Debian packages.
> I'm using Samba 4 AD as domain controllers for my Kerberos authentication.
>
> I've a setup as followed here:
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>
> I have my Kerberos auth working, so I don't type any password with a "domain joined computer" when I want to use the internet.
> I have my LDAP auth working, for my "non-Windows, non-domain-joined" devices.
>
> Now, I need to give users access to the internet on a non-domain-joined Windows PC.
>
> I'm getting: (with Markus' negotiate_wrapper 1.0.1)
> 2015/08/17 16:31:51 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }
> 2015/08/17 16:32:03| negotiate_wrapper: Got 'YR TlR.... =' from squid (length: 59).
> 2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR... =' (decoded length: 40).
> 2015/08/17 16:32:03| negotiate_wrapper: received type 1 NTLM token Type 1 NTLM.
> 2015/08/17 16:32:03| negotiate_wrapper: Return 'TT TlR...... AA= *
> 2015/08/17 16:32:03| negotiate_wrapper: Got 'KK TlR.... 8=' from squid (length: 711).
> 2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR.....8=' (decoded length: 530).
> 2015/08/17 16:32:03| negotiate_wrapper: received type 3 NTLM token
> 2015/08/17 16:32:03| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL
> 2015/08/17 16:32:03 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }}
>
>
> I know the following: (and correct me if I'm thinking wrong here.)
> ## 1) Pure Kerberos. Passthrough auth for Windows users with Windows DOMAIN JOINED PCs.
> ## Fallback to LDAP for NON WINDOWS NON DOMAIN JOINED devices.
> ## NO NTLM. AKA, a Windows PC NOT JOINED in the domain will always end up in a user popup for auth.
> ## Which will always fail because of NTLM TYPE 1 and TYPE 2 authorisations.
> ## 2) NEGOTIATE AUTH, which will do all of the above, but also authenticates Windows PCs not domain joined.

Regarding (1):

* "Pure Kerberos" aka "Kerberos" auth scheme is not supported in Squid. Only Negotiate/Kerberos. It was accepted by Squid-2 as an alias for Negotiate, but Squid-3 operates differently and it was dropped for now.

* Rejecting NTLM (ie Negotiate/NTLM) is an artifact of the Squid Kerberos-only helper rejecting NTLM tokens. Nothing more. You could reject the Negotiate/Kerberos tokens by configuring an NTLM-only helper in the "auth_param negotiate program".

* Off-domain machines only ever worked using Basic authentication or similar protocols called LanMan which sent passwords inside NTLM or Negotiate/NTLM tokens. But LanMan is so insecure it is no longer supported.

NP: if you have a client that will only authenticate with LanMan (SMB LM) protocols you are better off security-wise not authenticating it at all. At least that stops it broadcasting the user's password to the world.

Regarding (2):

* The machine still does need to be domain joined, at least recently enough to have a valid Kerberos token. What can be avoided is being connected "live" during the handshake itself. But that is a feature of the client software not related to Squid. So some clients support it, most actually don't.

>
> But I receive a type 3 NTLM token...
>

You also received NTLM type 1 prior to it. I suspect a machine not joined to the domain is trying to use NTLM, which requires being on the domain.

There is no problem with this *unless* the client machine is refusing to fall back to Negotiate/Kerberos or Basic auth after the failure. There is no reason a popup should occur unless all forms of Negotiate/Kerberos, Negotiate/NTLM, NTLM, and Basic which are offered by the proxy have failed.

>
> These are the configs I have tested and these 2 work.
> For Kerberos auth
> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/hostname.fqdn@REALM
>
> for basic auth
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
> -b "dc=internal,dc=domain,dc=tld" \
> -D ldap-bind@xxxxxxxxxxxxxxxxxxx -W /etc/squid3/private/ldap-bind \
> -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
> -h addc.internal.domain.tld
>
> These don't work.

I assume that by the positioning of your "these" statements you meant the above work, and the below don't.

>
> auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
> --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
> --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
> or
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
> --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
> --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
>
> Tried here the supplied wrapper with squid: /usr/lib/squid3/negotiate_wrapper_auth
> and I have tried the negotiate_wrapper of Markus, as wiki.squid-cache.org also says here
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory (Install negotiate_wrapper)
>
> The Kerberos part works but not the NTLM.

One puzzling thing is why the Win7 client is trying to use NTLM in the first place. NTLM is disabled by default in Vista and later due to its lack of security.

Try adding "auth_param negotiate keep_alive off" to close connections when Negotiate/NTLM is used and force the client to retry with other auth credentials on a clean connection.

>
> When I try with only:
>
> ### pure ntlm authentication
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
>
> I'm also unable to authenticate on the proxy.

NTLM will only work with current MS software if the client is joined to the domain, and if NTLM is explicitly re-enabled.

The 1970-80s LanMan protocols are no longer supported since 2006 (WinXP SP3). The most secure of these can be decrypted in under 50 milliseconds, ie "live". Ironically that was exactly how Squid helpers used to work for off-domain clients all through the 2000s. LanMan passwords being decrypted in real time allowed Basic auth APIs in AD to be used. Giving the appearance that off-domain machines were authenticating securely, when in fact they were just broadcasting their passwords about. Not a good situation.

The old 1990s NTLM v1 and v2 are also on the way out since Vista. NTLM v1 can be decrypted in a few seconds, v2 in a few minutes.

HTH
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
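The log lines in the thread show the one thing a reader of negotiate_wrapper output needs to spot: a token whose base64 starts with "TlR" decodes to "NTLMSSP\0", so the wrapper routes it to ntlm_auth rather than to negotiate_kerberos_auth, and the "type 1" / "type 3" it reports is the little-endian message-type field at offset 8 of that blob. The following is an added example, not code from the thread, from Squid or from negotiate_wrapper: it parses Squid-to-helper lines in the form "YR <base64>" (start of an exchange) and "KK <base64>" (continuation), decodes the token, and decides which helper a wrapper would hand it to. The function names, the routing table and the sample lines are mine; the sample NTLMSSP and SPNEGO tokens are constructed inline from the MS-NLMP signature and the SPNEGO/Kerberos OIDs, not captured from the poster's proxy.

```python
"""Classify Squid negotiate-helper tokens the way a negotiate wrapper does.

Constructed example (not Squid or negotiate_wrapper code): decode the
base64 blob on a helper-protocol line and decide whether it is a raw
NTLMSSP message (goes to ntlm_auth) or a GSS-API/SPNEGO token (goes to
negotiate_kerberos_auth), reporting the NTLM message type so a log reader
can tell a type 1 (NEGOTIATE) from a type 3 (AUTHENTICATE).
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded OIDs: SPNEGO 1.3.6.1.5.5.2 and Kerberos V5 1.2.840.113554.1.2.2
SPNEGO_OID = bytes.fromhex("06062b0601050502")
KRB5_OID = bytes.fromhex("06092a864886f712010202")
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def parse_helper_line(line):
    """Split a Squid->helper line ('YR <b64>' or 'KK <b64>') into (command, raw token)."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2 or parts[0] not in ("YR", "KK"):
        raise ValueError("not a YR/KK helper line: %r" % line)
    return parts[0], base64.b64decode(parts[1])


def classify_token(raw):
    """Return (mechanism, ntlm_type) where mechanism is 'ntlm', 'spnego', 'krb5' or 'unknown'."""
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]  # MessageType, little-endian per MS-NLMP
        return "ntlm", msg_type
    if raw[:1] == b"\x60":                             # GSS-API InitialContextToken (APPLICATION 0)
        head = raw[:24]                                # the mech OID sits right after the length
        if SPNEGO_OID in head:
            return "spnego", None
        if KRB5_OID in head:
            return "krb5", None
    if raw[:1] == b"\xa1":                             # SPNEGO NegTokenResp (continuation)
        return "spnego", None
    return "unknown", None


def route_helper_line(line):
    """Name the helper a wrapper would pass this line to (hypothetical routing table)."""
    cmd, raw = parse_helper_line(line)
    mech, ntlm_type = classify_token(raw)
    if mech == "ntlm":
        helper = "ntlm_auth"
        detail = "NTLM type %d (%s)" % (ntlm_type, NTLM_TYPES.get(ntlm_type, "?"))
    elif mech in ("spnego", "krb5"):
        helper = "negotiate_kerberos_auth"
        detail = mech
    else:
        helper = None
        detail = "unrecognised token"
    return cmd, helper, detail


def build_ntlm_token(msg_type, payload=b""):
    """Constructed NTLMSSP message: signature, little-endian type, then caller-supplied body."""
    return NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + payload


def build_spnego_init():
    """Constructed SPNEGO NegTokenInit offering only Kerberos and carrying no mechToken."""
    mech_types = b"\x30\x0b" + KRB5_OID                 # SEQUENCE OF MechType (13 bytes)
    neg_token_init = b"\x30\x0f" + b"\xa0\x0d" + mech_types
    inner = SPNEGO_OID + b"\xa0\x11" + neg_token_init   # 27 bytes
    return b"\x60" + bytes([len(inner)]) + inner


# Constructed helper-protocol lines, not the ones from the thread. The type 1
# body is flags + empty domain/workstation fields + version, giving the same
# 40-byte decoded length the wrapper logged for the poster's type 1 token.
SAMPLE_LINES = [
    "YR " + base64.b64encode(build_ntlm_token(1, b"\x07\x82\x08\xa2" + b"\x00" * 24)).decode(),
    "KK " + base64.b64encode(build_ntlm_token(3, b"\x00" * 64)).decode(),
    "YR " + base64.b64encode(build_spnego_init()).decode(),
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(sample[:20] + "...", "->", route_helper_line(sample))
```

Run against a captured helper trace (with `-d` on the wrapper, the "Got 'YR ...'" lines are exactly this format), the classifier tells you whether a failing exchange is even reaching the Kerberos helper; in the poster's trace every token is NTLMSSP, so only ntlm_auth and its domain membership are in play.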