Hi all,
I have a Debian Jessie setup with squid 3.4, all Debian packages.
I'm using Samba 4 AD as domain controllers for my Kerberos authentication.
I have a setup as followed here:
I have my Kerberos auth working, so I don't type any password with a "domain joined computer" when I want to use the internet.
I have my LDAP auth working for my "non Windows, non domain joined" devices.
Now I need to give users access to the internet from a non domain joined Windows PC.
I'm getting (with Markus' negotiate_wrapper 1.0.1):
2015/08/17 16:31:51 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }
2015/08/17 16:32:03| negotiate_wrapper: Got 'YR TlR.... =' from squid (length: 59).
2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR... =' (decoded length: 40).
2015/08/17 16:32:03| negotiate_wrapper: received type 1 NTLM token
2015/08/17 16:32:03| negotiate_wrapper: Return 'TT TlR...... AA= *
2015/08/17 16:32:03| negotiate_wrapper: Got 'KK TlR.... 8=' from squid (length: 711).
2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR.....8=' (decoded length: 530).
2015/08/17 16:32:03| negotiate_wrapper: received type 3 NTLM token
2015/08/17 16:32:03| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL
2015/08/17 16:32:03 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }}
I know the following (and correct me if I'm thinking wrong here):
## 1) Pure Kerberos. Passthrough auth for Windows users with Windows DOMAIN JOINED PCs.
## Fallback to LDAP for NON WINDOWS, NON DOMAIN JOINED devices.
## NO NTLM. AKA, a Windows PC NOT JOINED to the domain will end up in an always-user-popup for auth.
## Which will always fail because of NTLM TYPE 1 and TYPE 2 authorisations.
## 2) NEGOTIATE AUTH, which will do all of the above, but also authenticates Windows PCs not domain joined.
But I receive a type 3 NTLM token...
These are the configs I have tested, and these 2 work.
For Kerberos auth
For basic auth
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
    -b "dc=internal,dc=domain,dc=tld" \
    -D ldap-bind@internal.domain.tld -W /etc/squid3/private/ldap-bind \
    -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
    -h addc.internal.domain.tld
These don't work:
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
    --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
    --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
or
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
    --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
    --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
I tried here the wrapper supplied with squid, /usr/lib/squid3/negotiate_wrapper_auth, and I have also tried the negotiate_wrapper of Markus, as wiki.squid-cache.org also says here.
The Kerberos part works, but not the NTLM.
When I try with only:
### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
auth_param ntlm children 10
auth_param ntlm keep_alive off
I'm also unable to authenticate on the proxy.
All winbind tests work.
I googled a lot, but I didn't find any solutions, so I'm hoping someone here knows more.
So, anyone any hint where to look? I can't figure this out.
Greetz,
Louis
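Added example (editor's note, not part of Louis' post or of the Squid/Samba code): the log above shows negotiate_wrapper receiving a type 1 NTLM token of 40 bytes (the 32-byte NEGOTIATE header plus the optional 8-byte Version field) and a type 3 token of 530 bytes (far more than an NTLMv1 AUTHENTICATE message would need, so the client is sending NTLMv2 responses), and it is the type 3 that ntlm_auth rejects with BH. The type 3 carries the domain, user name and workstation the client chose, which is what ntlm_auth hands on to winbind, so decoding it is the first thing to do before looking at winbind. The script below parses the YR/TT/KK lines of the squid-2.5-ntlmssp helper protocol and the NTLMSSP message inside; the MS-NLMP offsets and flag values are real, while the token values, names (WORKGROUP, louis, LOUIS-PC) and the build_type3 helper are constructed for the example.

```python
import base64
import struct

# MS-NLMP constants (real values from the spec)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_NTLM = 0x00000200

MSG_NAMES = {1: "NEGOTIATE (type 1)", 2: "CHALLENGE (type 2)", 3: "AUTHENTICATE (type 3)"}


def _field(buf, off):
    """Read a (Len, MaxLen, BufferOffset) descriptor at off and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    if offset + length > len(buf):
        raise ValueError("field descriptor at %d points outside the token" % off)
    return buf[offset:offset + length]


def _text(raw, flags):
    """Strings are UTF-16LE when NEGOTIATE_UNICODE is set, otherwise OEM (treated as latin-1 here)."""
    return raw.decode("utf-16-le") if flags & NTLMSSP_NEGOTIATE_UNICODE else raw.decode("latin-1")


def parse_ntlmssp(token):
    """Decode the fields of an NTLMSSP type 1, 2 or 3 message into a dict."""
    if len(token) < 12 or not token.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP token")
    (msg_type,) = struct.unpack_from("<I", token, 8)
    info = {"type": msg_type, "name": MSG_NAMES.get(msg_type, "unknown")}
    if msg_type == 1:
        (flags,) = struct.unpack_from("<I", token, 12)
        info["flags"] = flags
        # DomainName/Workstation in a NEGOTIATE message are OEM encoded (MS-NLMP 2.2.1.1)
        info["domain"] = _field(token, 16).decode("latin-1")
        info["workstation"] = _field(token, 24).decode("latin-1")
    elif msg_type == 2:
        (flags,) = struct.unpack_from("<I", token, 20)
        info["flags"] = flags
        info["target_name"] = _text(_field(token, 12), flags)
        info["server_challenge"] = token[24:32].hex()
    elif msg_type == 3:
        (flags,) = struct.unpack_from("<I", token, 60)
        info["flags"] = flags
        lm_resp = _field(token, 12)
        nt_resp = _field(token, 20)
        info["domain"] = _text(_field(token, 28), flags)
        info["user"] = _text(_field(token, 36), flags)
        info["workstation"] = _text(_field(token, 44), flags)
        info["lm_response_len"] = len(lm_resp)
        info["nt_response_len"] = len(nt_resp)
        # A 24-byte NT response is NTLMv1; anything longer carries an NTLMv2 blob
        info["ntlm_version"] = 1 if len(nt_resp) == 24 else 2
    else:
        raise ValueError("unknown NTLMSSP message type %d" % msg_type)
    return info


def parse_helper_line(line):
    """Split a 'YR <b64>' / 'TT <b64>' / 'KK <b64>' squid-2.5-ntlmssp line into (code, token bytes)."""
    code, _, blob = line.strip().partition(" ")
    if code not in ("YR", "TT", "KK"):
        raise ValueError("not a token-carrying helper line: %r" % line)
    return code, base64.b64decode(blob)


def encode_helper_line(code, token):
    """Inverse of parse_helper_line: the form squid and the helper write on the pipe."""
    return "%s %s" % (code, base64.b64encode(token).decode("ascii"))


def build_type3(domain, user, workstation, nt_response, lm_response=b"\x00" * 24,
                flags=NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM):
    """Construct an AUTHENTICATE message (no Version/MIC) so the parser can be exercised offline."""
    descriptors, payload = [], b""
    offset = 64  # header: 8 signature + 4 type + 6 descriptors * 8 + 4 flags
    for buf in (lm_response, nt_response, domain.encode("utf-16-le"),
                user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""):
        descriptors.append(struct.pack("<HHI", len(buf), len(buf), offset))
        payload += buf
        offset += len(buf)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 3) + b"".join(descriptors)
            + struct.pack("<I", flags) + payload)


if __name__ == "__main__":
    # Constructed sample: the kind of type 3 a workgroup PC might send, as the helper sees it
    sample = encode_helper_line("KK", build_type3("WORKGROUP", "louis", "LOUIS-PC", b"\x11" * 24))
    code, raw = parse_helper_line(sample)
    print(code, parse_ntlmssp(raw))
```

Feed parse_helper_line the complete 'YR ...' and 'KK ...' strings from a -d run of negotiate_wrapper or ntlm_auth; the lines quoted in the post are shortened with '....' and cannot be decoded as printed.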