On 20/10/2015 4:04 p.m., Ilias Clifton wrote:
> Hi All,
> I've been following the guide at this location for Active Directory integration
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
>
> First, some versions for sanity..
> Ubuntu : 14.04.3 LTS
> Squid : 3.3.8 (from ubuntu repositories)
> Samba : 4.1.6-Ubuntu
> DC : Windows Server 2012 R2
>
> I am currently testing the authentication, negotiate kerberos and basic ldap are
> both working correctly. However ntlm is not and I don't seem to be making any
> progress on debugging further.

There are several problems involved here.

1) NTLM is a proprietary protocol deprecated by its corporate creator in 2006 and officially has not been part of any MS products created after that year. With some trouble it can be enabled. But now, 9 years later, it is off by default almost everywhere, or literally not existing in the new products' code.

2) NTLM has *never* worked properly over HTTP, particularly in the presence of proxies. Most HTTP performance and optimization features have to be actively disabled the instant NTLM auth is identified as happening.

3) Off-domain clients have *never* been able to authenticate with the NTLM protocol. Previously Squid helpers were performing a MITM downgrade attack on the client software to cause it to use LanManager auth over "NTLM" tokens, then decrypting the user:pass credentials in real time and using the Basic auth login to AD to authenticate. (Sounds nasty? It is.) LanMan protocols are even more deprecated (since 1996) and non-existent in modern MS software than NTLM.
 - NTLMv1 can still be MITM'd but takes longer. I think the older Samba helpers maybe do that. But no guarantees.
 - NTLMv2 and v2 with security extensions are not able to be MITM'd. So they won't work through Squid unless the client is "on-domain".

4) Support for the NTLM sub-protocol inside the "Negotiate" auth scheme is a relatively new feature and still not working quite right. Partially because of the above problems and the deprecated nature of NTLM, meaning it is a low priority to fix. Partially because NTLM is also not matching the behaviour requirements of the Negotiate protocol itself.

5) The cache_effective_user or cache_effective_group directives are not compatible with WinBind helpers. See <http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm?highlight=%28winbindd_priv%29#SMBD_and_Machine_Trust_Accounts> for details on what to do there.

6) If you self-compiled Samba or Winbind tools on Ubuntu systems there may also be a /var/lib/samba/winbindd_privileged directory created by the winbind and ntlm_auth tools with root ownership. The group of that folder needs to be changed to match the /var/run/samba/winbindd_privileged location.

Your version of Squid has big problems with (4) and some with (2), and your DC server version has big problems with (1) and (3).

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
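Points (5) and (6) above come down to a file-permission check: the winbindd_privileged directory that ntlm_auth talks through must be group-accessible to the account Squid runs its helpers as, and a second copy under /var/lib/samba must carry the same group as the one under /var/run/samba. The following script is an added example written for this page, not code from the thread or from the Squid or Samba projects; it assumes GNU stat (Ubuntu), the two directory paths named in the thread, and that the helper account is the Ubuntu package default "proxy" (all of these are assumptions you should adjust to your install).

```shell
#!/bin/sh
# Added example (not from the thread): verify that the winbindd_privileged
# directories used by ntlm_auth are group-accessible to the account Squid
# runs its helpers as. Paths and the "proxy" user are assumptions based on
# typical Ubuntu packaging; GNU stat -c is assumed.

# dir_group DIR -> prints the group name owning DIR, exits non-zero if missing
dir_group() {
    stat -c %G "$1" 2>/dev/null
}

# groups_match DIR1 DIR2 -> exit 0 when both directories share one group
groups_match() {
    g1=$(dir_group "$1") || return 1
    g2=$(dir_group "$2") || return 1
    [ -n "$g1" ] && [ "$g1" = "$g2" ]
}

# user_in_group USER GROUP -> exit 0 when USER is a member of GROUP
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# check_winbind_priv USER RUNDIR LIBDIR -> prints findings and "OK" when clean;
# exit status is 0 only when no problem was found.
check_winbind_priv() {
    user=$1; rundir=$2; libdir=$3
    rc=0
    if [ ! -d "$rundir" ]; then
        echo "MISSING: $rundir does not exist (is winbindd running?)"
        return 1
    fi
    rungroup=$(dir_group "$rundir")
    # (6): a self-compiled install may leave a root-owned copy under /var/lib
    if [ -d "$libdir" ] && ! groups_match "$rundir" "$libdir"; then
        echo "MISMATCH: $libdir group $(dir_group "$libdir") != $rundir group $rungroup"
        rc=1
    fi
    # (5): the helper account must be in the directory's group to reach the socket
    if ! user_in_group "$user" "$rungroup"; then
        echo "NOGROUP: $user is not a member of group $rungroup"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK"
    fi
    return "$rc"
}

# Stand-alone run against the assumed Ubuntu locations; remove the leading
# comment marker to use it on a real host.
# check_winbind_priv proxy /var/run/samba/winbindd_privileged /var/lib/samba/winbindd_privileged
```

A MISMATCH finding is the case in (6) and is fixed with chgrp on the /var/lib copy; a NOGROUP finding means the helper account needs adding to the directory's group (the wiki page linked in (5) covers the rest of that setup).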