Hello Amos,
auth_param ntlm keep_alive off
unfortunately does not solve the problem.
I did more investigation into the problem and found some information.
Every time a user gets the browser popup requesting credentials, I find this event in the Squid log:
Login for user [DOMAIN]\[user]@[PC_XXXX] failed due to [Access denied]
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2016/09/02 16:56:13 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_ACCESS_DENIED; }}
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2016/09/02 16:56:13 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_ACCESS_DENIED; }}
It's not easy to do more debugging because I have 9000 concurrent connections, but if you think it can help, I can try setting debug_options to something like 29,5.
Sometimes users leave the office, leaving the browser open.
After 1 hour (more or less), they return to the PC and the popup shows as soon as the mouse points to a new link in the open browser.
It's probably because something cached expires, but I cannot demonstrate it so easily because, as you said, NTLM never caches.
In my samba/winbind logs I see many
rpccli_netlogon_sam_network_logon: credentials chain check failed
So it's very hard to understand whether the problem occurs between Squid and the browser or between Samba and Active Directory.
What do you think?
Thanks.
Giulius.
On 1/09/2016 12:37 a.m., akn ab wrote:
> Dear all,
> I'm facing a strange problem using squid 3.5.20 with NTLM transparent
> authentication.
> I cannot use Kerberos auth because I need to pass DOMAIN\user to my parent proxy
> with the x-authenticated-user header, and the form USERNAME@DOMAIN is not supported.
> Users can surf the web without problems but, sometimes, they receive a
> credential request popup from the browser (Explorer, Edge, Mozilla and Chrome, it does not
> matter).
> auth_param ntlm program /usr/local/samba/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 300 startup=200 idle=10 concurrency=0
> auth_param ntlm keep_alive on
> auth_param basic program /usr/local/samba/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 25 startup=15 idle=5 concurrency=0
> auth_param basic realm PROXY AUTHORIZATION REQUIRED
> auth_param basic credentialsttl 30 minutes
> authenticate_cache_garbage_interval 1 hours
> authenticate_ttl 30 minutes
> authenticate_ip_ttl 30 minutes
>
> I migrated from squid 2.6.x and, with a similar configuration, the credentials
> request was displayed only when the password had expired.
> In this situation, users must click the abort button many times to restore a
> good situation, but I cannot understand why the popup appears suddenly.
> Is this a credentials cache timeout problem (authenticate_ttl 30 minutes)?
Maybe. If so it's not an NTLM problem since NTLM credentials are "cached"
by being tied to the TCP connection state, not stored in a regular cache
like Basic auth credentials.
I suggest trying:
auth_param ntlm keep_alive off
Squid-3 is now HTTP/1.1 which behaves a bit differently with persistent
connections than HTTP/1.0 did. Which affects the pile of nasty hacks
needed to make NTLM work over HTTP.
> Is this a problem in the browser?
Yes, at least partially. The popup only occurs when the browser thinks
none of its credentials are valid to send to the proxy. Why it thinks
that might be a browser bug or a Squid bug. Or just the way NTLM behaves
in some HTTP message circumstances.
> Is this a communication problem between Squid and Active Directory?
Unlikely. It's more probably between Squid and browser. Squid only
interacts with AD at the start of a new TCP connection, or when NTLM is
started on an existing connection.
It could be the browser sending unacceptable credentials (eg. the user's
machine account instead of the user's own account) then deciding NTLM
is unusable.
It could be the browser failing to send the right NTLM token for Squid
to check against the existing known credentials tied to the connection.
> I would like to understand why, so I need advice to start debugging and find a
> solution.
<http://wiki.squid-cache.org/KnowledgeBase/DebugSections>
Section 29 is the various authenticators. You will also need the ACL
processing section and results.
Amos
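To make the cache.log evidence from the first message easier to quantify (which workstations produce the popups, and whether the helper reports BH, i.e. a broken helper, or a plain ERR credential rejection), here is an added example parser, not code from the thread or from Squid. The log lines it consumes are constructed in the same format as those quoted above; `parse_ntlm_failures`, `failures_per_host` and `bh_ratio` are names chosen for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the format quoted in the thread (not real log data).
SAMPLE_LOG = """\
Login for user CORP\\alice@PC_0001 failed due to [Access denied]
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2016/09/02 16:56:13 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_ACCESS_DENIED; }}
Login for user CORP\\alice@PC_0001 failed due to [Access denied]
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2016/09/02 16:56:13 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_ACCESS_DENIED; }}
Login for user CORP\\bob@PC_0042 failed due to [Access denied]
2016/09/02 17:01:40 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_ACCESS_DENIED; }}
"""

# ntlm_auth line: who failed, from which workstation, and why.
LOGIN_FAIL = re.compile(
    r"Login for user (?P<user>[^@\s]+)@(?P<host>\S+) failed due to \[(?P<reason>[^\]]+)\]")
# Squid helper-result line: timestamp, helper result code (OK/ERR/BH) and NT status.
HELPER_ERR = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| ERROR: NTLM Authentication "
    r"validating user\. Result: \{result=(?P<code>\w+), notes=\{message: (?P<msg>[^;]+);")

def parse_ntlm_failures(text):
    """Pair each ntlm_auth 'Login ... failed' line with the Squid helper
    error that follows it. Returns one dict per helper error."""
    events, pending = [], None
    for line in text.splitlines():
        m = LOGIN_FAIL.search(line)
        if m:
            pending = m.groupdict()      # remember until the helper result arrives
            continue
        m = HELPER_ERR.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y/%m/%d %H:%M:%S")
            ev.update(pending or {"user": "?", "host": "?", "reason": "?"})
            events.append(ev)
            pending = None
    return events

def failures_per_host(events):
    """Count helper errors per workstation, to see whether a few PCs dominate."""
    return Counter(e["host"] for e in events)

def bh_ratio(events):
    """Fraction of results that are BH (helper gave up) rather than ERR (bad credentials)."""
    return sum(e["code"] == "BH" for e in events) / len(events) if events else 0.0
```

A high BH ratio points at the helper/winbind path rather than at users typing wrong passwords, which is the distinction the thread is trying to make.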
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users