Re: Squid - using NTLM for SSO

[Dijxie <dijxie@xxxxxxxxx>]

Hello list,

I need your help with a Squid-Proxy (3.5) NTLM Auth, the aim is to use SSO for my windows clients.

My Windows-Clients are using Active-Directory running on a Samba4-PDC.

I set up ldap basic auth in a developer environment, now I want to achieve SSO. (using NTLM?)

The Documentation on http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm doesn't really help me enough (on my knowledge about squid and forms of authentication/samba).

Tests:

-> testing Kerberos

I'm able to obtain (kinit) tickets and list them (klist)

root@xxx-testproxy01:~# kinit Administrator
Password for Administrator@X-XXX.LOCAL:
root@xxx-testproxy01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@X-XXX.LOCAL

Valid starting       Expires              Service principal
2017-05-09 08:43:25  2017-05-09 18:43:25  krbtgt/X-XXX.LOCAL@X-XXX.LOCAL
    renew until 2017-05-10 08:43:21

-> testing Samba:
I joined my domain X-XXX.
Test support for ntlm:

root@xxx-testproxy01:~# wbinfo -a testuser%xxxxxxxxxxx
plaintext password authentication succeeded
challenge/response password authentication succeeded

root@xxx-testproxy01:~# wbinfo -a testuser%xxxxxxxxxxx
plaintext password authentication succeeded
challenge/response password authentication succeeded
root@xxx-testproxy01:~# wbinfo -t
checking the trust secret for domain X-XXX via RPC calls succeeded
root@xxx-testproxy01:~# wbinfo -g
X-XXX\cert publishers
...negotiate_wrapper
X-XXX\webusers

-> Testing NTLM-helper:

Now here's my problem.

root@xxx-testproxy01:~# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --username=testuser --password=xxxxxxxxxxx
x-xxx\testuser xxxxxxxxxxx
SPNEGO request [testuser xxxxxxxxxxx] invalid prefix
BH SPNEGO request invalid prefix

root@xxx-testproxy01:~# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --username=testuser --password=xxxxxxxxxxx
x-xxx\testuser xxxxxxxxxxx
OK

What is ntlmssp? I read both helpers on tutorials. If I need both, why do I need both?
My squid is starting how it should, logs are looking normal, PopUp for authentication appears aswell, but I can't log in. I shoudn't need to authenticate in the first place because it should use SSO.
What is missing/faulty?
The rest of squid is basic stuff:mail/u/0/

auth_param ntlm program /usr/bin/ntlm_auth –helper-protocol=squid-2.5-ntlmssp --username=testuser --password=Passme123
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth –helper-protocol=squid-2.5-basic --username=testuser --password=Passme123
auth_param basic children 5
auth_param basic realm Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds

...

acl auth proxy_auth REQUIRED

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
...

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localnet
http_access allow localhost manager
http_access deny !auth
http_access allow auth

http_access deny all

...

url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 5

Does anyone know further? Thanks in advance.
- Kevin

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

Hi,

1. There is no point in testing kerberos (kinit) when you're going to use ntlm_auth helper; squid has it's spnego helper, 'negotiate_wrapper ', which is capable doing negotiation between kerberos and NTLM.  Just look for squid-helpers package for your OS; if it's not in OS repo, check http://ngtech.co.il/repo/ - Eliezer is doing really good job here.

If kerberos is working in your environment, I would use negotiate_wrapper or negotiate_kerberos_auth.  Good thing about negotiate_wrapper is -d switch, which is giving you a good portion of debug info in cache.log

Really, NTLM is bitchy and it is not primary protocol even in MS systems since 2003/XP. If you can fulfill kerberos' requirements in your environment,  I would go into kerberos, not NTLM.

2. My guess is that you have problem with access to windbind_priviledged pipe; can you perform usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --username=testuser --password=...et cetera witch ptrace? There is still a mess with winbind's pipe location; /var/run/samba vs /var/lib/samba, perharps you need some symlinking, ptrace can give you a clue.

3. Sometimes - just sometimes - passing --domain=DOMAIN_NAME to /usr/bin/ntlm_auth resolves cosmic issues. Sometimes it's DOMAIN\username vs just username in --username.

Last thing is error message: "BH SPNEGO request invalid prefix".  It is strange, at least for me. SPNEGO reply is rather kerberos or negotiate reply; not ntlm_auth. What distro are you using?

-- 
Dijx

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users