Re: Squid - using NTLM for SSO

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On 10/05/17 12:16, Dijxie wrote:
> > Hello list,
> >
> >
> > I need your help with a Squid-Proxy (3.5) NTLM Auth, the aim is to 
> > use SSO for my windows clients.
> >
> > My Windows-Clients are using Active-Directory running on a Samba4-PDC.
> >
> > I set up ldap basic auth in a developer environment, now I want to 
> > achieve SSO. (using NTLM?)
> >
> > The Documentation on 
> > http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm doesn't 
> > really help me enough (on my knowledge about squid and forms of 
> > authentication/samba).
> >
> >
> > Tests:
> >
> > -> testing Kerberos
> >
> > I'm able to obtain (kinit) tickets and list them (klist)
> >
> >
> > root@xxx-testproxy01:~# kinit Administrator
> > Password for Administrator@X-XXX.LOCAL:
> > root@xxx-testproxy01:~# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: Administrator@X-XXX.LOCAL
> >
> > Valid starting       Expires              Service principal
> > 2017-05-09 08:43:25  2017-05-09 18:43:25 krbtgt/X-XXX.LOCAL@X-XXX.LOCAL
> >     renew until 2017-05-10 08:43:21
> >
> > -> testing Samba:
> > I joined my domain X-XXX.
> > Test support for ntlm:
> > root@xxx-testproxy01:~# wbinfo -a testuser%xxxxxxxxxxx
> > plaintext password authentication succeeded
> > challenge/response password authentication succeeded
> >
> > root@xxx-testproxy01:~# wbinfo -a testuser%xxxxxxxxxxx
> > plaintext password authentication succeeded
> > challenge/response password authentication succeeded
> > root@xxx-testproxy01:~# wbinfo -t
> > checking the trust secret for domain X-XXX via RPC calls succeeded
> > root@xxx-testproxy01:~# wbinfo -g
> > X-XXX\cert publishers
> > ...negotiate_wrapper
> > X-XXX\webusers
> >
> > -> Testing NTLM-helper:
> > Now here's my problem.
> >
> > root@xxx-testproxy01:~# /usr/bin/ntlm_auth 
> > --helper-protocol=squid-2.5-ntlmssp --username=testuser 
> > --password=xxxxxxxxxxx
> > x-xxx\testuserxxxxxxxxxxx
> > SPNEGO request [testuser xxxxxxxxxxx] invalid prefix
> > BH SPNEGO request invalid prefix
> >
> > root@xxx-testproxy01:~# /usr/bin/ntlm_auth 
> > --helper-protocol=squid-2.5-basic --username=testuser 
> > --password=xxxxxxxxxxx
> > x-xxx\testuser xxxxxxxxxxx
> > OK
> >
> > What is ntlmssp? I read both helpers on tutorials. If I need both, 
> > why do I need both?
> > My squid is starting how it should, logs are looking normal, PopUp 
> > for authentication appears aswell, but I can't log in. I shoudn't 
> > need to authenticate in the first place because it should use SSO.
> > What is missing/faulty?
> > The rest of squid is basic stuff:mail/u/0/
> > auth_param ntlm program /usr/bin/ntlm_auth 
> > –helper-protocol=squid-2.5-ntlmssp --username=testuser 
> > --password=Passme123
> > auth_param ntlm children 10
> > auth_param basic program /usr/bin/ntlm_auth 
> > –helper-protocol=squid-2.5-basic --username=testuser --password=Passme123
> > auth_param basic children 5
> > auth_param basic realm Proxy Server
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive off
> > authenticate_cache_garbage_interval 10 seconds
> > ...
> > acl auth proxy_auth REQUIRED
> > acl SSL_ports port 443
> > acl Safe_ports port 80          # http
> > acl Safe_ports port 21          # ftp
> > acl Safe_ports port 443         # https
> > acl Safe_ports port 70          # gopher
> > acl Safe_ports port 210         # wais
> > acl Safe_ports port 1025-65535  # unregistered ports
> > acl Safe_ports port 280         # http-mgmt
> > acl Safe_ports port 488         # gss-http
> > acl Safe_ports port 591         # filemaker
> > acl Safe_ports port 777         # multiling http
> > acl CONNECT method CONNECT
> > ...
> > http_access deny !Safe_ports
> >
> > # Deny CONNECT to other than secure SSL ports
> > http_access deny CONNECT !SSL_ports
> >
> > # Only allow cachemgr access from localhost
> > http_access allow localnet
> > http_access allow localhost manager
> > http_access deny !auth
> > http_access allow auth
> > http_access deny all
> > ...
> > url_rewrite_program /usr/bin/squidGuard -c 
> > /etc/squidguard/squidGuard.conf
> > url_rewrite_children 5
> >
> > Does anyone know further? Thanks in advance.
> > - Kevin
> >
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > http://lists.squid-cache.org/listinfo/squid-users
>
> Hi,
>
>
> 1. There is no point in testing kerberos (kinit) when you're going to 
> use ntlm_auth helper; squid has it's spnego helper, 'negotiate_wrapper 
> ', which is capable doing negotiation between kerberos and NTLM.  Just 
> look for squid-helpers package for your OS; if it's not in OS repo, 
> check http://ngtech.co.il/repo/ - Eliezer is doing really good job here.
>
> If kerberos is working in your environment, I would use 
> negotiate_wrapper or negotiate_kerberos_auth.  Good thing about 
> negotiate_wrapper is -d switch, which is giving you a good portion of 
> debug info in cache.log
>
> Really, NTLM is bitchy and it is not primary protocol even in MS 
> systems since 2003/XP. If you can fulfill kerberos' requirements in 
> your environment,  I would go into kerberos, not NTLM.
>
>
> 2. My guess is that you have problem with access to 
> windbind_priviledged pipe; can you perform usr/bin/ntlm_auth 
> --helper-protocol=squid-2.5-ntlmssp --username=testuser 
> --password=...et cetera witch ptrace? There is still a mess with 
> winbind's pipe location; /var/run/samba vs /var/lib/samba, perharps 
> you need some symlinking, ptrace can give you a clue.

The *full* setup related to Squid and winbind permissions is detailed at 
<http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions> 
- pay particular attention to the three notes. Do ONLY what is 
specifically mentioned there, any other permissions fiddling done will 
only screw things up.


> 3. Sometimes - just sometimes - passing --domain=DOMAIN_NAME to 
> /usr/bin/ntlm_auth resolves cosmic issues. Sometimes it's 
> DOMAIN\username vs just username in --username.
>
>
> Last thing is error message: "BH SPNEGO request invalid prefix".  It 
> is strange, at least for me. SPNEGO reply is rather kerberos or 
> negotiate reply; not ntlm_auth. What distro are you using?

That output happened because Kevin passed the clear text (Basic auth) 
username/password to the helper when it was running in NTLM mode.  As 
you may notice the exact same input works fine when the helper is run in 
Basic mode.

When the helper is run with --helper-protocol=squid-2.5-ntlmssp the 
input it is expecting is the base64 encoded NTLMSSP object as found in 
the HTTP request headers. Squid does *not* decode the received header 
before sending it to the helper. The helper will respond with the crypto 
hunk to be sent to the client.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users