RE: [squid-users] NTLM & Domain Membership Issue

From: Jay Turner <jturner@dont-contact.us>
Date: Thu, 31 Jul 2003 09:38:24 +0800

Hi Guido,

I don't think this is the problem.

Preliminary testing is pointing to incorrect security policies being
deployed to the client workstations with LAN Authentication set to "NTLM
Responses only" rather than "LM & NTLM Responses".

I am still proving this in the development environment and am scheduled to go
back out onsite tomorrow to test if this resolves the issue in the
production environment.

I'll inform the list of my results.

Thanks
Jay

> -----Original Message-----
> From: Serassio Guido [mailto:guido.serassio@acmeconsulting.it]
> Sent: Thursday, 31 July 2003 3:53 AM
> To: jturner@bsis.com.au; Serassio Guido
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] NTLM & Domain Membership Issue
>
>
> Hi Jay,
>
> Sorry for the delayed response, but now I'm very busy.
>
> At 07.16 27/07/2003, Jay Turner wrote:
>
>
>
> > > -----Original Message-----
> > > From: Serassio Guido [mailto:guido.serassio@acmeconsulting.it]
> > > Sent: Saturday, 26 July 2003 3:20 PM
> > > To: jturner@bsis.com.au
> > > Cc: squid-users@squid-cache.org
> > > Subject: Re: [squid-users] NTLM & Domain Membership Issue
> > >
> > >
> > > Hi,
> > >
> > > At 08.05 26/07/2003, Jay Turner wrote:
> > >
> > > >Hi All,
> > > >
> > > >I am experiencing an unusual problem with NTLM and Domain
> > > >Membership.
> > > >
> > > >Environment:
> > > >Red Hat 7.3
> > > >Squid 2.5-STABLE2
> > > >Samba 2.2.7-3.7.3 (Red Hat)
> > > >Windows 2000 AD server (Native Mode with Pre-2000 compatibility)
> > > >WinXP SP1, IE6 SP1 + all current patches applied
> > > >
> > > >Background:
> > > >I have deployed Squid and NTLM a number of times now so I have a bit
> > > >of experience installing & troubleshooting it.
> > > >Winbindd is working correctly from the command line with wbinfo -t,
> > > >-u, -g, -r and -a all performing correctly.
> > > >wb_auth from the command line also works correctly and so does
> > > >wb_group. So from what I can see Winbindd is working fine.
> > > >
> > > >If I have a client computer (Win2000 or WinXP) that is on the
> > > >network, but not a member of the domain, and I access the proxy, I
> > > >receive an authentication window. This is correct as NTLM will fail
> > > >as it is not a member of the domain and fall back to Basic. I can
> > > >enter a valid username/password/domain and then access the proxy
> > > >correctly. Cache and access.log all report the correct behaviour as
> > > >I expect.
> > > >
> > > >As soon as I add this client computer to become a member of the
> > > >domain, everything stops working.
> > > >NTLM authentication does not work, and neither does Basic
> > > >authentication.
> > > >The browser sits there for a second then displays the standard IE
> > > >'Page cannot be found'.
> > > >
> > > >I have increased debugging on Authentication in squid.conf and run
> > > >winbindd in debug mode (winbindd -i -d 3) to try and establish the
> > > >problem. When a client on the domain requests a page cache.log
> > > >reports
> > > >"authenticateValidateUser: Validating Auth_user request '0x8413238'"
> > > >"authenticateValidateUser: Validated Auth_user request '0x8413238'"
> > > >"User not fully authenticated"
> > > >
> > > >But nothing is being recorded by Winbindd (as opposed to when it
> > > >works).
> > > >
> > > >This message could hold the key, but I'm not entirely sure where I
> > > >should look next for this.
> > > >
> > > >I have reams of log files with debugging turned right up which I can
> > > >post specific sections of if required, but I'm not going to post all
> > > >of them now for people to wade through.
> > > >
> > > >I commented out wb_ntlmauth in squid.conf and tried using just
> > > >wb_auth to see if I could get the basic auth to work and that did
> > > >the same thing.
> > > >
> > > >The interesting thing is that I brought this server back to my
> > > >office and changed its IP address and made it a member of our
> > > >Windows NT4 domain and then using the same Win XP client from the
> > > >other network (it's a laptop) it works perfectly!!
> > > >
> > > >This leads me to believe that there must be something in the way
> > > >their AD is set up that might be causing this problem??
> > > >
> > > >Any advice will be greatly appreciated.
> > >
> > > Some tips:
> > >
> > > - Have you restarted Squid after disabling NTLM authentication?
> > > - an AD replication problem? Samba should always use the DC that
> > > acts as PDC emulator
> > > - some strange behaviour of DNS caching
> > >
> > > Hoping to help you
> > >
> > > Regards
> > >
> > > Guido
> >
> >Hi Guido,
> >
> >1) I don't specifically remember restarting Squid, but I would have
> >definitely issued a 'squid -k reconfigure'.
> >Is it necessary when dealing with winbind to actually issue 'service
> >squid restart'?
>
> If I'm not wrong, when the authentication schemes are changed, squid
> should be restarted.
>
> >2) I'm not a Windows 2000 admin (which makes this harder) so while I
> >understand what you are saying, I'm not sure how it might affect me
> >and this install. I believe there is only one AD server that
> >authenticates user logins in this network but I will follow that up.
> >
> >3) It's funny you mention DNS caching because I did notice some
> >strange DNS behaviour onsite.
>
> It's not so funny, AD domains are DNS based and Microsoft DNS is
> sometimes very strange ....
>
> >While trying to isolate the problem I noticed by using netstat that
> >connections were being opened from the Squid server webcache port to
> >the netbios name of the computer that *wasn't* a member of the domain
> >without a problem. It was correctly identifying its netbios name and
> >it was returning responses.
> >
> >When the other computer *was* a member of the domain (at this point I
> >had one 2000 machine that *wasn't* a member of the domain working, in
> >conjunction with another computer that was WinXP and *was* on the
> >domain and not working) netstat was showing connections being opened
> >from the Squid webcache port to a computer with a netbios name that
> >doesn't even exist anymore.
> >The Win2000 admin removed this old entry from the DNS cache but it
> >didn't seem to make a difference. Perhaps we didn't allow enough time
> >for it to replicate? The strange thing was that from the Squid server
> >command line you could not ping the netbios named computer because it
> >said it could not resolve the host name, yet Squid was still trying
> >to establish connections to it. (the connection netstat status was
> >TIME_WAIT from memory).
> >
> >In an attempt to combat a possible DNS issue I statically assigned
> >the IP address of the working Win2000 machine to the not working
> >domain member WinXP machine, but still no good. I also changed the IP
> >address of the Squid server as the IP address it had originally was
> >an old IP address that still had a DNS entry for the server that used
> >to have this address's name.
>
> Do you use WINS too on your network? And if the answer is yes, do you
> have WINS lookup enabled in your DNS?
>
> If the WINS database is consistent, see the Netbios Domain Name object
> 1Ch, Samba can use it, see smb.conf.
>
> Regards
>
> Guido
>
>
>
> -
> ========================================================
> Guido Serassio
> Acme Consulting S.r.l.
> Via Gorizia, 69 10136 - Torino - ITALY
> Tel. : +39.011.3249426 Fax. : +39.011.3293665
> Email: guido.serassio@acmeconsulting.it
> WWW: http://www.acmeconsulting.it/
>
Received on Wed Jul 30 2003 - 19:36:46 MDT