[squid-users] NTLM auth not doing what it should..help!

From: P D <sarcasmo2005@dont-contact.us>
Date: Thu, 26 Jan 2006 16:52:56 +0000

Greetings all,
For the past week I've been trying going demented trying to figure out
how to get squid working with AD groups, and despite everything I've
tried I can't get any joy. At this point I'm not sure if this is a
squid problem or a samba problem. I think it's a problem with
wb_group.pl but I'm not sure. :-/
I'd be grateful if someone could lend a hand and help me track the
root of this problem. I recon its something very minor that I'm
missing, if I can get this working I'll gladly provide the HOWTO doc
which I'm writing up on this. I think it would be of vaule to people
looking to build a box like this from scratch.

I'm using RHEL4, and using stable source code releases of
samba(3.0.21a) and squid(2.5Stable12). I've attached the squidconfig,
and samples of the cachelog and accesslog.

To verify that samba is talking to AD I have tried the following:
"wbinfo -a pauld%squidpassword" responds with "challenge/response
password authentication succeeded"
"wbinfo -u |grep pauld" it responds with my useridfrom the AD network "pauld"

I have a group setup on AD called "InternetAllowed", doing "wbinfo -g
|grep InternetAllowed" returns the group "InternetAllowed"
"wbinfo -t" responds with "checking the trust secret via RPC calls succeeded"

I have set a userid , using wbinfo
--set-auth-user=squid%squidpassword, to retreive the userid
information from AD.
This is verified from the command "wbinfo --get-auth-user" which
correctly returns "MYDOMAIN/squid%squidpassword"

My userid is a member of the AD group "InternetAllowed", but when I
try the command "/usr/libexec/wbinfo_group.pl",
and enter "MYDOMAIN/pauld InternetAllowed" the reponse from the
wbinfo_group.pl script is "ERR" I'm not sure why this is responding
with an error??

If I try: "ntlm_auth --username=pauld --domain=FINEOS
--require-membership-of=MYDOMAIN/InternetAllowed" I get the response
"NT_STATUS_OK: Success (0x0)" when I have entered my password in
correctly.

On the squid side of things: If I start squid, with a basic acl in the
config of including the following:
  acl allowedUsers external ad_group InternetAllowed
  acl Authenticated proxy_auth REQUIRED
  http_access allow allowedUsers Authenticated

It seems like squid is not getting the NTLM authentication request
correctly, so instead decides that access should be denied instead.
I then try to look up something like http://www.google.com The
cache.log returns at the end of the log,amongst the following:
  aclCheck: checking 'http_access allow allowedUsers Authenticated'
  aclMatchAclList: checking allowedUsers
  aclMatchAcl: checking 'acl allowedUsers external ad_group InternetAllowed'
  authenticateAuthenticate: header NTLM
TlRMTVNTUAADAAAAGAAYAFoAAAAYABgAcgAAAAYABgBIAAAABgAGAE4AAAAGAAYAVAAAAAAAAACKAAAABgIAAgUBKAoAAAAPRklORU9TREVBU1lQSUVMMDAx0XnDVgB37W1tBsACJ62zOgFS3/19xEwSSaLbNJCe4yZ5qjQKBcG2LElrnci6FF0w.
  authenticateAuthenticate: This is a new checklist test on FD:44
  aclMatchAcl: returning 0 sending credentials to helper.
  aclMatchAclList: no match, returning 0
  aclCheck: checking password via authenticator
  aclCheck: checking 'http_access allow allowedUsers Authenticated'
  aclMatchAclList: checking allowedUsers
  aclMatchAcl: checking 'acl allowedUsers external ad_group InternetAllowed'
  authenticateAuthenticate: header NTLM
TlRMTVNTUAADAAAAGAAYAFoAAAAYABgAcgAAAAYABgBIAAAABgAGAE4AAAAGAAYAVAAAAAAAAACKAAAABgIAAgUBKAoAAAAPRklORU9TREVBU1lQSUVMMDAx0XnDVgB37W1tBsACJ62zOgFS3/19xEwSSaLbNJCe4yZ5qjQKBcG2LElrnci6FF0w.
  aclMatchAclList: no match, returning 0
  aclCheck: checking 'http_access allow allowedUsers Authenticated'
  aclMatchAclList: checking allowedUsers
  aclMatchAcl: checking 'acl allowedUsers external ad_group InternetAllowed'
  aclMatchAclList: no match, returning 0
  aclCheck: checking 'http_access deny all'
  aclMatchAclList: checking all
  aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
  aclMatchIp: '192.168.125.44' found
  aclMatchAclList: returning 1
  aclCheck: match found, returning 0
  aclCheckCallback: answer=0
  The request GET http://www.google.com/ is DENIED, because it matched 'all'
(see the attached squidconf for further reference)

I'm thinking the wbinfo_group.pl script is not passing the call correctly.
I have PATH statements set correctly for wbinfo(i.e PATH includes
/usr/local/bin).
I have explicitly set the call to wbinfo in wbinfo_group.pl to point
to /usr/local/bin/wbinfo
I have also set the LANG variable to C rather than the UTF-8 value.

But it seems everything I try is failing to produce the desired
result. If anyone can shed some light it would be most appreciated.
As I mentioned if I get this working I'll provide the HOWTO doc that
I've drawn up, from my many rebuilds and days spent on this.

The box was built scratch, minimal RHEL4 install with only the
developer tools installed (from CDs)
- Built NTP source, and configured it to ensure that time was in synch
with the AD controllers.
- Next built samba using the following configure command:
./configure --prefix=/usr --localstatedir=/var
--with-configdir=/etc/samba --with-privatedir=/etc/samba \
        --with-fhs --with-quotas --with-msdfs --with-smbmount --with-ads
--with-pam --with-pam_smbpass \
        --with-syslog --with-utmp
--with-sambabook=/usr/share/swat/using_samba
--with-swatdir=/usr/share/swat \
        --with-libsmbclient --with-winbind --with-winbind-auth-challenge

- Configured Squid using the following command:
./configure --prefix=/usr --datadir=/usr/share --localstatedir=/var
--sysconfdir=/etc/squid \
           --infodir=/usr/share/info --mandir=/usr/share/man --enable-snmp
--enable-ssl --enable-auth=ntlm,basic \
        --enable-external-acl-helpers=wbinfo_group

- verified kerberos was working with the box (kinit, etc)
- joined the box to the domain
- began trying the squid configuration.
- now stuck :)

Received on Thu Jan 26 2006 - 09:52:58 MST

This archive was generated by hypermail pre-2.1.9 : Wed Feb 01 2006 - 12:00:01 MST