Re: [squid-users] NTLM authentication testing

From: Richard Wall <richard@dont-contact.us>
Date: Tue, 19 Feb 2008 15:36:32 +0000

On 2/19/08, Guido Serassio <guido.serassio@acmeconsulting.it> wrote:
> At 14:40 19/02/2008, Richard Wall wrote:
> >First problem is that you have to reinterpret the Squid reported hit
> >ratios when using NTLM auth. Only half of these are hits, the other
> >half being TCP_DENIED/407 that form part of the NTLM auth negotiation.
> This is caused by the NTLM over HTTP authentication sequence, look
> here for details:
> http://davenport.sourceforge.net/ntlm.html

Guido,

Yep, I've looked at it, but have not completely absorbed it yet :)

> >Second problem is that the majority of requests seem to result in auth
> >requests to the DC. There is an article describing Win2003 performance
> >counters showing Number of auth requests / sec, but those counters
> >don't seem to exist on my copy.
> > * http://support.microsoft.com/kb/928576
> Correct, you should request the hotfix from Microsoft.

Thanks, will search it out.

> What Samba version are you using?
> I remember that in Samba 3.0.25 there were big changes in winbindd
> regarding off-line logon support, but I don't know if this could help.

# /usr/upgrade/samba/sbin/winbindd --version
Version 3.0.24

So I guess I'll try compiling the latest version. Thanks for the tip.

> Another question, what type of NTLM authentication is supported by curl ?
> Lan manager/NTLMv1 or full NTLMv2 ? (See the previous link for details)

I'm not sure, but in full debug mode, curl will show the various
headers it exchanges with the server.
It seems to correspond to:
 * http://devel.squid-cache.org/ntlm/client_proxy_protocol.html

...but of course we're starting at point 4 which means that in real
life, there'd be even more squid requests I guess.

Anyway, here's the output from curl. Does this give enough information
to work out which type is being used?

{{{

* About to connect() to proxy 10.0.0.12 port 800 (#0)
* Trying 10.0.0.12... connected
* Connected to 10.0.0.12 (10.0.0.12) port 800 (#0)
* Proxy auth using NTLM with user 'COVENTRYOFFICE\stafftest'
> GET http://www.squid-cache.org/Images/img4.jpg HTTP/1.1
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
> User-Agent: curl/7.16.4 (i486-pc-linux-gnu) libcurl/7.16.4 OpenSSL/0.9.8e zlib/1.2.3.3 libidn/1.0
> Host: www.squid-cache.org
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* HTTP 1.0, assume close after body
< HTTP/1.0 407 Proxy Authentication Required
< Server: squid/2.6.STABLE17
< Date: Tue, 19 Feb 2008 15:03:05 GMT
< Content-Type: text/html
< Content-Length: 1371
< Expires: Tue, 19 Feb 2008 15:03:05 GMT
< X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
< Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAADgAOADAAAAAGgokAN+ZK+JnmUOEAAAAAAAAAAIoAigA+AAAAQ09WRU5UUllPRkZJQ0UCABwAQwBPAFYARQBOAFQAUgBZAE8ARgBGAEkAQwBFAAEAEABBAFAALQBUAEUAUwBUADIABAAcAGMAYQBjAGgAZQAuAGUAMgBiAG4ALgBvAHIAZwADAC4AYQBwAC0AdABlAHMAdAAyAC4AYwBhAGMAaABlAC4AZQAyAGIAbgAuAG8AcgBnAAAAAAA=
< X-Cache: MISS from ntlmsquidbox.test
< X-Cache-Lookup: NONE from ntlmsquidbox.test:800
< Via: 1.0 ntlmsquidbox.test:800 (squid/2.6.STABLE17)
* HTTP/1.0 proxy connection set to keep alive!
< Proxy-Connection: keep-alive
<
* Ignoring the response-body
{ [data not shown]
* Connection #0 to host 10.0.0.12 left intact
* Issue another request to this URL:
'http://www.squid-cache.org/Images/img4.jpg'
* Re-using existing connection! (#0) with host 10.0.0.12
* Connected to 10.0.0.12 (10.0.0.12) port 800 (#0)
* Proxy auth using NTLM with user 'COVENTRYOFFICE\stafftest'
> GET http://www.squid-cache.org/Images/img4.jpg HTTP/1.1
> Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAA4ADgBwAAAACQAJAH4AAAAIAAgAhwAAAAAAAAAAAAAABoKJAFb2ATKsj8TWAAAAAAAAAAAAAAAAAAAAAA6YY1ymLs5AgU5/lxbNCYtJnhdC67O5c0NPVkVOVFJZT0ZGSUNFc3RhZmZ0ZXN0cG9seXNydjE=
> User-Agent: curl/7.16.4 (i486-pc-linux-gnu) libcurl/7.16.4 OpenSSL/0.9.8e zlib/1.2.3.3 libidn/1.0
> Host: www.squid-cache.org
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Date: Tue, 19 Feb 2008 15:00:26 GMT
< Server: Apache/2.2.6 (FreeBSD) mod_ssl/2.2.6 OpenSSL/0.9.7e-p1 DAV/2
PHP/5.2.5 with Suhosin-Patch
< Last-Modified: Mon, 22 Jan 2007 10:51:58 GMT
< ETag: "6daaa8-7083-d9b9ef80"
< Accept-Ranges: bytes
< Content-Length: 28803
< Content-Type: image/jpeg
< Age: 159
< X-Cache: HIT from ntlmsquidbox.test
HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.6.STABLE17
Date: Tue, 19 Feb 2008 15:03:05 GMT
Content-Type: text/html
Content-Length: 1371
Expires: Tue, 19 Feb 2008 15:03:05 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAADgAOADAAAAAGgokAN+ZK+JnmUOEAAAAAAAAAAIoAigA+AAAAQ09WRU5UUllPRkZJQ0UCABwAQwBPAFYARQBOAFQAUgBZAE8ARgBGAEkAQwBFAAEAEABBAFAALQBUAEUAUwBUADIABAAcAGMAYQBjAGgAZQAuAGUAMgBiAG4ALgBvAHIAZwADAC4AYQBwAC0AdABlAHMAdAAyAC4AYwBhAGMAaABlAC4AZQAyAGIAbgAuAG8AcgBnAAAAAAA=
X-Cache: MISS from ntlmsquidbox.test
X-Cache-Lookup: NONE from ntlmsquidbox.test:800
Via: 1.0 ntlmsquidbox.test:800 (squid/2.6.STABLE17)
Proxy-Connection: keep-alive

HTTP/1.0 200 OK
Date: Tue, 19 Feb 2008 15:00:26 GMT
Server: Apache/2.2.6 (FreeBSD) mod_ssl/2.2.6 OpenSSL/0.9.7e-p1 DAV/2
PHP/5.2.5 with Suhosin-Patch
Last-Modified: Mon, 22 Jan 2007 10:51:58 GMT
ETag: "6daaa8-7083-d9b9ef80"
Accept-Ranges: bytes
Content-Length: 28803
Content-Type: image/jpeg
Age: 159
X-Cache: < X-Cache-Lookup: HIT from ntlmsquidbox.test:800
< Via: 1.0 ntlmsquidbox.test:800 (squid/2.6.STABLE17)
* HTTP/1.0 proxy connection set to keep alive!
< Proxy-Connection: keep-alive
<
{ [data not shown]
HIT from ntlmsquidbox.test
X-Cache-Lookup: HIT from ntlmsquidbox.test:800
Via: 1.0 ntlmsquidbox.test:800 (squid/2.6.STABLE17)
Proxy-Connection: keep-alive
}}}

> There are big differences in the security level and in the
> performance impact, and currently all browsers always use
> the NTLMv2 type automatically.

Doesn't the --helper-protocol=squid-2.5-ntlmssp in squid.conf
determine that NTLMv2 will be used? Looking at the man page for
ntlm_auth suggests that lanman auth would require different
parameters:

 * http://us1.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html

This may seem like a stupid question, and my vague understanding of
Kerberos may be way off, but aren't there better alternatives to NTLM
proxy auth if you're authenticating only against Active Directory
servers?

Doesn't Kerberos provide a time-limited token to the authenticated
Windows domain client that can be passed to other machines in the
domain as proof that the client is authenticated, and which can be
used to look up what services the client has access to?

In a perfect world, shouldn't Internet Explorer just pass this token
along with all requests to other machines in the same domain?

My aims are:
 * to have a proxy that is only available to authenticated Windows domain users.
 * that Internet Explorer should not prompt the user for their
username and password if they have already logged onto the domain.
 * that squid should be able to record usernames alongside requests in its logs.
 * that DansGuardian should be able to identify the username of the client.

Is there some way I can get all this without paying the penalty of NTLM auth?

Dear lazyweb, can anyone offer me alternatives? ;)

-RichardW
Received on Tue Feb 19 2008 - 08:36:41 MST
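As an added example (not from the mail, curl, Samba or Squid), a small parser that answers the question asked above about the curl trace: it decodes the Type 3 message from that trace, reads its security buffers and negotiate flags, and classifies the variant by the shape of the responses (an NTLMv2 response is longer than 24 bytes; the NTLM2 session response keeps 24-byte responses but fills the LM field with an 8-byte client nonce and 16 zero bytes). The flag constants are the standard NTLMSSP values; the base64 string is the Type 3 message copied from the trace.

```python
import base64
import struct

# NTLMSSP negotiate flags used below (standard NTLMSSP values):
# bit 0 = Unicode strings, 0x00080000 = "NTLM2" extended session security.
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_NTLM2 = 0x00080000

# Type 3 (authenticate) message copied from the curl trace in the mail above.
TYPE3_B64 = "TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAA4ADgBwAAAACQAJAH4AAAAIAAgAhwAAAAAAAAAAAAAABoKJAFb2ATKsj8TWAAAAAAAAAAAAAAAAAAAAAA6YY1ymLs5AgU5/lxbNCYtJnhdC67O5c0NPVkVOVFJZT0ZGSUNFc3RhZmZ0ZXN0cG9seXNydjE="


def _secbuf(data, off):
    """Read an NTLM security buffer (len, maxlen, offset) at off; return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", data, off)
    return data[offset:offset + length]


def parse_type3(b64):
    """Decode a base64 NTLM Type 3 message into its fields."""
    data = base64.b64decode(b64)
    if data[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", data, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    # The flags field is optional in the oldest (52-byte) Type 3 layout.
    flags = struct.unpack_from("<I", data, 60)[0] if len(data) >= 64 else 0
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    return {
        "lm_response": _secbuf(data, 12),
        "ntlm_response": _secbuf(data, 20),
        "domain": _secbuf(data, 28).decode(enc),
        "user": _secbuf(data, 36).decode(enc),
        "workstation": _secbuf(data, 44).decode(enc),
        "flags": flags,
    }


def classify(msg):
    """Tell NTLMv2 from the NTLMv1 variants by the shape of the two responses."""
    lm, ntlm = msg["lm_response"], msg["ntlm_response"]
    if len(ntlm) > 24:
        return "NTLMv2"  # 16-byte HMAC-MD5 followed by a variable-length blob
    if msg["flags"] & NEGOTIATE_NTLM2 and len(lm) == 24 and lm[8:] == bytes(16):
        # LM field carries an 8-byte client nonce padded with zeros
        return "NTLM2 session response (NTLMv1 with extended session security)"
    return "NTLMv1 or LM"


if __name__ == "__main__":
    msg = parse_type3(TYPE3_B64)
    print(msg["domain"], msg["user"], msg["workstation"], hex(msg["flags"]))
    print(classify(msg))
```

For the trace in the mail this reports a 24-byte NTLM response with the NTLM2 flag set and a zero-padded LM field, i.e. the NTLM2 session response rather than NTLMv2.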