[squid-users] Re: ntlm_auth question/problem

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sun, 22 Jun 2008 18:42:05 +0100

Does nobody use ntlm_auth?

Markus

"Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
news:g317rp$9v7$1_at_ger.gmane.org...
> I am trying to authenticate users with ntlm_auth but fail and don't find
> the reason. I see the initial NTLM challenge, but then the browser doesn't
> continue the next NTLM step (at least that is what I think happens).
>
> Any idea what I did wrong?
>
> Thank you
> Markus
>
> uname -a
> Linux Opensuse 2.6.22.17-0.1-default #1 SMP 2008/02/10 20:01:04 UTC i686
> i686 i386 GNU/Linux
> Opensuse:~ # cat /etc/SuSE-release
> openSUSE 10.3 (i586)
> VERSION = 10.3
>
> squid -v
> Squid Cache: Version 2.6.STABLE14
> configure options: '--prefix=/usr' '--sysconfdir=/etc/squid'
> '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var'
> '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid'
> '--mandir=/usr/share/man' '--with-dl' '--with-maxfd=4096'
> '--with-valgrind-debug' '--enable-snmp' '--enable-carp'
> '--enable-auth=basic digest negotiate ntlm'
> '--enable-basic-auth-helpers=LDAP MSNT NCSA PAM SMB YP getpwnam
> multi-domain-NTLM' '--enable-ntlm-auth-helpers=SMB fakeauth no_check'
> '--enable-digest-auth-helpers=ldap password'
> '--enable-external-acl-helpers=ip_user ldap_group session unix_group
> wbinfo_group' '--enable-ntlm-fail-open' '--enable-arp-acl' '--enable-htcp'
> '--enable-underscores' '--enable-stacktraces' '--enable-delay-pools'
> '--enable-useragent-log' '--enable-referer-log' '--enable-forward-log'
> '--enable-multicast-miss' '--enable-ssl' '--enable-cache-digests'
> '--enable-auth-on-acceleration'
> '--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-linux-netfilter'
> '--enable-removal-policies=heap,lru' '--enable-icmp'
> '--with-samba-sources=/usr/include/samba' '--enable-large-cache-files'
> '--enable-x-accelerator-vary' '--enable-follow-x-forwarded-for'
> 'CFLAGS=-O2 -march=i586 -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2
> -fstack-protector -g -fPIE -DLDAP_DEPRECATED -fno-strict-aliasing'
> 'LDFLAGS=-pie'
>
>
> squid.conf:
>
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> access_log /var/log/squid/access.log squid
> auth_param ntlm program /usr/sbin/ntlm_auth -d WIN2003R2\\w2k3r2
> auth_param ntlm children 5
> auth_param ntlm keep_alive on
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 8333
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl authenticated proxy_auth REQUIRED
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow authenticated
> http_access deny all
> icp_access allow all
> coredump_dir /var/cache/squid
>
> cache.log
>
> ntlm_auth[8452](ntlm_auth.c:284): managing request
> ntlm_auth[8452](ntlm_auth.c:290): ntlm authenticator. Got 'YR
> TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD1dJTlhQV0lOMjAwM1Iy'
> from Squid
> ntlm_auth[8452](ntlm_auth.c:239): obtain_challenge: selecting
> WIN2003R2\W2K3R2 (attempt #1)
> ntlm_auth[8452](ntlm_auth.c:251): attempting challenge retrieval
> ntlm_auth[8452](libntlmssp.c:119): Connecting to server W2K3R2 domain
> WIN2003R2
> ntlm_auth[8452](ntlm_auth.c:253): make_challenge retuned 0x8000ef60
> ntlm_auth[8452](ntlm_auth.c:255): Got it
> ntlm_auth[8452](ntlm_auth.c:437): sending 'TT
> TlRMTVNTUAACAAAACQAJACgAAACCgkEAyigxBxKJUqQAAAAAAAAAAFdJTjIwMDNSMg==' to
> squid
>
>
> Wireshark capture:
>
> GET http://www.bbc.co.uk/ HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/x-shockwave-flash, */*
> Accept-Language: en-us
> UA-CPU: x86
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
> 2.0.50727)
> Proxy-Authorization: NTLM
> TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD1dJTlhQV0lOMjAwM1Iy
> Proxy-Connection: Keep-Alive
> Host: www.bbc.co.uk
>
> HTTP/1.0 407 Proxy Authentication Required
> Server: squid/2.6.STABLE14
> Date: Sat, 14 Jun 2008 18:55:14 GMT
> Content-Type: text/html
> Content-Length: 1310
> Expires: Sat, 14 Jun 2008 18:55:14 GMT
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Proxy-Authenticate: NTLM
> TlRMTVNTUAACAAAACQAJACgAAACCgkEAiqcyv4MUME0AAAAAAAAAAFdJTjIwMDNSMg==
> X-Cache: MISS from opensuse.suse.home
> X-Cache-Lookup: NONE from opensuse.suse.home:3128
> Via: 1.0 opensuse.suse.home:3128 (squid/2.6.STABLE14)
> Proxy-Connection: keep-alive
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
> "http://www.w3.org/TR/html4/loose.dtd">
> <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;
> charset=iso-8859-1">
> <TITLE>ERROR: Cache Access Denied</TITLE>
> <STYLE
> type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
> </HEAD>
> <BODY>
> <H1>ERROR</H1>
> <H2>Cache Access Denied</H2>
> <HR noshade size="1px">
> <P>
> While trying to retrieve the URL:
> http://www.bbc.co.uk/
> <P>
> The following error was encountered:
> <UL>
> <LI>
> <STRONG>
> Cache Access Denied.
> </STRONG>
> </UL>
> </P>
>
> <P>Sorry, you are not currently allowed to request:
> <PRE> http://www.bbc.co.uk/</PRE>
> from this cache until you have authenticated yourself.
> </P>
>
> <P>
> You need to use Netscape version 2.0 or greater, or Microsoft Internet
> Explorer 3.0, or an HTTP/1.1 compliant browser for this to work. Please
> contact the <A HREF="mailto:webmaster">cache administrator</a> if you have
> difficulties authenticating yourself or
> change your
> default password.
> </P>
>
> <BR clear="all">
> <HR noshade size="1px">
> <ADDRESS>
> Generated Sat, 14 Jun 2008 18:55:14 GMT by opensuse.suse.home
> (squid/2.6.STABLE14)
> </ADDRESS>
>
> The Squid server is part of the domain (e.g. wbinfo -g works fine).
>
> wbinfo -g
> WIN2003R2\iis_wpg
> WIN2003R2\session directory computers
> WIN2003R2\domain computers
> WIN2003R2\domain controllers
> WIN2003R2\schema admins
> WIN2003R2\enterprise admins
> WIN2003R2\cert publishers
> WIN2003R2\domain admins
> WIN2003R2\domain users
> WIN2003R2\domain guests
> WIN2003R2\group policy creator owners
> WIN2003R2\ras and ias servers
> WIN2003R2\dnsadmins
> WIN2003R2\dnsupdateproxy
> WIN2003R2\certsvc_dcom_access
> WIN2003R2\win2003r2users
> WIN2003R2\sqlserver2005sqlbrowseruser$w2k3r2
> WIN2003R2\sqlserver2005mssqlserveradhelperuser$w2k3r2
> WIN2003R2\sqlserver2005mssqluser$w2k3r2$sqlexpress
> WIN2003R2\solarisgroup
> WIN2003R2\susegroup
> WIN2003R2\squid_allow
>
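The two NTLMSSP blobs quoted above (the Type 1 negotiate in the browser's Proxy-Authorization header and the Type 2 challenge in Squid's Proxy-Authenticate reply, plus the Type 2 from the cache.log line) can be decoded offline to see what each side actually negotiated before the browser went quiet. The Python below is an added example written for this archive page, not code from the original post, from Squid or from Samba; it embeds the captured base64 strings as constructed input and implements the MS-NLMP Type 1 and Type 2 layouts directly (the flag names follow MS-NLMP section 2.2.2.5).

```python
import base64
import struct

# Constructed input: the NTLMSSP messages captured in the post, copied from
# the browser's Proxy-Authorization header (Type 1), Squid's 407
# Proxy-Authenticate header (Type 2, Wireshark) and the ntlm_auth cache.log
# line (Type 2, helper output; a separate attempt, so a different challenge).
TYPE1_B64 = "TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD1dJTlhQV0lOMjAwM1Iy"
TYPE2_B64 = "TlRMTVNTUAACAAAACQAJACgAAACCgkEAiqcyv4MUME0AAAAAAAAAAFdJTjIwMDNSMg=="
TYPE2_CACHELOG_B64 = "TlRMTVNTUAACAAAACQAJACgAAACCgkEAyigxBxKJUqQAAAAAAAAAAFdJTjIwMDNSMg=="

NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_VERSION = 0x02000000

# NEGOTIATE flag bits from MS-NLMP 2.2.2.5 (the subset that matters here).
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00400000: "REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}


def flag_names(flags):
    """Names of the known flag bits set in `flags`, lowest bit first."""
    return [name for bit, name in sorted(NTLM_FLAGS.items()) if flags & bit]


def _field(data, off, flags):
    """Read a security buffer (len, maxlen, offset) and return its string."""
    length, _maxlen, offset = struct.unpack_from("<HHI", data, off)
    raw = data[offset:offset + length]
    # Strings are UTF-16LE when NEGOTIATE_UNICODE is set, otherwise OEM
    # (decoded as latin-1 so an odd code page byte cannot raise).
    return raw.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1")


def parse_ntlm(b64):
    """Parse a base64 NTLMSSP Type 1 or Type 2 message into a dict."""
    data = base64.b64decode(b64)
    if data[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", data, 8)[0]
    if mtype == 1:
        flags = struct.unpack_from("<I", data, 12)[0]
        msg = {
            "type": 1,
            "flags": flags,
            # Type 1 domain/workstation are always OEM strings.
            "domain": _field(data, 16, 0),
            "workstation": _field(data, 24, 0),
            "version": None,
        }
        if flags & NEGOTIATE_VERSION and len(data) >= 40:
            # ProductMajorVersion, ProductMinorVersion, ProductBuild
            msg["version"] = struct.unpack_from("<BBH", data, 32)
        return msg
    if mtype == 2:
        flags = struct.unpack_from("<I", data, 20)[0]
        msg = {
            "type": 2,
            "flags": flags,
            "target_name": _field(data, 12, flags),
            "challenge": data[24:32],
            "target_info": b"",
        }
        # The target-info buffer exists only in the 48-byte header form;
        # the helper in the post emits the short 40-byte form without it.
        if flags & NEGOTIATE_TARGET_INFO and len(data) >= 48:
            length, _m, offset = struct.unpack_from("<HHI", data, 40)
            msg["target_info"] = data[offset:offset + length]
        return msg
    raise ValueError("unexpected NTLMSSP message type %d" % mtype)


def dropped_flags(type1, type2):
    """Flags the client offered in Type 1 that the server left out of Type 2."""
    return flag_names(type1["flags"] & ~type2["flags"])


if __name__ == "__main__":
    t1, t2, t2log = (parse_ntlm(b) for b in (TYPE1_B64, TYPE2_B64, TYPE2_CACHELOG_B64))
    for label, m in (("Type 1 (browser)", t1), ("Type 2 (Wireshark)", t2), ("Type 2 (cache.log)", t2log)):
        print(label, {k: (v.hex() if isinstance(v, bytes) else v) for k, v in m.items()})
        print("   flags:", ", ".join(flag_names(m["flags"])))
    print("offered by client, not set by server:", dropped_flags(t1, t2))
```

Running it shows the client (product version 5.1.2600, workstation WINXP, domain WIN2003R2) offering UNICODE, REQUEST_TARGET, NTLM, ALWAYS_SIGN, extended session security, VERSION, 128 and 56, while the helper's challenge carries only OEM, LM_KEY, NTLM, ALWAYS_SIGN, TARGET_TYPE_DOMAIN and REQUEST_NON_NT_SESSION_KEY, no target-info block, and target name WIN2003R2; the Wireshark and cache.log challenges differ (8aa732bf8314304d versus ca283107128952a4), so they are two separate attempts, not one exchange. Which of the dropped flags, if any, is what stops this IE7 after the challenge is not established by the post; comparing this decode against a Type 2 from a setup that does work is the obvious next check.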
Received on Sun Jun 22 2008 - 17:42:22 MDT

This archive was generated by hypermail 2.2.0 : Mon Jun 23 2008 - 12:00:05 MDT