Re: [squid-users] Authentication Issue with Squid and mixed BASIC/NTLM auth

Um, something weird is going on. I'm a little scared by the double sets
of bad news.
Can you confirm that your in-use systems are okay. I haven't led you to
a point where anything serious is broken? (ie this is all isolated on a
test machine where its okay to break?)

Chris Natter wrote:
> Hmmm, strange. I tested 2.7STABLE4, but it doesn't seem to be stripping
> the DOMAIN, it will still accept only DOMAIN\USERNAME. Perhaps I'm
> missing something?

I've looked at it closer. And the patches which I saw earlier were for a
slightly different helper (mapping NTLM front-end auth to LDAP backend)

Henrik informs me that NTLM always needs the domain. Which makes me
wonder why you didn't in 3.0.

>
> I also tested squid-3.1-20081016, built with a spec file adopted from a
> squid3.0STABLE7 Redhat package:
>
> configure \
> --exec_prefix=/usr \
> --bindir=%{_sbindir} \
> --libexecdir=%{_libdir}/squid \
> --localstatedir=/var \
> --datadir=%{_datadir} \
> --sysconfdir=/etc/squid \
> --disable-dependency-tracking \
> --enable-arp-acl \
> --enable-auth="basic,digest,ntlm,negotiate" \
>
> --enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-do
> main-NTLM,SASL" \
> --enable-cache-digests \
> --enable-cachemgr-hostname=localhost \
> --enable-delay-pools \
> --enable-digest-auth-helpers="password" \
> --enable-epoll \
>
> --enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_grou
> p" \
> --enable-icap-client \
> --enable-ident-lookups \
> --enable-linux-netfilter \
> --enable-ntlm-auth-helpers="SMB,fakeauth" \
> --enable-referer-log \
> --enable-removal-policies="heap,lru" \
> --enable-snmp \
> --enable-ssl \
> --enable-storeio="aufs,coss,diskd,,ufs" \
> --enable-useragent-log \
> --enable-wccpv2 \
> --with-default-user="squid" \
> --with-filedescriptors=16384 \
> --with-dl \
> --with-openssl=/usr/kerberos \
> --with-pthreads
>
> And it looks like NTLM could be broken (I don't want to make
> assumptions). I was unable to pass credentials in either the
> DOMAIN\USERNAME or USERNAME format to OWA through squid. It also forced
> an NTLM prompt for Firefox that I had to escape out of before I could
> authenticate with BASIC auth.
>
> I wasn't able to test spell-check as I couldn't authenticate to the OWA
> server.

That is a worry for us. Thanks for testing and finding the issue.
This is the first bug report on connection pinning.
for our info: did you have the "login=PASS" on the cache_peer line? and
woudld you mind sharing the config?

Amos

>
> Thanks!
> -Chris
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Thursday, October 16, 2008 5:37 AM
> To: Chris Natter
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Authentication Issue with Squid and mixed
> BASIC/NTLM auth
>
> Chris Natter wrote:
>> We were having issues with spell-check in 3.0, I haven't tried any of
>> the development builds to see if it was resolved though in a later
>> release.
> >
>> OWA spell-check just seems to hang when you attempt to spell-check an
>> email, or gives the "try again later" prompt. I saw some previous
>> postings on the archive of the mailing list, but most of them are very
>> outdated.
>>
>> I'll have to build an RPM of squid 2.7 and check to see if that solves
>> both issues.
>
> Ah, now that you mention it I vaguely recall the topic as it flew past a
>
> while back.
>
> Yes, 2.7 is likely the most dependable to have both combos of fixes you
> need.
>
> Without knowing the cause the spellcheck issue _may_ have been resolved
> in 3.1. Both of the MS workarounds and 'unknown method' support are now
>
> present. If you have a spare moment and are inclined to test it please
> let us know the result. If you still hit bad news for 3.1, its
> definitely a bug that needs looking into at some point.
>
> Amos
>
>> Thanks for the help.
>>
>> -----Original Message-----
>> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
>> Sent: Wednesday, October 15, 2008 6:46 PM
>> To: Chris Natter
>> Cc: squid-users_at_squid-cache.org
>> Subject: Re: [squid-users] Authentication Issue with Squid and mixed
>> BASIC/NTLM auth
>>
>>> Hey all,
>>>
>>>
>>>
>>> I've got a tough situation I'm hoping someone can help me with.
>>>
>>>
>>>
>>> We 'downgraded' from an old 3.0PRE build that a predecessor had setup
>> on a
>>> reverse proxy, to squid 2.6.STABLE20. The proxy runs your standard
> OWA
>>> over Reverse Proxy setup, with login=PASS to an OWA backend running
>> with
>>> BASIC/NTLM auth. We have to have the NTLM for phones that sync with
>>> ActiveSync.
>>>
>>>
>>>
>>> It seems like something fundamental has changed in the way squid
>> handles
>>> auth from 3.0 to squid 2.6. Using firefox on 2.6, I can auth with
> just
>>> 'USERNAME', with IE on 2.6 we have to type "DOMAINUSERNAME" or
>>> "USER_at_DOMAIN" now. Previously, with squid 3.0, just 'USERNAME' would
>> work
>>> for auth.
>>>
>>>
>>>
>>> While this seems trivial, anything harder than just 'USERNAME'
> boggles
>> a
>>> lot of users. I'm assuming this has something to do with 'attempting
>> NTLM'
>>> negotiation? Is there a way around it in squid 2.6?
>>>
>> The cleaner @DOMAIN handling was only added to Squid 2.7+ and 3.0+.
> You
>> will need an upgrade again to one of those versions at least.
>>
>> What caused you to downgrade though? perhapse its been fixed now in
> 3.1?
>> Amos
>
>

-- 
Please use Squid 2.7.STABLE4 or 3.0.STABLE9