Re: [squid-users] ntlm_auth problem with file of users

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 10 Feb 2012 15:42:37 +1300

On 8/02/2012 2:15 a.m., CyberSoul wrote:
> Hi all,
> could anyone give any suggestions for solving the following problem:
>
> I have configured squid with Single Sign-On (kerberos+samba+ntlm)
> So, the commands wbinfo -t, wbinfo -p, wbinfo -u, wbinfo -g are working well (domain is KNG, realm kng.local), examples:
> $wbinfo -u
> KNG\ldapreader
> KNG\testproxyad1
> KNG\testproxyad2
>
> $wbinfo -a kng\\ldapreader%12345678
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> squid.conf
> ....
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Proxy_AD
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> authenticate_cache_garbage_interval 10 seconds
> authenticate_ttl 0 seconds
> ...
>
> So, when the acl & http_access are as follows, it works:
> acl users proxy_auth REQUIRED
> ...
> http_access allow users
>
> But I need to give internet access by lists of users, so I re-edited the squid config & created a list:
> file /etc/squid/users.acl, which contains user names:
> ldapreader
> testproxyad1
> testproxyad2
>
> squid.conf
> ...
> acl users proxy_auth "/etc/squid/users.acl"
> ...
> http_access allow users
>
> After that, in the browser squid says "access denied",
> access.log:
> bla-bla-bla<IP-user> TCP_DENIED/407 1874 GET<bla-bla-bla> KNG\ldapreader NONE/- text/html
>
> Changing the file with names users.acl to this:
> KNG\ldapreader
> KNG\testproxyad1
> KNG\testproxyad2
>
> No result, "access denied".
>
> Added option in smb.conf [global]:
> winbind separator = \
>
> No result, "access denied".
>
> Checking ntlm_auth (basic), well done:
> $/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> kng\ldapreader 12345678
> OK
>
> Checking ntlm_auth (ntlmssp), well done:
> $/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> YR
> TT TlRMTVNTUAACAAAAAAAAADAAAAACAgAA7TEzPz/FpREAAAAAAAAAAAAAAAAwAAAA

This is the NTLM helper producing a challenge token to be sent to the
client for use in encoding the credentials it will send later.

The KK step validating the credentials token sent by the client is what
determines between valid and invalid login. The token can be found in
the Proxy-Authenticate: NTLM header.

>
> What's wrong? Why doesn't squid want to work with the list of users?
> Maybe I did not correctly edit squid.conf in the acl tag (acl users proxy_auth "/etc/squid/users.acl")?
> Or maybe get ntlm_auth from the samba source, not from squid?

You already are. --helper-protocol= is one of the command line
arguments of the Samba helper. The squid one has no arguments and does
not respond OK to Basic auth credentials.

Amos
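To show concretely what the "TT ..." line in the quoted helper session is (the challenge token Amos describes, not the verdict on the login), here is an added example, not part of the thread, that decodes that exact base64 token as an NTLM CHALLENGE_MESSAGE per MS-NLMP. The field layout and the flag names are from the public NTLM specification; the token value is the one quoted above.

```python
import base64
import struct

# Challenge token quoted in the thread above (the helper's "TT ..." reply to "YR").
TT_TOKEN = "TlRMTVNTUAACAAAAAAAAADAAAAACAgAA7TEzPz/FpREAAAAAAAAAAAAAAAAwAAAA"

# A few NegotiateFlags bits from MS-NLMP, enough to name what this token carries.
FLAG_NAMES = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
}

def parse_challenge(token_b64):
    """Decode an NTLM CHALLENGE_MESSAGE (type 2) such as the helper emits at the TT step."""
    raw = base64.b64decode(token_b64)
    if raw[:8] != b"NTLMSSP\0":
        raise ValueError("not an NTLMSSP message")
    msg_type, = struct.unpack_from("<I", raw, 8)
    if msg_type != 2:
        raise ValueError("expected CHALLENGE_MESSAGE (type 2), got type %d" % msg_type)
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", raw, 12)   # TargetNameFields
    flags, = struct.unpack_from("<I", raw, 20)                      # NegotiateFlags
    server_challenge = raw[24:32]                                   # 8-byte nonce
    # Bytes 32-39 are reserved; TargetInfoFields follow only in the 48-byte-or-longer form.
    target_info = b""
    if len(raw) >= 48:
        ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", raw, 40)
        target_info = raw[ti_off:ti_off + ti_len]
    name = raw[tn_off:tn_off + tn_len]
    # OEM flag means the target name is an 8-bit string; otherwise it is UTF-16LE.
    target_name = name.decode("ascii" if flags & 0x2 else "utf-16-le", "replace")
    return {
        "type": msg_type,
        "flags": flags,
        "flag_names": [n for b, n in sorted(FLAG_NAMES.items()) if flags & b],
        "server_challenge": server_challenge.hex(),
        "target_name": target_name,
        "target_info_len": len(target_info),
    }

if __name__ == "__main__":
    for key, value in parse_challenge(TT_TOKEN).items():
        print("%-17s %s" % (key, value))
```

The decoded token carries only the 8-byte server challenge and the OEM+NTLM flags, with empty TargetName and TargetInfo, which is consistent with the helper doing nothing but issuing a nonce at this step; the KK step is where the client's response to that nonce is checked.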
Received on Fri Feb 10 2012 - 02:42:43 MST