Re: [squid-users] NTLM not working

From: Harry Mills <harry_at_mad-cat.co.uk>
Date: Wed, 11 Apr 2012 20:39:13 +0100

On 11/04/2012 19:52, Wladner Klimach wrote:
> Here is what I got from wbinfo:
>
> wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> And I can list all the groups with wbinfo -g.
>
> Here is ntlm_auth run:
>
> /usr/bin/ntlm_auth --username=P_7501
> password:
> NT_STATUS_OK: Success (0x0)

That looks like you have all the winbind-related bits working!

> Look what I've got from cache.log with debug_options 29,9 activated:
>
> 2012/04/11 15:46:49.629| authenticateValidateUser: Validating
> Auth_user request '0'.
> 2012/04/11 15:46:49.629| authenticateValidateUser: Auth_user_request was NULL!
> 2012/04/11 15:46:49.629| authenticateAuthenticate: broken auth or no
> proxy_auth header. Requesting auth header.
> 2012/04/11 15:46:49.629| authenticateFixHeader: headertype:38 authuser:0
> 2012/04/11 15:46:49.629| basic/auth_basic.cc(217) fixHeader: Sending
> type:38 header: 'Basic realm="Squid proxy-caching web server"'
> 2012/04/11 15:46:49.629| authenticateFixHeader: Configured scheme ntlm
> not Active
>
> Looks like ntlm is not an option to squid. Could it be the lack of the
> compilation option --with-winbind-auth-challenge??

That does look like squid may not have the right compile-time options. I
am afraid that isn't an area I am overly-familiar with, but I think
there are quite a few options you need to configure. The options we use
(which I think are relevant) are:

--enable-auth="basic,digest,ntlm,negotiate"

--enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth"

--enable-ntlm-auth-helpers="smb_lm,no_check,fakeauth"

--enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group"

As I say, it's not really my area, but it would be worth checking that
you have similar options. --with-winbind-auth-challenge isn't used in my
setup.

Harry

> 2012/4/11 Harry Mills <harry_at_mad-cat.co.uk>:
>> On 11/04/2012 17:56, Wladner Klimach wrote:
>>>
>>> Hi people,
>>>
>>> I'm having a problem implementing NTLM on my squid box. I've
>>> followed the documentation guides, but for some unknown reason it
>>> still isn't working. Here is my squid.conf (authentication portion only):
>>>
>>>
>>> auth_param negotiate program
>>> /squid-3.2.0.16/helpers/negotiate_auth/wrapper/negotiate_wrapper_auth
>>> -d --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>>> --kerberos
>>> /usr/src/redhat/BUILD/squid-3.1.18/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth
>>> -s HTTP/grazina2.redecamara.camara.gov.br
>>> auth_param negotiate children 30 startup=10 idle=10
>>> auth_param negotiate keep_alive on
>>>
>>>
>>> As you can see I'm using the wrapper helper offered by squid-3.2, but
>>> my squid box is the squid-3.1. The Kerberos scheme works just fine. So
>>> how can I debug it? I really need NTLM too in order to authenticate
>>> users that access some old sites that don't handle kerberos. I really
>>> hope you guys can help me overcome this issue.
>>>
>>> Regards,
>>>
>>> Wladner
>>
>>
>> Hi Wladner,
>>
>> It may be useful to get the plain ntlm auth helper working on its own first.
>> Once that is working, you can then re-enable the negotiate wrapper.
>>
>> I am not sure how much of the NTLM auth tests you have done. Have you tested
>> that winbind is running and communicating with the domain? You can test that
>> the basics are in place with wbinfo -t to check the shared secret, or wbinfo
>> -u which should return a list of all your domain users.
>>
>> What happens if you run ntlm auth directly:
>>
>> ntlm_auth --username=<your username>
>>
>> Is there anything in your debug log which might give a little more
>> information about what isn't working?
>>
>> Regards,
>>
>> Harry
Received on Wed Apr 11 2012 - 19:37:16 MDT
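
The compile-time check suggested in this message can be scripted against the "configure options:" line that `squid -v` prints. The script below is an added example, not part of the original thread or of Squid. It assumes the `--enable-auth="..."` option spelling quoted in the message; the `SQUID_INFO` variable and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the auth schemes named in --enable-auth= within
# `squid -v` output, and report which required schemes are absent.

# Constructed samples of `squid -v` output (not from the thread's server).
SAMPLE_BASIC_ONLY="Squid Cache: Version 3.1.18
configure options:  '--prefix=/usr' '--enable-auth=basic' '--enable-basic-auth-helpers=LDAP,NCSA'"
SAMPLE_FULL="Squid Cache: Version 3.1.18
configure options:  '--prefix=/usr' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth'"

# compiled_schemes TEXT -> prints the comma-separated --enable-auth value.
# Prints nothing if the option is absent (the build then used its defaults,
# which this script does not try to guess).
compiled_schemes() {
    printf '%s\n' "$1" | tr ' ' '\n' | tr -d "'\"" |
        sed -n 's/^--enable-auth=//p' | head -n 1
}

# has_scheme TEXT SCHEME -> exit status 0 if SCHEME is in the list.
has_scheme() {
    case ",$(compiled_schemes "$1")," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_schemes TEXT SCHEME... -> prints the absent schemes, space-separated.
missing_schemes() {
    text=$1; shift
    out=""
    for s in "$@"; do
        has_scheme "$text" "$s" || out="${out:+$out }$s"
    done
    printf '%s' "$out"
}

# On a real proxy: SQUID_INFO="$(squid -v)" sh this_script.sh
# Without SQUID_INFO (hypothetical variable name) the constructed sample is used.
info=${SQUID_INFO:-$SAMPLE_BASIC_ONLY}
echo "compiled schemes: $(compiled_schemes "$info")"
echo "missing for NTLM + Negotiate: $(missing_schemes "$info" ntlm negotiate)"
```

A scheme reported as missing here cannot be enabled from squid.conf alone; the binary has to be rebuilt with that scheme in the `--enable-auth` list.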
