Fwd: [squid-users] NTLM not working

From: Wladner Klimach <wladner_at_gmail.com>
Date: Wed, 11 Apr 2012 19:16:58 -0300

On 11/04/2012 21:15, Wladner Klimach wrote:
>
> That's the options I pointed for authentication:
>
> '--enable-auth=basic,digest,ntlm,negotiate'
>  '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth'
> '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth'
>  '--enable-digest-auth-helpers=password,ldap,eDirectory'
>  '--enable-negotiate-auth-helpers=squid_kerb_auth'
>  '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
>
> What am I missing?

From a compilation perspective you don't appear to be missing
anything, but as I said I am not really familiar with that area -
perhaps someone else with more knowledge can confirm?

I presume the squid process has permissions to read from
winbindd_privileged (in /var/lib/samba/ on my setup). I would expect
to see other errors in your logs if there was a permission problem
though.

Have you tried just a plain ntlm_auth authenticator to see if that works?

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 3
auth_param ntlm keep_alive on

Can you post your entire squid.conf?

Harry

> 2012/4/11 Harry Mills <harry_at_mad-cat.co.uk>:
>>
>> On 11/04/2012 19:52, Wladner Klimach wrote:
>>>
>>>
>>> Here is what I got from wbinfo:
>>>
>>> wbinfo -t
>>> checking the trust secret via RPC calls succeeded
>>>
>>> And I can list all the groups with wbinfo -g.
>>>
>>> Here is ntlm_auth run:
>>>
>>> /usr/bin/ntlm_auth --username=P_7501
>>> password:
>>> NT_STATUS_OK: Success (0x0)
>>
>>
>>
>> That looks like you have all the winbind-related bits working!
>>
>>
>>> Look what I've got from cache.log with debug_options 29,9 activated:
>>>
>>> 2012/04/11 15:46:49.629| authenticateValidateUser: Validating
>>> Auth_user request '0'.
>>> 2012/04/11 15:46:49.629| authenticateValidateUser: Auth_user_request was
>>> NULL!
>>> 2012/04/11 15:46:49.629| authenticateAuthenticate: broken auth or no
>>> proxy_auth header. Requesting auth header.
>>> 2012/04/11 15:46:49.629| authenticateFixHeader: headertype:38 authuser:0
>>> 2012/04/11 15:46:49.629| basic/auth_basic.cc(217) fixHeader: Sending
>>> type:38 header: 'Basic realm="Squid proxy-caching web server"'
>>> 2012/04/11 15:46:49.629| authenticateFixHeader: Configured scheme ntlm
>>> not Active
>>>
>>> Looks like ntlm is not an option to squid. Could it be the lack of the
>>> compilation option --with-winbind-auth-challenge??
>>
>>
>>
>> That does look like squid may not have the right compile-time options. I am
>> afraid that isn't an area I am overly-familiar with, but I think there are
>> quite a few options you need to configure. The options we use (which I think
>> are relevant) are:
>>
>> --enable-auth="basic,digest,ntlm,negotiate"
>>
>> --enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth"
>>
>> --enable-ntlm-auth-helpers="smb_lm,no_check,fakeauth"
>>
>> --enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group"
>>
>> As I say, it's not really my area, but it would be worth checking that you
>> have similar options. --with-winbind-auth-challenge isn't used in my setup.
>>
>>
>> Harry
>>
>>
>>> 2012/4/11 Harry Mills <harry_at_mad-cat.co.uk>:
>>>>
>>>>
>>>> On 11/04/2012 17:56, Wladner Klimach wrote:
>>>>>
>>>>>
>>>>>
>>>>> Hi people,
>>>>>
>>>>> I'm having some problems implementing NTLM on my squid box. I've
>>>>> followed the documentation guides but for some unknown reason it still
>>>>> isn't working. Here is my squid.conf (authentication portion only):
>>>>>
>>>>>
>>>>> auth_param negotiate program
>>>>> /squid-3.2.0.16/helpers/negotiate_auth/wrapper/negotiate_wrapper_auth
>>>>> -d --ntlm /usr/bin/ntlm_auth  --helper-protocol=squid-2.5-ntlmssp
>>>>> --kerberos
>>>>>
>>>>> /usr/src/redhat/BUILD/squid-3.1.18/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth
>>>>>  -s HTTP/grazina2.redecamara.camara.gov.br
>>>>> auth_param negotiate children 30 startup=10 idle=10
>>>>> auth_param negotiate keep_alive on
>>>>>
>>>>>
>>>>> As you can see I'm using the wrapper helper offered by squid-3.2, but
>>>>> my squid box is the squid-3.1. The Kerberos scheme works just fine. So
>>>>> how can I debug it? I really need NTLM too in order to authenticate
>>>>> users that access some old sites that don't handle Kerberos. I really
>>>>> hope you guys can help me overcome this issue.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Wladner
>>>>
>>>>
>>>>
>>>>
>>>> Hi Wladner,
>>>>
>>>> It may be useful to get the plain ntlm auth helper working on its own
>>>> first. Once that is working, you can then re-enable the negotiate wrapper.
>>>>
>>>> I am not sure how much of the NTLM auth tests you have done. Have you
>>>> tested that winbind is running and communicating with the domain? You can
>>>> test that the basics are in place with wbinfo -t to check the shared
>>>> secret, or wbinfo -u which should return a list of all your domain users.
>>>>
>>>> What happens if you run ntlm auth directly:
>>>>
>>>> ntlm_auth  --username=<your username>
>>>>
>>>> Is there anything in your debug log which might give a little more
>>>> information about what isn't working?
>>>>
>>>> Regards,
>>>>
>>>> Harry
>>
>>
>>
Received on Wed Apr 11 2012 - 22:17:07 MDT
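
Added example, not part of the original thread: a shell check that lists which auth schemes in squid.conf have a program line and, for each scheme cache.log marks "not Active", reports whether that line is present. The sample config and log are constructed from the lines quoted above; the function names and the /path/to/ helper paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): compare squid.conf with cache.log.

# Schemes with an "auth_param <scheme> program ..." line. Commented-out lines
# are skipped because their first field is not "auth_param".
configured_schemes() {
    awk '$1 == "auth_param" && $3 == "program" { print $2 }' "$1" | sort -u
}

# Schemes that cache.log (debug_options 29,9) names in "... not Active" lines.
inactive_schemes() {
    sed -n 's/.*Configured scheme \([a-z]*\) not Active.*/\1/p' "$1" | sort -u
}

# One verdict line per inactive scheme.
diagnose() {
    conf=$1; log=$2
    for s in $(inactive_schemes "$log"); do
        if configured_schemes "$conf" | grep -qx "$s"; then
            echo "$s: program line present, scheme still inactive"
        else
            echo "$s: no 'auth_param $s program' line"
        fi
    done
}

# Constructed sample input; the helper paths are placeholders.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF=$SAMPLE_DIR/squid.conf
SAMPLE_LOG=$SAMPLE_DIR/cache.log
cat > "$SAMPLE_CONF" <<'EOF'
auth_param negotiate program /path/to/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /path/to/squid_kerb_auth
auth_param negotiate children 30 startup=10 idle=10
# auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 3
auth_param ntlm keep_alive on
EOF
cat > "$SAMPLE_LOG" <<'EOF'
2012/04/11 15:46:49.629| authenticateFixHeader: headertype:38 authuser:0
2012/04/11 15:46:49.629| authenticateFixHeader: Configured scheme ntlm not Active
EOF

diagnose "$SAMPLE_CONF" "$SAMPLE_LOG"
```
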

This archive was generated by hypermail 2.2.0 : Thu Apr 12 2012 - 12:00:03 MDT