[squid-users] Authentication problems with NTLM

From: Bruno Santos <bvsantos_at_ulscb.min-saude.pt>
Date: Fri, 06 Jul 2012 12:42:06 +0100 (WEST)

Hi !

I've configured squid 3.1.10-1 (latest available for CentOS 6.2) with NTLM authentication, but squid keeps asking for username and password. And sometimes more than once...

Users are authenticated in the domain, using IE6/7/9, but squid keeps asking for username/password.

For those with other browsers on Linux it's normal, but on Windows it isn't. I don't know if Firefox on Windows is supposed to ask for a password or not, but it asks.

I have everything working with samba and winbind.

Samba recognizes the user and winbind too.

Wbinfo authentication:

wbinfo -a teste%12345
plaintext password authentication succeeded
challenge/response password authentication succeeded

Squid's ntlm_auth is also working ok:

/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
teste 12345
OK

I noticed something in the logs: there are also a lot of TCP_DENIED before TCP_MISS (and squid didn't ask for a password).
An example of accessing a website:

111.111.11.11 TCP_DENIED/407 4758 GET http://www.venezuelatuya.com/tour/minitour.JPG - NONE/- text/html
1341573268.467 8 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minioccidente.jpg - NONE/- text/html
1341573268.469 9 111.111.11.11 TCP_DENIED/407 4766 GET http://www.venezuelatuya.com/tour/minicentro.jpg - NONE/- text/html
1341573268.472 11 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minilosroques.jpg - NONE/- text/html
1341573268.472 11 111.111.11.11 TCP_DENIED/407 4774 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minicaracas.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4762 GET http://www.venezuelatuya.com/tour/miniandes.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minimargarita.jpg - NONE/- text/html
1341573268.549 275 111.111.11.11 TCP_MISS/200 2186 GET http://www.venezuelatuya.com/scripts/mapapaginaprincipal.js teste DIRECT/207.58.139.197 application/javascript
1341573268.576 139 111.111.11.11 TCP_MISS/200 444 GET http://www.venezuelatuya.com/principal.css teste DIRECT/207.58.139.197 text/css
1341573268.602 1 111.111.11.11 TCP_DENIED/407 4467 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.606 1 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.608 1 111.111.11.11 TCP_DENIED/407 4907 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
1341573268.617 1 111.111.11.11 TCP_DENIED/407 5186 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
1341573268.699 399 111.111.11.11 TCP_MISS/200 3817 GET http://www.venezuelatuya.com/scripts/barrabusqueda.js teste DIRECT/207.58.139.197 application/javascript
1341573268.741 272 111.111.11.11 TCP_MISS/200 2801 GET http://www.venezuelatuya.com/tour/minioccidente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.745 137 111.111.11.11 TCP_MISS/200 3520 GET http://www.venezuelatuya.com/tour/minioriente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.753 274 111.111.11.11 TCP_MISS/200 2062 GET http://www.venezuelatuya.com/tour/minilosroques.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.755 276 111.111.11.11 TCP_MISS/200 2725 GET http://www.venezuelatuya.com/tour/miniandes.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.867 400 111.111.11.11 TCP_MISS/200 4137 GET http://www.venezuelatuya.com/tour/minitour.JPG teste DIRECT/207.58.139.197 image/jpeg
1341573268.869 396 111.111.11.11 TCP_MISS/200 3447 GET http://www.venezuelatuya.com/tour/minicentro.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.877 400 111.111.11.11 TCP_MISS/200 3310 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.880 403 111.111.11.11 TCP_MISS/200 3829 GET http://www.venezuelatuya.com/tour/minimargarita.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.882 404 111.111.11.11 TCP_MISS/200 3452 GET http://www.venezuelatuya.com/tour/minicaracas.jpg teste DIRECT/207.58.139.197 image/jpeg

Here is my samba config:
-------------------------------------------------------------

[global]

workgroup = <workgroup>
server string = Squid Server Version %v

netbios name = Dakota

hosts allow = 127. <list_of_ips_allowed>

log file = /var/log/samba/log.%m
max log size = 50

security = domain
realm = HAL.MIN-SAUDE.PT

password server = dc.domain.com dc1.domain.com
acl compatibility = win2k
unix extensions = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = yes

-------------------------------------------------------------

And here is my squid config:

-------------------------------------------------------------
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl HomeNetworks src "/etc/squid/Networks.squid"

acl OtherNetworks src "/etc/squid/OtherNetworks.squid"

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Por favor autentique-se!
auth_param basic credentialsttl 2 hours

acl ntlmAuth proxy_auth REQUIRED

acl SSL_ports port 443
acl SSL_ports port 631

acl CONNECT method CONNECT
acl POST method POST

acl AutorizedSites dstdomain "/etc/squid/AutorizedSitesGlobal.squid"

acl Nonet src "/etc/squid/Nonet.squid"

acl Bypass src "/etc/squid/Bypass.squid"

acl Deny dstdom_regex "/etc/squid/Deny.squid"

acl DenyUsers proxy_auth -i src "/etc/squid/DenyUsers.squid"

http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access deny !HomeNetworks
http_access allow localhost

http_access deny Nonet

http_access allow AutorizedSites

http_access allow Bypass

http_access deny DenyUsers

http_access allow OtherNetworks

http_access allow ntlmAuth

http_access deny all

http_port 127.0.0.1:3128

hierarchy_stoplist cgi-bin ?

follow_x_forwarded_for allow localhost

cache_dir aufs /cache 96000 16 256

cache_mem 1276 MB

maximum_object_size 4096 KB

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

maximum_object_size 4096 KB

access_log /var/log/squid/access.log squid

cache_mgr squid_at_domain.com

mail_from squid_at_domain.com

cache_effective_user squid

visible_hostname proxy.domain.com

error_directory /usr/share/squid/errors/pt-pt

dns_nameservers dnsip1 dnsip2

-------------------------------------------------------------

and my krb5.conf

-------------------------------------------------------------

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.COM
#default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
#default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des-cbc-md5; or des-cbc-crc
default_tkt_enctypes = des-cbc-md5; or des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
allow_weak_crypto = yes
#ticket_lifetime = 24h
ticket_lifetime = 24000
clock_skew = 300
renew_lifetime = 7d
forwardable = true

[realms]
DOMAIN.COM = {
kdc = dc1.domain.com:88
admin_server = dc1.domain.com:88
default_domain = domain.com
kdc = dc1
kdc = dc2
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
.kerberos.server = DOMAIN.COM

DOMAIN.COM = {
}

[kdc]
profile = /etc/krb5kdc/kdc.conf

-------------------------------------------------------------

Any clue why it's happening?

squid is also a member of the group wbpriv:

id squid
uid=23(squid) gid=23(squid) groups=88(wbpriv),23(squid)

I also have dansguardian listening on port 8080.

Thank you all !

-- 
	Use Open Source Software 
Human knowledge belongs to the world 
	Bruno Santos 
bvsantos_at_ulscb.min-saude.pt 
http://www.twitter.com/feiticeir0 
Tel: +351 962 753 053 
	Divisão de Informática 
informatica_at_ulscb.min-saude.pt 
Tel: +351 272 000 155 
Fax: +351 272 000 257 
	Unidade Local de Saúde de Castelo Branco, E.P.E. 
geral_at_ulscb.min-saude.pt 
Tel: +351 272 000 272 
Fax: +351 272 000 257 
	
Linux registered user #349448
	
LPIC-1 Certification
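To tell the normal NTLM handshake noise (a 407 or two per new connection, then a 200 carrying the username) apart from a genuine authentication failure in an access.log like the one above, here is an added Python check; it is not code from the original post and assumes Squid's default `squid` access_log format, and the log lines embedded in it are constructed.

```python
import re
from collections import defaultdict

# Squid "squid" access_log format: time elapsed client code/status bytes method URL user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)"
)

SAMPLE_LOG = [  # constructed sample in the poster's log format, not real traffic
    "1341573268.602 1 10.0.0.5 TCP_DENIED/407 4467 GET http://example.test/a.jpg - NONE/- text/html",
    "1341573268.606 1 10.0.0.5 TCP_DENIED/407 4770 GET http://example.test/a.jpg - NONE/- text/html",
    "1341573268.745 137 10.0.0.5 TCP_MISS/200 3520 GET http://example.test/a.jpg teste DIRECT/192.0.2.10 image/jpeg",
    "1341573268.474 10 10.0.0.5 TCP_DENIED/407 4762 GET http://example.test/b.jpg - NONE/- text/html",
    "1341573268.755 276 10.0.0.5 TCP_MISS/200 2725 GET http://example.test/b.jpg teste DIRECT/192.0.2.10 image/jpeg",
    "1341573270.100 1 10.0.0.5 TCP_DENIED/407 4467 GET http://example.test/c.js - NONE/- text/html",
    "1341573270.104 1 10.0.0.5 TCP_DENIED/407 4770 GET http://example.test/c.js - NONE/- text/html",
    "1341573275.300 2 10.0.0.5 TCP_DENIED/407 4770 GET http://example.test/c.js - NONE/- text/html",
    "1341573276.000 150 10.0.0.5 TCP_MISS/200 900 GET http://example.test/c.js teste DIRECT/192.0.2.10 application/javascript",
    "1341573280.000 1 10.0.0.5 TCP_DENIED/407 4467 GET http://example.test/d.png - NONE/- text/html",
]

def parse(line):
    """Log fields as a dict, or None if the line is not in squid format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def handshake_report(lines):
    """Map (client, url) -> (407s seen before the first authenticated reply, user or None).
    An NTLM handshake is two 407s (empty request, then Type 1 -> Type 2 challenge) before the
    200 on Type 3, or one if the browser sends Type 1 up front, so 1 or 2 is normal; more
    means the helper rejected the Type 3 and the browser started over (the password prompt)."""
    challenges = defaultdict(int)
    authed = {}
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        key = (r["client"], r["url"])
        if r["status"] == "407" and key not in authed:
            challenges[key] += 1
        elif r["user"] != "-":
            authed.setdefault(key, r["user"])
    return {k: (challenges[k], authed.get(k)) for k in set(challenges) | set(authed)}

def suspicious(report, max_challenges=2):
    """URLs that needed more than max_challenges 407s, or never got an authenticated reply."""
    return sorted(url for (_, url), (n, user) in report.items()
                  if n > max_challenges or user is None)
```

Run it over a real access.log with `handshake_report(open("/var/log/squid/access.log"))`; the threshold is a heuristic, so tune `max_challenges` for browsers that retry on their own.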
Received on Fri Jul 06 2012 - 11:42:23 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 06 2012 - 12:00:01 MDT