Re: [squid-users] Authentication problems with NTLM from Amos Jeffries on 2012-07-06 (squid-users)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 07 Jul 2012 01:08:19 +1200

On 6/07/2012 11:42 p.m., Bruno Santos wrote:
> Hi !
>
>
> I've configure squid 3.1.10-1 (latest available for CentOS 6.2) with NTLM authentication, but squid keeps asking for username and password. And sometimes more than once...
>
>
> Users are authenticated in the domain, using IE6/7/9, but squid keeps asking for username/password.
>
>
> Those with other browsers and Linux it's normal, but in windows no. I don't know if Firefox in windows is supposed to ask for password or not, but it asks.

For machines logged into the domain being logged into a proxy which uses
the domain credentials - the browser should never ask. This is a strong
sign that the proxy is using different credentials than the ones used to
log into the machine, or is loosing them somehow..

>
>
> I have everything working with samba and winbind.
>
>
> Samba recognizes the user and winbind too.
>
>
> Wbinfo authentication:
>
>
>
> wbinfo -a teste%12345
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
>
> Squid ntlm_auth also is working ok
>
>
>
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> teste 12345
> OK

How much delay is the next thing to look for: I suspect 0.2sec?

>
> I notice something in the logs that are also a lots of TCP_DENIED before TCP_MISS (and squid din't ask for password)
> An example of access a website:
>
>
>
> 111.111.11.11 TCP_DENIED/407 4758 GET http://www.venezuelatuya.com/tour/minitour.JPG - NONE/- text/html
> 1341573268.467 8 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minioccidente.jpg - NONE/- text/html
> 1341573268.469 9 111.111.11.11 TCP_DENIED/407 4766 GET http://www.venezuelatuya.com/tour/minicentro.jpg - NONE/- text/html
> 1341573268.472 11 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minilosroques.jpg - NONE/- text/html
> 1341573268.472 11 111.111.11.11 TCP_DENIED/407 4774 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg - NONE/- text/html
> 1341573268.474 10 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minicaracas.jpg - NONE/- text/html
> 1341573268.474 10 111.111.11.11 TCP_DENIED/407 4762 GET http://www.venezuelatuya.com/tour/miniandes.jpg - NONE/- text/html
> 1341573268.474 10 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minimargarita.jpg - NONE/- text/html
> 1341573268.549 275 111.111.11.11 TCP_MISS/200 2186 GET http://www.venezuelatuya.com/scripts/mapapaginaprincipal.js teste DIRECT/207.58.139.197 applicat
> ion/javascript
> 1341573268.576 139 111.111.11.11 TCP_MISS/200 444 GET http://www.venezuelatuya.com/principal.css teste DIRECT/207.58.139.197 text/css

This appears to be normal.
* Over the course of 7ms the client delivers 8 requests.
* squid responds with auth-needed challenge as required by NTLM to
each of these.

This might be connections opened in parallel, or requests pipelined at
once before the first response comes back. 8 is a suspicious number,
that is the default browser config value for maximum number of
connections to open for any one website. I highly suspect this is 8 new
connections being opened and performing NTLM handshake.

50ms later there are more denies. Which looks like the connections
earlier authenticated (partially?) got closed and new ones needed
authenticating.

> 1341573268.602 1 111.111.11.11 TCP_DENIED/407 4467 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
> 1341573268.606 1 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
> 1341573268.608 1 111.111.11.11 TCP_DENIED/407 4907 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
> 1341573268.617 1 111.111.11.11 TCP_DENIED/407 5186 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
> 1341573268.699 399 111.111.11.11 TCP_MISS/200 3817 GET http://www.venezuelatuya.com/scripts/barrabusqueda.js teste DIRECT/207.58.139.197 application/ja
> vascript

About 200ms after the earlier bunch of DENIED/407 responses an identical
bunch pass through successfully. Exactly like the auth challenge was
being responded to with correct credentials.

> 1341573268.741 272 111.111.11.11 TCP_MISS/200 2801 GET http://www.venezuelatuya.com/tour/minioccidente.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.745 137 111.111.11.11 TCP_MISS/200 3520 GET http://www.venezuelatuya.com/tour/minioriente.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.753 274 111.111.11.11 TCP_MISS/200 2062 GET http://www.venezuelatuya.com/tour/minilosroques.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.755 276 111.111.11.11 TCP_MISS/200 2725 GET http://www.venezuelatuya.com/tour/miniandes.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.867 400 111.111.11.11 TCP_MISS/200 4137 GET http://www.venezuelatuya.com/tour/minitour.JPG teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.869 396 111.111.11.11 TCP_MISS/200 3447 GET http://www.venezuelatuya.com/tour/minicentro.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.877 400 111.111.11.11 TCP_MISS/200 3310 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.880 403 111.111.11.11 TCP_MISS/200 3829 GET http://www.venezuelatuya.com/tour/minimargarita.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.882 404 111.111.11.11 TCP_MISS/200 3452 GET http://www.venezuelatuya.com/tour/minicaracas.jpg teste DIRECT/207.58.139.197 image/jpeg
>

You can test this theory by grabbing a TCP packet trace of the HTTP
requests and responses between Squid and client.

> -------------------------------------------------------------
>
>
>
>
> and my krb5.conf
It would seem not relevant. You did not configure Negotiate/Kerberos in
squid.conf.
However, there is a strange lack of 407. NTLM specifies two DENIED/407
challenges for token exchange before anything is accepted (MISS/200).
Kerberos on the other hand responds to the first 407 with a
pre-calculated key (keytab entry) which skips straight to the MISS/200.

>
> Any clue why it's happening ?
>
>
> squid is also a member of group wbpriv
>
>
>
> id squid
> uid=23(squid) gid=23(squid) groups=88(wbpriv),23(squid)
>
>
>
>
> I also have dansguardian listening in port 8080.

Some other possibilities are:

Is DG rejecting NTLM auth responses and only working when Basic are
provided? or is DG doing part of the NTLM exchange itself (ie
advertising NTLM can be used), which leaves Squid with only two
request/response actions to complete the NTLM setup?

Amos
Received on Fri Jul 06 2012 - 13:08:32 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 06 2012 - 12:00:01 MDT