Hi !
Thanks for the reply Amos !
For some reason, i get the squid mailing list emails with a delay...
While i wasn't getting any response (thank you for your response) i dig a bit myself and i found in the squid wiki a page about CentOS 5.5 (i'm using 6.2 but is different than the page about CentOS)
http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5
some notes about ntlm authentication.
I didn't need samba or nmb running, so i shutdown those services and kept winbind running.
Removed the basic authentication from squid.conf (i've already tried in Firefox 3 and Firefox 2 in a Ubuntu 7.10 - The oldest Linux i'm running around here) and the authentication page appears, the user types it's credentials and everything is fine.
I've also changed a line in my squid.conf :
From:
http_access allow ntlmAuth
to:
http_access allow HomeNetworks ntlmAuth
and it just start working - no authentication in windows...
Thank you all !
----- Original Message -----
From: "Amos Jeffries" <squid3_at_treenet.co.nz>
To: squid-users_at_squid-cache.org
Sent: Friday, 6 July, 2012 2:08:19 PM
Subject: Re: [squid-users] Authentication problems with NTLM
On 6/07/2012 11:42 p.m., Bruno Santos wrote:
> Hi !
>
>
> I've configure squid 3.1.10-1 (latest available for CentOS 6.2) with NTLM authentication, but squid keeps asking for username and password. And sometimes more than once...
>
>
> Users are authenticated in the domain, using IE6/7/9, but squid keeps asking for username/password.
>
>
> Those with other browsers and Linux it's normal, but in windows no. I don't know if Firefox in windows is supposed to ask for password or not, but it asks.
For machines logged into the domain being logged into a proxy which uses
the domain credentials - the browser should never ask. This is a strong
sign that the proxy is using different credentials than the ones used to
log into the machine, or is loosing them somehow..
>
>
> I have everything working with samba and winbind.
>
>
> Samba recognizes the user and winbind too.
>
>
> Wbinfo authentication:
>
>
>
> wbinfo -a teste%12345
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
>
> Squid ntlm_auth also is working ok
>
>
>
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> teste 12345
> OK
How much delay is the next thing to look for: I suspect 0.2sec?
>
> I notice something in the logs that are also a lots of TCP_DENIED before TCP_MISS (and squid din't ask for password)
> An example of access a website:
>
>
>
> 111.111.11.11 TCP_DENIED/407 4758 GET http://www.venezuelatuya.com/tour/minitour.JPG - NONE/- text/html
> 1341573268.467 8 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minioccidente.jpg - NONE/- text/html
> 1341573268.469 9 111.111.11.11 TCP_DENIED/407 4766 GET http://www.venezuelatuya.com/tour/minicentro.jpg - NONE/- text/html
> 1341573268.472 11 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minilosroques.jpg - NONE/- text/html
> 1341573268.472 11 111.111.11.11 TCP_DENIED/407 4774 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg - NONE/- text/html
> 1341573268.474 10 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minicaracas.jpg - NONE/- text/html
> 1341573268.474 10 111.111.11.11 TCP_DENIED/407 4762 GET http://www.venezuelatuya.com/tour/miniandes.jpg - NONE/- text/html
> 1341573268.474 10 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minimargarita.jpg - NONE/- text/html
> 1341573268.549 275 111.111.11.11 TCP_MISS/200 2186 GET http://www.venezuelatuya.com/scripts/mapapaginaprincipal.js teste DIRECT/207.58.139.197 applicat
> ion/javascript
> 1341573268.576 139 111.111.11.11 TCP_MISS/200 444 GET http://www.venezuelatuya.com/principal.css teste DIRECT/207.58.139.197 text/css
This appears to be normal.
* Over the course of 7ms the client delivers 8 requests.
* squid responds with auth-needed challenge as required by NTLM to
each of these.
This might be connections opened in parallel, or requests pipelined at
once before the first response comes back. 8 is a suspicious number,
that is the default browser config value for maximum number of
connections to open for any one website. I highly suspect this is 8 new
connections being opened and performing NTLM handshake.
50ms later there are more denies. Which looks like the connections
earlier authenticated (partially?) got closed and new ones needed
authenticating.
> 1341573268.602 1 111.111.11.11 TCP_DENIED/407 4467 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
> 1341573268.606 1 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
> 1341573268.608 1 111.111.11.11 TCP_DENIED/407 4907 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
> 1341573268.617 1 111.111.11.11 TCP_DENIED/407 5186 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
> 1341573268.699 399 111.111.11.11 TCP_MISS/200 3817 GET http://www.venezuelatuya.com/scripts/barrabusqueda.js teste DIRECT/207.58.139.197 application/ja
> vascript
About 200ms after the earlier bunch of DENIED/407 responses an identical
bunch pass through successfully. Exactly like the auth challenge was
being responded to with correct credentials.
> 1341573268.741 272 111.111.11.11 TCP_MISS/200 2801 GET http://www.venezuelatuya.com/tour/minioccidente.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.745 137 111.111.11.11 TCP_MISS/200 3520 GET http://www.venezuelatuya.com/tour/minioriente.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.753 274 111.111.11.11 TCP_MISS/200 2062 GET http://www.venezuelatuya.com/tour/minilosroques.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.755 276 111.111.11.11 TCP_MISS/200 2725 GET http://www.venezuelatuya.com/tour/miniandes.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.867 400 111.111.11.11 TCP_MISS/200 4137 GET http://www.venezuelatuya.com/tour/minitour.JPG teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.869 396 111.111.11.11 TCP_MISS/200 3447 GET http://www.venezuelatuya.com/tour/minicentro.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.877 400 111.111.11.11 TCP_MISS/200 3310 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.880 403 111.111.11.11 TCP_MISS/200 3829 GET http://www.venezuelatuya.com/tour/minimargarita.jpg teste DIRECT/207.58.139.197 image/jpeg
> 1341573268.882 404 111.111.11.11 TCP_MISS/200 3452 GET http://www.venezuelatuya.com/tour/minicaracas.jpg teste DIRECT/207.58.139.197 image/jpeg
>
You can test this theory by grabbing a TCP packet trace of the HTTP
requests and responses between Squid and client.
> -------------------------------------------------------------
>
>
>
>
> and my krb5.conf
It would seem not relevant. You did not configure Negotiate/Kerberos in
squid.conf.
However, there is a strange lack of 407. NTLM specifies two DENIED/407
challenges for token exchange before anything is accepted (MISS/200).
Kerberos on the other hand responds to the first 407 with a
pre-calculated key (keytab entry) which skips straight to the MISS/200.
>
> Any clue why it's happening ?
>
>
> squid is also a member of group wbpriv
>
>
>
> id squid
> uid=23(squid) gid=23(squid) groups=88(wbpriv),23(squid)
>
>
>
>
> I also have dansguardian listening in port 8080.
Some other possibilities are:
Is DG rejecting NTLM auth responses and only working when Basic are
provided? or is DG doing part of the NTLM exchange itself (ie
advertising NTLM can be used), which leaves Squid with only two
request/response actions to complete the NTLM setup?
Amos
-- Use Open Source Software Human knowledge belongs to the world Bruno Santos bvsantos_at_ulscb.min-saude.pt http://www.twitter.com/feiticeir0 Tel: +351 962 753 053 Divisão de Informática informatica_at_ulscb.min-saude.pt Tel: +351 272 000 155 Fax: +351 272 000 257 Unidade Local de Saúde de Castelo Branco, E.P.E. geral_at_ulscb.min-saude.pt Tel: +351 272 000 272 Fax: +351 272 000 257 Linux registered user #349448 LPIC-1 CertificationReceived on Fri Jul 06 2012 - 14:19:03 MDT
This archive was generated by hypermail 2.2.0 : Fri Jul 06 2012 - 12:00:01 MDT
