Re: [squid-users] Fwd: NTLM auth fails, Authentication pop-up keeps showing up but also fails

From: <miguelmclara_at_gmail.com>
Date: Sun, 15 Jul 2012 10:15:09 +0000


I already have Samba and winbind set up; I just need to change the Squid conf for Kerberos, but that's not the hard part. I have a working setup on CentOS, and the Squid config is pretty much the same.


But I would still like to find out why NTLM isn't working for these clients. It could be useful if someone ends up with the same problem. I was confident the reg key was the problem, to be honest.

Thanks for the reply Amos

-----Original Message-----
From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 15 Jul 2012 21:38:13
To: <squid-users_at_squid-cache.org>
Subject: Re: [squid-users] Fwd: NTLM auth fails, Authentication pop-up keeps
 showing up but also fails
On 15/07/2012 9:13 p.m., Mike wrote:
> Hi all,
>
> As the subject says, I'm having problems with NTLM for *some* users.
>
> At first I thought this was related to a problem in some Windows 7 laptops
> that don't have the reg key:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa - DWORD
> LmCompatibilityLevel -> set to 1 to use LM NTLM and NTLMv2.
>
> The key was missing in the 2 laptops giving me the problem, but adding
> it and rebooting didn't solve the problem
>
> In general all works, most users don't complain, and indeed the ones with the problem were missing this key in the registry.
> When the user opens IE/site (ntlm auth) I see this on cache.log:
>
> NTLMSSP challenge
> 2012/07/13 11:23:11.043| ConnStateData::swanSong: FD 33
> Got 'YR
> TlRMTVNTUAADAAAAGAAYAJQAAAAYABgArAAAAAoACgBYAAAAGgAaAGIAAAAYABgAfAAAAAAAAADEAAAABYKIogYBsR0AAAAPHKcl6C2DGcPhZg1gFNMQqUMAQQBMAEUATQBDAGEAcgBsAGEAQwBhAHIAdgBhAGwAaABvAFcARABMAEgAUAA2ADMAMABOAEwAMAAyAJ3X1msrdlsCAAAAAAAAAAAAAAAAAAAAAL0k3O/g5/bRhTcU9HDH3PpqgbCc4abP4w=='
> from squid (length: 267).
> got NTLMSSP packet:
> got NTLMSSP command 3, expected 1
> NTLMSSP NT_STATUS_INVALID_PARAMETER
> 2012/07/13 11:23:11.256| ConnStateData::swanSong: FD 33

Client is sending a Kerberos ticket ("command 3") to Squid ....

Kerberos is the default authentication system for Windows 7 and later.
NTLM was deprecated in Vista.

> This is when I send the "basic auth"
> Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from
> squid (length: 59).
> got NTLMSSP packet:
> Got NTLMSSP neg_flags=0xa2088207
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_NEGOTIATE_OEM
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_NTLM2

Client is sending a NTLMv2 response to Squid.

> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_56
> NTLMSSP challenge
> 2012/07/13 11:23:33.226| ConnStateData::swanSong: FD 13
> Got 'YR
> TlRMTVNTUAADAAAAGAAYAJQAAAAYABgArAAAAAoACgBYAAAAGgAaAGIAAAAYABgAfAAAAAAAAADEAAAABYKIogYBsR0AAAAP0dxfDL0xcw63QgT5XihRs0MAQQBMAEUATQBDAGEAcgBsAGEAQwBhAHIAdgBhAGwAaABvAFcARABMAEgAUAA2ADMAMABOAEwAMAAyAHncwjOdiQMNAAAAAAAAAAAAAAAAAAAAAGh+wPIBTsJQcYCTWvqvSQWmEPgrgyxOnw=='
> from squid (length: 267).
> got NTLMSSP packet:
> got NTLMSSP command 3, expected 1
> NTLMSSP NT_STATUS_INVALID_PARAMETER
> 2012/07/13 11:23:39.436| ConnStateData::swanSong: FD 13
> 2012/07/13 11:23:40.451| ConnStateData::swanSong: FD 13
>
> More info about my setup:
>
> squid -v
> Squid Cache: Version 3.1.19
> configure options: '--sysconfdir=/usr/pkg/etc/squid'
> '--localstatedir=/var/squid' '--datarootdir=/usr/pkg/share/squid'
> '--enable-auth=basic,digest,ntlm' '--enable-cachemgr-hostname=localhost'
> '--enable-delay-pools' '--enable-icmp'
> '--enable-removal-policies=lru,heap' '--enable-poll'
> '--enable-storeio=ufs diskd' '--with-aio'
> '--disable-strict-error-checking' '--enable-icap-client'
> '--with-default-user=squid' '--with-pidfile=/var/run/squid.pid'
> '--enable-ipf-transparent' '--enable-carp' '--enable-snmp'
> '--enable-ssl' '--with-openssl=/usr'
> '--enable-basic-auth-helpers=getpwnam MSNT NCSA YP PAM'
> '--enable-digest-auth-helpers=password'
> '--enable-ntlm-auth-helpers=fakeauth'
> '--enable-external-acl-helpers=ip_user unix_group' '--prefix=/usr/pkg'
> '--build=x86_64--netbsd' '--host=x86_64--netbsd' '--mandir=/usr/pkg/man'
> 'build_alias=x86_64--netbsd' 'host_alias=x86_64--netbsd' 'CC=gcc'
> 'CFLAGS=-O2 -I/usr/include' 'LDFLAGS=-L/usr/lib -Wl,-R/usr/lib
> -Wl,-R/usr/pkg/lib' 'LIBS=' 'CPPFLAGS=-I/usr/include' 'CXX=c++'
> 'CXXFLAGS=-O2 -I/usr/include'
> --with-squid=/scratch/www/squid31/work/squid-3.1.19
> --enable-ltdl-convenience
>
> Samba Version 3.6.5
>
> OS: netbsd-6, samba and squid installed from pkgsrc
>
>
> At this moment I'm not sure if I missed something installing Squid/Samba or if it's indeed a problem with this particular Windows client.
>
> Thanks
>
>
> Note: I do not have Kerberos auth set up, because this is no easy task
> on NetBSD. I still need to research this.

Time to start. :)

NetBSD apparently ships with a system implementation:
http://www.netbsd.org/docs/network/#kerberos

Samba, Winbind, and a few other FOSS tools also support Kerberos management.

Amos
Received on Sun Jul 15 2012 - 10:15:27 MDT
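
The "got NTLMSSP command N, expected M" lines in the quoted log refer to the message-type field in the header of each base64 token passed to the helper. The following triage script is an added example, not part of the original thread or of Squid or Samba code: it reads helper request lines and reports the token kind, message type, flag names and whether the type fits the Squid helper keyword (`YR` for the initial negotiate, `KK` for the authenticate step). The names `inspect_helper_line` and `make_line` are hypothetical and the sample lines are constructed.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"
EXPECTED = {"YR": 1, "KK": 3}         # helper keyword -> NTLMSSP type it should carry
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}  # byte offset of NegotiateFlags per message type
FLAG_NAMES = {  # the bits listed in the helper debug output, minus the NTLMSSP_ prefix
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN", 0x00080000: "NEGOTIATE_NTLM2",
    0x02000000: "NEGOTIATE_VERSION", 0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}

def inspect_helper_line(line):
    keyword, _, token = line.strip().partition(" ")
    out = {"keyword": keyword, "kind": "unknown", "msg_type": None,
           "flags": [], "matches_keyword": None}
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        out["kind"] = "invalid-base64"
        return out
    if raw[:1] == b"\x60":  # ASN.1 APPLICATION 0 tag: GSS-API/SPNEGO token
        out["kind"] = "gssapi-spnego"
        return out
    if len(raw) < 12 or not raw.startswith(SIG):
        return out
    msg_type = struct.unpack_from("<I", raw, 8)[0]  # little-endian type field
    out.update(kind="ntlmssp", msg_type=msg_type)
    off = FLAGS_OFFSET.get(msg_type)
    if off is not None and len(raw) >= off + 4:
        value = struct.unpack_from("<I", raw, off)[0]
        out["flags"] = [name for bit, name in FLAG_NAMES.items() if value & bit]
    if keyword in EXPECTED:
        out["matches_keyword"] = EXPECTED[keyword] == msg_type
    return out

def make_line(keyword, msg_type, flags):
    # Constructed sample: NTLMSSP header, zeroed field descriptors, then flags.
    body = bytearray(FLAGS_OFFSET[msg_type] + 4)
    body[:8] = SIG
    struct.pack_into("<I", body, 8, msg_type)
    struct.pack_into("<I", body, FLAGS_OFFSET[msg_type], flags)
    return keyword + " " + base64.b64encode(bytes(body)).decode()

if __name__ == "__main__":
    for sample in (make_line("YR", 1, 0xA2088207), make_line("YR", 3, 0xA2088207)):
        print(inspect_helper_line(sample))
```

A result with `matches_keyword` set to `False` corresponds to the "command 3, expected 1" condition in the log: a type 3 token arriving where the helper expects a type 1.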
