[squid-users] Squid 3.1.19 and NTLM ? from Noc Phibee Telecom on 2012-12-23 (squid-users)

From: Noc Phibee Telecom <noc_at_phibee-telecom.net>
Date: Sun, 23 Dec 2012 09:43:49 +0100

we have updated our Squid Proxy to the version 3.1.19 and we have a
problems:

All times, the NTLM or Basic authentification faild.

My config:

auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 50
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type AD_Group children=15 concurrency=25 ttl=3600
negative_ttl=900 %LOGIN /usr/lib64/squid/wbinfo_group.pl

wbinfo -t is Ok

[root_at_gw squid-ntlm]# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
mylogin mypass
OK

[root_at_gw squid-ntlm]# sudo -u squid /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
ophelys Sodiaal123
OK

The same config work on 3.1.4

Compil:ersion:
[root_at_gw squid-ntlm]# /usr/sbin/squid -v
Squid Cache: Version 3.1.19
configure options: '--build=x86_64-mandriva-linux-gnu' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc/squid' '--datadir=/usr/share/squid'
'--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--sharedstatedir=/usr/com' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--x-includes=/usr/include'
'--x-libraries=/usr/lib64' '--disable-strict-error-checking'
'--enable-shared=yes' '--enable-static=no' '--enable-xmalloc-statistics'
'--enable-carp' '--enable-async-io' '--enable-storeio=aufs,diskd,ufs'
'--enable-removal-policies=heap,lru' '--enable-icmp'
'--enable-delay-pools' '--disable-esi' '--enable-icap-client'
'--enable-ecap' '--enable-useragent-log' '--enable-referer-log'
'--enable-wccp' '--enable-wccpv2' '--disable-kill-parent-hack'
'--enable-snmp' '--enable-cachemgr-hostname=localhost'
'--enable-arp-acl' '--enable-htcp' '--enable-ssl' '--enable-forw-via-db'
'--enable-follow-x-forwarded-for' '--enable-cache-digests'
'--disable-poll' '--enable-epoll' '--enable-linux-netfilter'
'--disable-ident-lookups' '--enable-default-hostsfile=/etc/hosts'
'--enable-auth=basic,digest,negotiate,ntlm'
'--enable-basic-auth-helpers=getpwnam,LDAP,MSNT,multi-domain-NTLM,NCSA,PAM,SMB,YP,SASL,POP3,DB,squid_radius_auth'
'--enable-ntlm-auth-helpers=fakeauth,no_check,smb_lm'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-digest-auth-helpers=password,ldap,eDirectory'
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
'--with-default-user=squid' '--with-pthreads' '--with-dl'
'--with-openssl=/usr' '--with-large-files'
'--with-build-environment=default' '--enable-mit=/usr'
'--with-logdir=/var/log/squid' '--enable-http-violations'
'--enable-zph-qos' '--with-filedescriptors=8192'
'build_alias=x86_64-mandriva-linux-gnu' 'CFLAGS=-O2 -g
-frecord-gcc-switches -Wstrict-aliasing=2 -pipe -Wformat
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector
--param=ssp-buffer-size=4 -fstack-protector-all -fPIC
-I/usr/include/db51 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64'
'LDFLAGS= -Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro -Wl,-O1
-Wl,--build-id -Wl,--enable-new-dtags' 'CPPFLAGS=-I/usr/include/openssl
-I/usr/include/db51 -O2 -g -frecord-gcc-switches -Wstrict-aliasing=2
-pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
-fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fPIC
' 'CXXFLAGS=-O2 -g -frecord-gcc-switches -Wstrict-aliasing=2 -pipe
-Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
-fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fPIC
-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64'
--with-squid=/root/rpmbuild/BUILD/squid-3.1.19

Old version:
[root_at_gw /]# /usr/sbin/squid -v
Squid Cache: Version 3.1.4
configure options: '--build=i586-mandriva-linux-gnu' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc/squid' '--datadir=/usr/share/squid'
'--includedir=/usr/include' '--libdir=/usr/lib'
'--libexecdir=/usr/lib/squid' '--localstatedir=/var'
'--sharedstatedir=/usr/com' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--x-includes=/usr/include'
'--x-libraries=/usr/lib' '--enable-shared=yes' '--enable-static=no'
'--enable-xmalloc-statistics' '--enable-carp' '--enable-async-io'
'--enable-storeio=aufs,diskd,ufs' '--enable-removal-policies=heap,lru'
'--enable-icmp' '--enable-delay-pools' '--disable-esi'
'--enable-icap-client' '--enable-ecap' '--enable-useragent-log'
'--enable-referer-log' '--enable-wccp' '--enable-wccpv2'
'--disable-kill-parent-hack' '--enable-snmp'
'--enable-cachemgr-hostname=localhost' '--enable-arp-acl'
'--enable-htcp' '--enable-ssl' '--enable-forw-via-db'
'--enable-follow-x-forwarded-for' '--enable-cache-digests'
'--disable-poll' '--enable-epoll' '--enable-linux-netfilter'
'--disable-ident-lookups' '--enable-default-hostsfile=/etc/hosts'
'--enable-auth=basic,digest,negotiate,ntlm'
'--enable-basic-auth-helpers=getpwnam,LDAP,MSNT,multi-domain-NTLM,NCSA,PAM,SMB,YP,SASL,POP3,DB,squid_radius_auth'
'--enable-ntlm-auth-helpers=fakeauth,no_check,smb_lm'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-digest-auth-helpers=password,ldap,eDirectory'
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
'--with-default-user=squid' '--with-pthreads' '--with-dl'
'--with-openssl=/usr' '--with-large-files'
'--with-build-environment=default' '--enable-mit=/usr'
'--with-logdir=/var/log/squid' '--enable-http-violations'
'--enable-zph-qos' '--with-filedescriptors=8192'
'build_alias=i586-mandriva-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wformat
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector
--param=ssp-buffer-size=4 -fstack-protector-all -fomit-frame-pointer
-march=i586 -mtune=generic -fasynchronous-unwind-tables
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64' 'LDFLAGS= -Wl,--as-needed
-Wl,--no-undefined -Wl,-z,relro -Wl,-O1 -Wl,--build-id'
'CPPFLAGS=-I/usr/include/openssl ' 'CXXFLAGS=-O2 -g -pipe -Wformat
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector
--param=ssp-buffer-size=4 -fstack-protector-all -fomit-frame-pointer
-march=i586 -mtune=generic -fasynchronous-unwind-tables
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
--with-squid=/home/qateam/rpm/BUILD/squid-3.1.4 --enable-ltdl-convenience
[root_at_gw /]#

Into logs of Winbind, we have:
[2012/12/23 09:17:42.125070, 2]
winbindd/winbindd_pam.c:1781(winbindd_dual_pam_auth)
   Plain-text authentication for user NTDOMAIN/none returned
NT_STATUS_NO_SUCH_USER (PAM: 10)
[2012/12/23 09:17:42.224588, 2]
winbindd/winbindd_pam.c:1781(winbindd_dual_pam_auth)
   Plain-text authentication for user NTDOMAIN/none returned
NT_STATUS_NO_SUCH_USER (PAM: 10)
[2012/12/23 09:17:42.239454, 2]
winbindd/winbindd_pam.c:2099(winbindd_dual_pam_auth_crap)
   NTLM CRAP authentication for user [U17330]\[timecard] returned
NT_STATUS_NO_SUCH_USER (PAM: 10)
[2012/12/23 09:18:40.586285, 2]
libsmb/cliconnect.c:795(cli_session_setup_kerberos)
   Doing kerberos session setup

Anyone have a idea ?

Thanks
Jerome
Received on Sun Dec 23 2012 - 08:43:54 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 26 2012 - 12:00:04 MST