Re: [squid-users] Squid 3.1.19 and NTLM ?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 27 Dec 2012 23:28:25 +1300

On 27/12/2012 10:42 p.m., David Touzeau wrote:
>
> -----Original Message----- From: Noc Phibee Telecom
> Sent: Wednesday, December 26, 2012 10:08 AM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Squid 3.1.19 and NTLM ?
>
> Anyone have an answer?
>
> On 23/12/2012 09:43, Noc Phibee Telecom wrote:
>> Hi
>>
>> We have updated our Squid proxy to version 3.1.19 and we have a
>> problem:
>>
>> Every time, the NTLM or Basic authentication fails.
>>
>> My config:
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 50
>> auth_param ntlm keep_alive on
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 50
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> external_acl_type AD_Group children=15 concurrency=25 ttl=3600 negative_ttl=900 %LOGIN /usr/lib64/squid/wbinfo_group.pl
>>
>> wbinfo -t is Ok
>>
>> [root_at_gw squid-ntlm]# /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic
>> mylogin mypass
>> OK
>>
>> [root_at_gw squid-ntlm]# sudo -u squid /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic
>> ophelys Sodiaal123
>> OK
>>
>> The same config works on 3.1.4.
>>
>> Compiled version:
>> [root_at_gw squid-ntlm]# /usr/sbin/squid -v
>> Squid Cache: Version 3.1.19
>> configure options: '--build=x86_64-mandriva-linux-gnu'
>> '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/sbin'
>> '--sbindir=/usr/sbin' '--sysconfdir=/etc/squid'
>> '--datadir=/usr/share/squid' '--includedir=/usr/include'
>> '--libdir=/usr/lib64' '--libexecdir=/usr/lib64/squid'
>> '--localstatedir=/var' '--sharedstatedir=/usr/com'
>> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
>> '--x-includes=/usr/include' '--x-libraries=/usr/lib64'
>> '--disable-strict-error-checking' '--enable-shared=yes'
>> '--enable-static=no' '--enable-xmalloc-statistics' '--enable-carp'
>> '--enable-async-io' '--enable-storeio=aufs,diskd,ufs'
>> '--enable-removal-policies=heap,lru' '--enable-icmp'
>> '--enable-delay-pools' '--disable-esi' '--enable-icap-client'
>> '--enable-ecap' '--enable-useragent-log' '--enable-referer-log'
>> '--enable-wccp' '--enable-wccpv2' '--disable-kill-parent-hack'
>> '--enable-snmp' '--enable-cachemgr-hostname=localhost'
>> '--enable-arp-acl' '--enable-htcp' '--enable-ssl'
>> '--enable-forw-via-db' '--enable-follow-x-forwarded-for'
>> '--enable-cache-digests' '--disable-poll' '--enable-epoll'
>> '--enable-linux-netfilter' '--disable-ident-lookups'
>> '--enable-default-hostsfile=/etc/hosts'
>> '--enable-auth=basic,digest,negotiate,ntlm'
>> '--enable-basic-auth-helpers=getpwnam,LDAP,MSNT,multi-domain-NTLM,NCSA,PAM,SMB,YP,SASL,POP3,DB,squid_radius_auth'
>> '--enable-ntlm-auth-helpers=fakeauth,no_check,smb_lm'
>> '--enable-negotiate-auth-helpers=squid_kerb_auth'
>> '--enable-digest-auth-helpers=password,ldap,eDirectory'
>> '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
>> '--with-default-user=squid' '--with-pthreads' '--with-dl'
>> '--with-openssl=/usr' '--with-large-files'
>> '--with-build-environment=default' '--enable-mit=/usr'
>> '--with-logdir=/var/log/squid' '--enable-http-violations'
>> '--enable-zph-qos' '--with-filedescriptors=8192'
>> 'build_alias=x86_64-mandriva-linux-gnu' 'CFLAGS=-O2 -g
>> -frecord-gcc-switches -Wstrict-aliasing=2 -pipe -Wformat
>> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector
>> --param=ssp-buffer-size=4 -fstack-protector-all -fPIC
>> -I/usr/include/db51 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64'
>> 'LDFLAGS= -Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro -Wl,-O1
>> -Wl,--build-id -Wl,--enable-new-dtags'
>> 'CPPFLAGS=-I/usr/include/openssl -I/usr/include/db51 -O2 -g
>> -frecord-gcc-switches -Wstrict-aliasing=2 -pipe -Wformat
>> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector
>> --param=ssp-buffer-size=4 -fstack-protector-all -fPIC ' 'CXXFLAGS=-O2
>> -g -frecord-gcc-switches -Wstrict-aliasing=2 -pipe -Wformat
>> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector
>> --param=ssp-buffer-size=4 -fstack-protector-all -fPIC
>> -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64'
>> --with-squid=/root/rpmbuild/BUILD/squid-3.1.19
>>
>> Old version:
>> [root_at_gw /]# /usr/sbin/squid -v
>> Squid Cache: Version 3.1.4
>> configure options: '--build=i586-mandriva-linux-gnu' '--prefix=/usr'
>> '--exec-prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin'
>> '--sysconfdir=/etc/squid' '--datadir=/usr/share/squid'
>> '--includedir=/usr/include' '--libdir=/usr/lib'
>> '--libexecdir=/usr/lib/squid' '--localstatedir=/var'
>> '--sharedstatedir=/usr/com' '--mandir=/usr/share/man'
>> '--infodir=/usr/share/info' '--x-includes=/usr/include'
>> '--x-libraries=/usr/lib' '--enable-shared=yes' '--enable-static=no'
>> '--enable-xmalloc-statistics' '--enable-carp' '--enable-async-io'
>> '--enable-storeio=aufs,diskd,ufs'
>> '--enable-removal-policies=heap,lru' '--enable-icmp'
>> '--enable-delay-pools' '--disable-esi' '--enable-icap-client'
>> '--enable-ecap' '--enable-useragent-log' '--enable-referer-log'
>> '--enable-wccp' '--enable-wccpv2' '--disable-kill-parent-hack'
>> '--enable-snmp' '--enable-cachemgr-hostname=localhost'
>> '--enable-arp-acl' '--enable-htcp' '--enable-ssl'
>> '--enable-forw-via-db' '--enable-follow-x-forwarded-for'
>> '--enable-cache-digests' '--disable-poll' '--enable-epoll'
>> '--enable-linux-netfilter' '--disable-ident-lookups'
>> '--enable-default-hostsfile=/etc/hosts'
>> '--enable-auth=basic,digest,negotiate,ntlm'
>> '--enable-basic-auth-helpers=getpwnam,LDAP,MSNT,multi-domain-NTLM,NCSA,PAM,SMB,YP,SASL,POP3,DB,squid_radius_auth'
>> '--enable-ntlm-auth-helpers=fakeauth,no_check,smb_lm'
>> '--enable-negotiate-auth-helpers=squid_kerb_auth'
>> '--enable-digest-auth-helpers=password,ldap,eDirectory'
>> '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
>> '--with-default-user=squid' '--with-pthreads' '--with-dl'
>> '--with-openssl=/usr' '--with-large-files'
>> '--with-build-environment=default' '--enable-mit=/usr'
>> '--with-logdir=/var/log/squid' '--enable-http-violations'
>> '--enable-zph-qos' '--with-filedescriptors=8192'
>> 'build_alias=i586-mandriva-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wformat
>> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector
>> --param=ssp-buffer-size=4 -fstack-protector-all -fomit-frame-pointer
>> -march=i586 -mtune=generic -fasynchronous-unwind-tables
>> -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64' 'LDFLAGS=
>> -Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro -Wl,-O1
>> -Wl,--build-id' 'CPPFLAGS=-I/usr/include/openssl ' 'CXXFLAGS=-O2 -g
>> -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
>> -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all
>> -fomit-frame-pointer -march=i586 -mtune=generic
>> -fasynchronous-unwind-tables -D_LARGEFILE_SOURCE
>> -D_FILE_OFFSET_BITS=64'
>> --with-squid=/home/qateam/rpm/BUILD/squid-3.1.4
>> --enable-ltdl-convenience
>> [root_at_gw /]#
>>
>>
>>
>> In the Winbind logs, we have:
>> [2012/12/23 09:17:42.125070, 2]
>> winbindd/winbindd_pam.c:1781(winbindd_dual_pam_auth)
>> Plain-text authentication for user NTDOMAIN/none returned
>> NT_STATUS_NO_SUCH_USER (PAM: 10)
>> [2012/12/23 09:17:42.224588, 2]
>> winbindd/winbindd_pam.c:1781(winbindd_dual_pam_auth)
>> Plain-text authentication for user NTDOMAIN/none returned
>> NT_STATUS_NO_SUCH_USER (PAM: 10)
>> [2012/12/23 09:17:42.239454, 2]
>> winbindd/winbindd_pam.c:2099(winbindd_dual_pam_auth_crap)
>> NTLM CRAP authentication for user [U17330]\[timecard] returned
>> NT_STATUS_NO_SUCH_USER (PAM: 10)
>> [2012/12/23 09:18:40.586285, 2]
>> libsmb/cliconnect.c:795(cli_session_setup_kerberos)
>> Doing kerberos session setup
>>
>>
>>
>> Anyone have an idea?
>>
>> Thanks
>> Jerome
>>
> First, use the token "--helper-protocol=squid-2.5-ntlmssp".
>
> This is not a Squid issue but a permissions issue.
> Many problems came from Squid not having rights under
> /var/lib/samba/winbindd_privileged or /var/run/samba/winbindd_privileged.
>
> The ntlm helper tries to access the
> /var/lib/samba/winbindd_privileged/pipe socket file for read/write.
> This directory has 0750 permissions with owner root and group winbindd_priv.
>
> The first step is to add the squid user to the winbindd_priv group,
> e.g. usermod -a -G winbindd_priv squid
> The second is to chmod 1777 /var/lib/samba/winbindd_privileged/pipe
> But you will fight again and again.
> So the best way is to turn the partition that stores /var/lib/samba
> into ACL mode in order to perform a
> setfacl -R -m u:squid:rwx /var/lib/samba
>
> And you will be able to authenticate members correctly....

Or remove cache_effective_group and add the Squid user to the
winbindd_priv group (not possible on RHEL builds, which hard-coded the
Squid directive to a single group permission).

Amos
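As an added illustration (not code from the thread or from the Squid or Samba projects), the script below models the Unix permission check the ntlm_auth helper runs into on the 0750 root:winbindd_priv directory quoted above, and why the usermod step from David's reply only takes effect once cache_effective_group is gone, as Amos notes. It assumes the helper needs search (x) access on the directory to reach the pipe socket, and that with cache_effective_group set Squid runs with that single GID and drops supplementary groups.

```shell
#!/bin/sh
# Added example, not part of the thread: model the permission check the
# ntlm_auth helper hits on winbindd_privileged and the effect of
# cache_effective_group on the groups the helper inherits from Squid.
# Mode 0750 and owner root:winbindd_priv are the values quoted in the thread.

# in_list WANT ITEM... : succeed if WANT is one of the ITEMs
in_list() { want=$1; shift; for g in "$@"; do [ "$g" = "$want" ] && return 0; done; return 1; }

# effective_digit MODE OWNER GROUP USER GROUP... : print the rwx octal digit
# that applies to USER (member of the listed groups) for a file with octal
# MODE owned by OWNER:GROUP, using the kernel's owner / group / other choice.
effective_digit() {
    mode=$1; owner=$2; group=$3; user=$4; shift 4
    last3=${mode#"${mode%???}"}                       # e.g. 0750 -> 750
    if   [ "$user" = "$owner" ]; then printf '%s' "${last3%??}"           # owner digit
    elif in_list "$group" "$@";  then t=${last3%?}; printf '%s' "${t#?}"  # group digit
    else                              printf '%s' "${last3#??}"           # other digit
    fi
}

# can_search_dir MODE OWNER GROUP USER GROUP... : succeed if USER may traverse
# (x bit) the directory, which is what reaching the pipe socket inside needs.
can_search_dir() {
    d=$(effective_digit "$@")
    [ $(( d & 1 )) -eq 1 ]
}

# runtime_groups CACHE_EFFECTIVE_GROUP GROUP... : print the groups the helper
# inherits. With cache_effective_group set, Squid switches to that single GID
# and drops the supplementary groups (assumed here, as Amos's remark relies
# on); pass "" to model the directive being removed from squid.conf.
runtime_groups() {
    ceg=$1; shift
    if [ -n "$ceg" ]; then printf '%s' "$ceg"; else printf '%s' "$*"; fi
}

# Three situations from the thread, as "cache_effective_group|unix groups".
for scenario in "squid|squid" "squid|squid winbindd_priv" "|squid winbindd_priv"; do
    ceg=${scenario%%|*}; groups=${scenario#*|}
    # $(...) and $groups are left unquoted on purpose so the group list splits
    if can_search_dir 0750 root winbindd_priv squid $(runtime_groups "$ceg" $groups); then
        echo "cache_effective_group='$ceg' groups='$groups': helper can reach the pipe"
    else
        echo "cache_effective_group='$ceg' groups='$groups': permission denied"
    fi
done
```

Only the third scenario (directive removed, squid in winbindd_priv) succeeds; the second is the trap the reply warns about, where the group was added but the helper still runs with the single configured GID.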
Received on Thu Dec 27 2012 - 10:28:35 MST