[squid-users] Fwd: squid 3.2.8 ntlm

From: JC Putter <jcputter_at_gmail.com>
Date: Thu, 30 May 2013 02:00:22 +0200

I've been running Squid 3.2.8 for a while now using
negotiate_wrapper_auth with Kerberos and NTLM; however, I discovered
today that NTLM auth does not work.

wbinfo -t

checking the trust secret for domain MYDOMAIN via RPC calls succeeded

# /usr/bin/ntlm_auth --username=myuser --password=pass

NT_STATUS_OK: Success (0x0)

Kerberos and Basic work 100%; it's only NTLM that does not seem to work.

OS: CentOS 6.4 (updated)
Squid: 3.2.8
Samba: rpm -qf /usr/bin/ntlm_auth
samba-winbind-clients-3.6.9-151.el6.x86_64

Auth Helper config

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib64/squid/negotiate_wrapper_auth -D --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN --kerberos /usr/lib64/squid/negotiate_kerberos_auth -r -s GSS_C_NO_NAME
auth_param negotiate children 50
auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --debug-level=10 --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN
auth_param ntlm children 50
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib64/squid/basic_ldap_auth -d -R -b "dc=domian,dc=local" -D proxy_at_domain.local -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h server.domain.local
auth_param basic children 50
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

Log:

2013/05/30 01:58:22| negotiate_wrapper: Got 'KK TlRMTVNTUAADAAAAGAAYAGIAAAAYABgAegAAAAAAAABIAAAACgAKAEgAAAAQABAAUgAAAAAAAACSAAAABYKIogUBKAoAAAAPYQBkAG0AaQBuAFUAUwBFAFIALQBQAEMAMQCyjgMoFTqyXQAAAAAAAAAAAAAAAAAAAABioAHqJBhnJnwFLhF18yrGqgT5zLhxN9o=' from squid (length: 199).
2013/05/30 01:58:22| negotiate_wrapper: Decode 'TlRMTVNTUAADAAAAGAAYAGIAAAAYABgAegAAAAAAAABIAAAACgAKAEgAAAAQABAAUgAAAAAAAACSAAAABYKIogUBKAoAAAAPYQBkAG0AaQBuAFUAUwBFAFIALQBQAEMAMQCyjgMoFTqyXQAAAAAAAAAAAAAAAAAAAABioAHqJBhnJnwFLhF18yrGqgT5zLhxN9o=' (decoded length: 146).
2013/05/30 01:58:22| negotiate_wrapper: received type 216 NTLM token
2013/05/30 01:58:22| negotiate_wrapper: Return 'NA = NT_STATUS_UNSUCCESSFUL
Received on Thu May 30 2013 - 00:00:29 MDT
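
Added example, not part of the original post and not Squid or Samba code: the base64 string that negotiate_wrapper logs after `KK` is an NTLMSSP AUTHENTICATE (type 3) message, and decoding its header shows which domain, user and workstation the client sent and whether the response is NTLMv1 or NTLMv2. The function names are hypothetical and the token produced by `build_sample` is constructed with dummy response bytes; OEM strings are assumed to be latin-1.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE
ESS = 0x00080000      # NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY

def _field(msg, pos):
    """Return the bytes referenced by the (Len, MaxLen, Offset) descriptor at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError(f"descriptor at byte {pos} points past the end of the token")
    return msg[offset:offset + length]

def parse_authenticate(b64_token):
    """Summarise a type 3 token; the response bytes themselves are not returned."""
    msg = base64.b64decode(b64_token, validate=True)
    if len(msg) < 64 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError(f"expected message type 3, got {msg_type}")
    flags, = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & UNICODE else "latin-1"  # OEM assumed latin-1
    lm, nt = _field(msg, 12), _field(msg, 20)
    if len(nt) > 24:                       # NTLMv2: 16-byte proof plus a variable blob
        scheme = "NTLMv2"
    elif flags & ESS and lm[8:] == bytes(16):  # LM slot holds an 8-byte client nonce
        scheme = "NTLMv1 with extended session security"
    else:
        scheme = "NTLMv1"
    return {"domain": _field(msg, 28).decode(enc), "user": _field(msg, 36).decode(enc),
            "workstation": _field(msg, 44).decode(enc),
            "nt_response_len": len(nt), "scheme": scheme}

def build_sample(user, workstation, domain="", nt_len=24, flags=0xA2888205):
    """Constructed type 3 token with dummy response bytes, for offline testing only."""
    fields = {"dom": domain.encode("utf-16-le"), "usr": user.encode("utf-16-le"),
              "ws": workstation.encode("utf-16-le"),
              "lm": b"\x11" * 8 + bytes(16), "nt": b"\x22" * nt_len, "key": b""}
    desc, payload, offset = {}, b"", 72  # fixed header incl. 8-byte version is 72 bytes
    for name, data in fields.items():
        desc[name] = struct.pack("<HHI", len(data), len(data), offset)
        payload += data
        offset += len(data)
    header = SIGNATURE + struct.pack("<I", 3) + b"".join(
        desc[n] for n in ("lm", "nt", "dom", "usr", "ws", "key"))
    return base64.b64encode(header + struct.pack("<I", flags) + bytes(8) + payload).decode()
```

To inspect a real token, pass the base64 text that follows `KK ` in the helper log to `parse_authenticate` and compare the reported domain and scheme with what winbind and the domain controller are configured to accept.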
