NTLM Authentication / Centos 7


NTLM Authentication / Centos 7

Jon Cuthbert
On a new installation, I cannot get ntlm_auth working correctly:
Squid - v 3.5.20 

2018/08/20 17:00:27| helperOpenServers: Starting 1/5 'ntlm_auth' processes
2018/08/20 17:00:27| WARNING: basicauthenticator #Hlpr243 exited
2018/08/20 17:00:27| Too few basicauthenticator processes are running (need 1/5)
2018/08/20 17:00:27| Starting new helpers
2018/08/20 17:00:27| helperOpenServers: Starting 1/5 'ntlm_auth' processes
2018/08/20 17:00:27| WARNING: basicauthenticator #Hlpr244 exited
2018/08/20 17:00:27| Too few basicauthenticator processes are running (need 1/5)
2018/08/20 17:00:27| Starting new helpers
2018/08/20 17:00:27| helperOpenServers: Starting 1/5 'ntlm_auth' processes

The ntlm_auth process respawns constantly, with the following error once the request & user authentication attempt is sent from the browser:
'helperOpenServers: Starting 1/10 'ntlm_auth' processes
username must be specified!'

Above is with auth_param ntlm # commented out but the same happens if ntlm is first.

squid.conf file contains:

auth_param ntlm program /usr/bin/ntlm_auth -–helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth -–helper-protocol=squid-2.5-basic
auth_param basic children 5
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers



The following ownerships are in place:
root:wbpriv /var/lib/samba/winbindd_privileged/   
root:wbpriv /var/run/samba/winbindd/pipe

wbinfo - works for both plaintext & challenge/response
wbinfo -t works

/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic 
works correctly - (if a space is left after the c basic, otherwise it complains about username - I've tried squid.conf leaving a space as well)

/usr/bin/ntlm_auth -–helper-protocol=squid-2.5-ntlmssp
gives BH SPNEGO request invalid prefix - assume related to Negotiate, but will investigate after basic authentication in case related.

I've looked at as many install instructions as possible, and this should be okay?

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: NTLM Authentication / Centos 7

Amos Jeffries
Administrator
On 21/08/18 4:15 AM, Jon Cuthbert wrote:

> On a new installation, I can not get the ntlm_auth working correctly:
> Squid - v 3.5.20 
>
> 2018/08/20 17:00:27| helperOpenServers: Starting 1/5 'ntlm_auth' processes
> 2018/08/20 17:00:27| WARNING: basicauthenticator #Hlpr243 exited
> 2018/08/20 17:00:27| Too few basicauthenticator processes are running
> (need 1/5)
> 2018/08/20 17:00:27| Starting new helpers
> 2018/08/20 17:00:27| helperOpenServers: Starting 1/5 'ntlm_auth' processes
> 2018/08/20 17:00:27| WARNING: basicauthenticator #Hlpr244 exited
> 2018/08/20 17:00:27| Too few basicauthenticator processes are running
> (need 1/5)
> 2018/08/20 17:00:27| Starting new helpers
> 2018/08/20 17:00:27| helperOpenServers: Starting 1/5 'ntlm_auth' processes
>
> The ntlm_auth process respawns constantly, with the following error once
> the request & user authentication attempt is sent from the browser:
> 'helperOpenServers: Starting 1/10 'ntlm_auth' processes
> username must be specified!'
>
> Above is with auth_param ntlm # commented out but the same happens if
> ntlm is first.
>
> squid.conf file contains:
>
> auth_param ntlm program /usr/bin/ntlm_auth
> -–helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param basic program /usr/bin/ntlm_auth
> -–helper-protocol=squid-2.5-basic
> auth_param basic children 5
> acl AuthorizedUsers proxy_auth REQUIRED

> http_access allow all AuthorizedUsers

This use of "all" does nothing but add confusion.

Also, what do the other lines in your config then say to do with
the NTLM type-1 requests (no credentials) and failed-login requests?

Note those are different types of message. "http_access allow" only
handles completed + successful logins.

This is why our recommended and example configs always have three parts
and a "deny" action associated to the login:


 # ... things which don't require login credentials
 http_access deny login
 # ... things which depend on credentials


>
> The following ownerships are in place:
> root:wbpriv /var/lib/samba/winbindd_privileged/   
> root:wbpriv /var/run/samba/winbindd/pipe
>
> wbinfo - works for both plaintext & challenge/response
> wbinfo -t works

Is the proxy user a member of that wbpriv group, AND are the old
cache_effective_* directives _absent_ from your squid.conf?


>
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic 
> works correctly - (if a space is left after the c basic, otherwise it
> complains about username - I've tried squid.conf leaving a space as well)

That's odd.

>
> /usr/bin/ntlm_auth -–helper-protocol=squid-2.5-ntlmssp
> gives BH SPNEGO request invalid prefix - assume related to Negotiate,
> but will investigate after basic authentication in case related).
>
> I've looked at as many install instructions as possible, and this should
> be okay?


The "BH SPNEGO" indicates that the client/browser is *not* sending NTLM
authentication in the HTTP messages labelled "Proxy-Authorization: NTLM ..."

Have you considered configuring Kerberos instead? All MS products since
WinXP should be defaulting to that more secure scheme.

Amos

Re: NTLM Authentication / Centos 7

Amos Jeffries
Administrator
On 21/08/18 7:54 AM, Amos Jeffries wrote:
>
>  # ... things which don't require login credentials
>  http_access deny login

Oops. That should be "deny !login"

>  # ... things which depend on credentials
>

Amos

Re: NTLM Authentication / Centos 7

L.P.H. van Belle
In reply to this post by Amos Jeffries
> Also, what do the other lines in your config then say to do with
> the NTLM type-1 requests (no credentials) and failed-login requests?

No, this happened after the last security update of samba.

This is due to a samba update.
SECURITY UPDATE: Weak authentication protocol allowed
CVE-2018-1139-*.patch: Do not allow ntlmv1 over SMB1

You can easily test this, add 'ntlm auth = yes' to smb.conf and
restart. If this cures your problem, then you have two choices, leave
it alone and put up with a possibly insecure server, or fix your
clients to only use NTLMv2 and remove the line from smb.conf.

Greetz,

Louis


Re: NTLM Authentication / Centos 7

Amos Jeffries
Administrator
On 21/08/18 7:09 PM, L.P.H. van Belle wrote:
>> Also, what do the other lines in your config then say to do with
>> the NTLM type-1 requests (no credentials) and failed-login requests?
>
> No this happend after the last security update of samba.
>

"No" to what ? My Q above was in regards to the omitted http_access
behaviour.


The 'type-1' I am speaking of is the initial NTLM credentials token. Not
the version number. All LanManager based exchanges (LM 1.0, LM4, LM
32-bit, SMB LM, NTLMv1, NTLMv2, NTLMv2 extended) begin with a type-1 token.


> This is due to a samba update.
> SECURITY UPDATE: Weak authentication protocol allowed
> CVE-2018-1139-*.patch: Do not allow ntlmv1 over SMB1
>
> You can easily test this, add 'ntlm auth = yes' to smb.conf and
> restart. If this cures your problem, then you have two choices, leave
> it alone and put up with a possibly insecure server, or fix your
> clients to only use NTLMv2 and remove the line from smb.conf.
>

Yes, that is worth testing for.

Amos

Re: NTLM Authentication / Centos 7

Jon Cuthbert
Hi,

I got this working in the end, the issue was with the '-' on the --helper-protocol being wrong. I'm assuming this was caused during a copy/paste rather than typing, as I was looking at web pages when creating the file. I noticed the 2nd - seemed longer.

Thank you for the help though.

Jon


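A lint script for the three settings this thread turned on: the pasted en-dash in ntlm_auth's --helper-protocol option that Jon found, the missing "http_access deny !<acl>" rule Amos asked about, and the "ntlm auth = yes" smb.conf test Louis proposed. This is an added example, not code from the thread, from Squid or from Samba; the script name, the function names and the sample configs it is run against are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid/Samba projects.
# Lints the settings the thread turned on:
#   1. non-ASCII bytes on squid.conf "auth_param ... program" lines (an en dash
#      pasted in place of "--" makes ntlm_auth reject its arguments and exit);
#   2. a proxy_auth acl with no matching "http_access deny !<acl>" rule;
#   3. "ntlm auth = yes" in smb.conf, which accepts NTLMv1 and should only be
#      a temporary test setting.
# Output: one "<file>:<line>: <message>" per finding; exit 0 = clean, 1 = findings.

# Checks 1 and 2 against one squid.conf. Only "#" comment lines are skipped.
lint_squid_auth() {
    conf=$1
    rc=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '#'*) ;;
            *auth_param*program*)
                # In the C locale [:print:] and [:space:] cover ASCII only, so any
                # multi-byte character (en dash, em dash, NBSP, ...) matches here.
                if printf '%s\n' "$line" | LC_ALL=C grep -q '[^[:print:][:space:]]'; then
                    printf '%s:%s: non-ASCII byte in helper command line: %s\n' "$conf" "$n" "$line"
                    rc=1
                fi
                ;;
        esac
    done < "$conf"

    # "http_access allow <acl>" only matches completed logins; the initial
    # NTLM type-1 message and failed logins need an explicit "deny !<acl>".
    for acl in $(awk '$1 == "acl" && $3 == "proxy_auth" { print $2 }' "$conf"); do
        if ! grep -Eq "^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+!$acl([[:space:]]|\$)" "$conf"; then
            printf '%s:0: proxy_auth acl %s has no "http_access deny !%s" rule\n' "$conf" "$acl" "$acl"
            rc=1
        fi
    done
    return $rc
}

# Check 3: report an smb.conf that accepts NTLMv1 ("ntlm auth = yes").
lint_smb_ntlm() {
    conf=$1
    if grep -Eiq '^[[:space:]]*ntlm[[:space:]]+auth[[:space:]]*=[[:space:]]*yes' "$conf"; then
        n=$(grep -Ein '^[[:space:]]*ntlm[[:space:]]+auth[[:space:]]*=' "$conf" | head -n 1 | cut -d: -f1)
        printf '%s:%s: "ntlm auth = yes" accepts NTLMv1; remove it once clients use NTLMv2\n' "$conf" "$n"
        return 1
    fi
    return 0
}

# Rewrite en dash (U+2013), em dash (U+2014) and non-breaking hyphen (U+2011)
# to ASCII "-"; the corrected file goes to stdout so it can be diffed first.
fix_dashes() {
    en=$(printf '\342\200\223') em=$(printf '\342\200\224') nbh=$(printf '\342\200\221')
    sed "s/$en/-/g; s/$em/-/g; s/$nbh/-/g" "$1"
}

# Stand-alone use: sh lint_ntlm_setup.sh /etc/squid/squid.conf [/etc/samba/smb.conf]
if [ $# -ge 1 ]; then
    status=0
    lint_squid_auth "$1" || status=1
    if [ $# -ge 2 ]; then
        lint_smb_ntlm "$2" || status=1
    fi
    exit $status
fi
```

Run it as `sh lint_ntlm_setup.sh /etc/squid/squid.conf /etc/samba/smb.conf`, and pipe a flagged squid.conf through fix_dashes into a new file and diff it before replacing the original. The non-ASCII check is deliberately broad: any byte above 0x7F on a helper command line is suspect, and the symptom is exactly the one in the first post, where ntlm_auth given a mangled option name complains that a username must be specified and Squid keeps respawning the helper.
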
Re: NTLM Authentication / Centos 7

L.P.H. van Belle
In reply to this post by Amos Jeffries

Ah, sorry Amos,

I was understanding you meant the question was about the NTLM auth itself, not the token.
My misunderstanding.  :-/

Greetz,

Louis
