squid 4 fails to authenticate using NTLM

squid 4 fails to authenticate using NTLM

zby
My problem: my browser keeps on prompting for authentication.
Facts:

Debian 10 x86_64
squid-4.6 + samba-4.9
joined AD using "net ads join -U ...". OK.
wbinfo -t : OK
wbinfo -P or -p : OK
wbinfo -i userXYZ : returns data (OK)
wbinfo -g (well, fails to "deliver", too many users?)
smbclient -U userXYZ //host/share : works, logs me in

wbinfo -a domain\\user%pass:
plaintext password authentication succeeded
challenge/response password authentication failed

sqadmin@host13:~$ ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=ad001
userw01 Passwd001
SPNEGO request [userw01 Passwd001] invalid prefix
BH SPNEGO request invalid prefix

squid/cache.log:
.....
2019/07/22 17:39:31.252 kid1| 11,2| client_side.cc(1323) parseHttpRequest: HTTP Client REQUEST:
---------
CONNECT www.bing.com:443 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.bing.com
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAIwAAABOAU4BpAAAAAoACgBYAAAAEAAQAGIAAAAa....
DNT: 1
Proxy-Connection: Keep-Alive
Pragma: no-cache
Content-Length: 0


----------
2019/07/22 17:39:31.253 kid1| 29,9| UserRequest.cc(57) valid: Validating Auth::UserRequest '0x55eb35131d80'.
2019/07/22 17:39:31.253 kid1| 29,5| UserRequest.cc(77) valid: Validated. Auth::UserRequest '0x55eb35131d80'.
2019/07/22 17:39:31.253 kid1| 29,9| UserRequest.cc(65) authenticated: user not fully authenticated.
2019/07/22 17:39:31.253 kid1| 29,9| UserRequest.cc(332) authenticate: header NTLM TlRMTVNTUAADAAAAGAAYAIwAAABOAU4.....
...
2019/07/22 17:39:31.256 kid1| 29,9| UserRequest.cc(254) authenticate: auth state ntlm failed. NTLM TlRMTVNTUAADAAAAGAA....


Please advise.
Thank you.
Zbynek



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: squid 4 fails to authenticate using NTLM

Amos Jeffries
Administrator
On 23/07/19 7:53 am, zby wrote:

> My problem:  my browser keeps on prompting for authentication.
> Facts:
>
> Debian 10 x86_64
> squid-4.6 + samba-4.9
> joined AD using "net ads join -U ...". OK.
> wbinfo -t : OK
> wbinfo -P or -p : OK
> wbinfo -i userXYZ : returns data (OK)
> wbinfo -g (well, fails to "deliver", too many users?)
> smbclient -U userXYZ //host/share : works, logs me in

This is irrelevant to Squid. It only tells that the user account has
filesystem access privileges. Nothing about web access privileges, or
whether the *Squid* user account has access to authenticate user logins.


>
> wbinfo -a domain\\user%pass:
> plaintext password authentication succeeded

"plaintext" means Basic authentication.

> challenge/response password authentication failed
>

Challenge/Response could mean anything auth related.


> sqadmin@host13:~$ ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> --domain=ad001
> userw01 Passwd001
> SPNEGO request [userw01 Passwd001] invalid prefix
> BH SPNEGO request invalid prefix
>

"userw01 Passwd001" is not a SPNEGO token.

see
<https://wiki.squid-cache.org/Features/AddonHelpers#Negotiate_and_NTLM_Scheme>

Pass the helper the "KK" request command and the token you see in the
HTTP headers. For example:

KK TlRMTVNTUAADAAAAGAAYAIwAAABOAU4BpAAAAAoACgBYAAAAEAAQAGIAAAAa...



Amos
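Added example, not from this thread and not Squid's or Samba's own code: a small Python script that does by hand what Amos describes above. It takes the value of the Proxy-Authorization header, checks that the token really is an NTLMSSP message, and prefixes it with the helper command the squid-2.5-ntlmssp protocol expects ("YR" for the client's type 1 message that opens a handshake, "KK" for the type 3 message that answers the challenge, as documented on the wiki page linked above). It also decodes a type 3 token to show the domain, user, workstation and the LM/NT response lengths, which is the same information Samba later logs as "Got user=[...] domain=[...] workstation=[...] len1=.. len2=..". The message layout follows MS-NLMP; the sample token is constructed here, not captured from the thread, and the response bytes in it are zero-filled dummies.

```python
"""Added example (not from the thread or from Squid/Samba): inspect the NTLM
token a browser sends in Proxy-Authorization and build the line the
squid-2.5-ntlmssp helper expects.  Layout follows MS-NLMP; the sample token
below is constructed, not captured from the thread."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE = 1           # client's first message (opens the handshake)
NTLMSSP_AUTHENTICATE = 3        # client's final message, the one Squid logged
NEGOTIATE_UNICODE = 0x00000001  # payload strings are UTF-16LE


def helper_line_from_header(proxy_authorization):
    """Map a 'NTLM <b64>' Proxy-Authorization value onto the helper protocol:
    type 1 starts a handshake ('YR'), type 3 answers the challenge ('KK').
    Anything else on the helper's stdin is what ntlm_auth calls an
    'invalid prefix'."""
    scheme, _, token = proxy_authorization.strip().partition(" ")
    token = token.strip()
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM Proxy-Authorization value")
    raw = base64.b64decode(token)
    if raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("token does not start with the NTLMSSP signature")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    if msg_type == NTLMSSP_NEGOTIATE:
        return "YR " + token
    if msg_type == NTLMSSP_AUTHENTICATE:
        return "KK " + token
    raise ValueError("unexpected NTLMSSP message type %d from a client" % msg_type)


def _field(raw, at):
    """Read a (Len, MaxLen, Offset) security-buffer descriptor at `at`."""
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, at)
    return raw[offset:offset + length]


def parse_ntlm_authenticate(token):
    """Return what the helper will see in a type 3 token: the claimed
    domain/user/workstation and the LM/NT response lengths (Samba logs them
    as len1/len2; an NT response longer than 24 bytes means NTLMv2)."""
    raw = base64.b64decode(token)
    if raw[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", raw, 8)[0] != NTLMSSP_AUTHENTICATE:
        raise ValueError("not an NTLMSSP AUTHENTICATE (type 3) message")
    flags = struct.unpack_from("<I", raw, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    lm, nt = _field(raw, 12), _field(raw, 20)
    return {
        "domain": _field(raw, 28).decode(enc),
        "user": _field(raw, 36).decode(enc),
        "workstation": _field(raw, 44).decode(enc),
        "len1": len(lm),
        "len2": len(nt),
        "ntlmv2": len(nt) > 24,
    }


def build_authenticate_message(domain, user, workstation, lm_len=24, nt_len=334):
    """Constructed sample token: 64-byte fixed header (no Version/MIC) and
    zero-filled responses whose sizes mirror the len1=24 len2=334 in the log."""
    parts = {
        "domain": domain.encode("utf-16-le"),
        "user": user.encode("utf-16-le"),
        "workstation": workstation.encode("utf-16-le"),
        "lm": b"\x00" * lm_len,
        "nt": b"\x00" * nt_len,
        "key": b"",  # no encrypted session key in this sample
    }
    payload_order = ["domain", "user", "workstation", "lm", "nt", "key"]
    header_order = ["lm", "nt", "domain", "user", "workstation", "key"]
    offsets, pos = {}, 64
    for name in payload_order:
        offsets[name] = pos
        pos += len(parts[name])
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", NTLMSSP_AUTHENTICATE)
    for name in header_order:
        msg += struct.pack("<HHI", len(parts[name]), len(parts[name]), offsets[name])
    msg += struct.pack("<I", NEGOTIATE_UNICODE)
    msg += b"".join(parts[name] for name in payload_order)
    return base64.b64encode(msg).decode("ascii")


def build_negotiate_message():
    """Constructed minimal type 1 token: signature, type, flags, and empty
    domain and workstation buffers."""
    msg = NTLMSSP_SIGNATURE + struct.pack("<II", NTLMSSP_NEGOTIATE, NEGOTIATE_UNICODE)
    msg += struct.pack("<HHI", 0, 0, 32) * 2
    return base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    token = build_authenticate_message("DOM1", "user1", "machine1")
    print(helper_line_from_header("NTLM " + token)[:40] + "...")
    print(parse_ntlm_authenticate(token))
```

Run it against a token copied from cache.log to see whether the browser is even sending a type 3 for the user you expect; the helper line it prints is what to feed ntlm_auth, after the matching "YR" line of the same handshake, since the helper keeps the challenge state between the two.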

Re: squid 4 fails to authenticate using NTLM

zby
echo "KK TlRMTVNTUAADAAAAGAAYAIwA....." | ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DOM1
NA NT_STATUS_INVALID_PARAMETER

---------------------------------------
squid.conf snippet:
...
## Authentication of NTLM:
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOM1
auth_param ntlm children 100 startup=10
auth_param ntlm keep_alive off
external_acl_type ad_group ttl=600 children-max=200 %LOGIN /usr/lib/squid/ext_wbinfo_group_acl
...
##No other auth scheme.
----------------------------------------------
## /var/lib/samba:
drwxr-x---  2 root winbindd_priv   4096 Jul 23 15:30 winbindd_privileged


Zbynek


Re: squid 4 fails to authenticate using NTLM

zby
In reply to this post by Amos Jeffries
I found one more thing in the cache.log:
Got user=[user1] domain=[DOM1] workstation=[machine1] len1=24 len2=334
Login for user [DOM1\[user1]@[machine1 failed due to [Reading winbind reply failed!]
ntlmssp_server_auth_send: Checking NTLMSSP password for DOM1\user1 failed: NT_STATUS_UNSUCCESSFUL
gensec_update_done: ntlmssp[0x55713e452900]: NT_STATUS_UNSUCCESSFUL
GENSEC login failed: NT_STATUS_UNSUCCESSFUL

Why did it fail?
/var/lib/samba:
drwxr-x---  2 root winbindd_priv   4096 Jul 23 18:09 winbindd_privileged
/var/run/samba:
drwxr-xr-x 2 root root     60 Jul 23 18:09 winbindd

If I chmod it to anything other than expected, winbindd fails to start, complaining about an unexpected dir mode.
The dir modes remain the same as "defined" in the Debian package.
ntlm_auth --username=user1 run as a regular user results in: "NT_STATUS_OK: The operation completed successfully. (0x0)"
It should fail if not allowed to read from winbind, I suppose.

Thanks.
Zb


Re: squid 4 fails to authenticate using NTLM

zby
Good morning (CEST).
Solved for NTLM.
I added the squid user to the group winbindd_priv as described in "man ntlm_auth". Well, I just overlooked it.
Thanks all for reading/thinking/help.
Zbynek
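Added example, not from this thread and not Samba's or Squid's own code: a Python preflight check for the two things the last two posts turn on, the mode of /var/lib/samba/winbindd_privileged (root:winbindd_priv, drwxr-x--- as listed above) and whether the account Squid starts its helpers as belongs to winbindd_priv. With that mode only root or a group member can open the directory, which is why the fix was group membership rather than chmod. The pure functions take the owner, group, mode and group list as arguments so they can be checked offline; the main block reads the live system and assumes Debian's "proxy" account unless another user is given on the command line.

```python
"""Added example (not from the thread or from Samba/Squid): check whether the
account Squid starts its NTLM helpers as can reach winbind's privileged
pipe directory.  Path, owner, group and mode are the ones listed in the
thread; the 'proxy' account name is an assumption (Debian's squid user)."""
import grp
import os
import pwd
import stat
import sys

PRIVILEGED_DIR = "/var/lib/samba/winbindd_privileged"
PRIVILEGED_GROUP = "winbindd_priv"


def parse_ls_mode(mode_str):
    """Turn the ls -l mode column ('drwxr-x---') into permission bits (0o750)."""
    bits = 0
    for ch in mode_str[1:10]:
        bits = (bits << 1) | (ch != "-")
    return bits


def access_class(perm_bits, owner, group, user, user_groups):
    """Which POSIX class grants r-x on the directory to `user`: 'owner',
    'group', 'other', or None.  `user_groups` includes the primary group."""
    if user == owner:
        cls, shift = "owner", 6
    elif group in user_groups:
        cls, shift = "group", 3
    else:
        cls, shift = "other", 0
    return cls if (perm_bits >> shift) & 0o5 == 0o5 else None


def diagnose(user, user_groups, owner="root", group=PRIVILEGED_GROUP, mode_str="drwxr-x---"):
    """Explain whether the helper account can open the privileged pipe
    directory; defaults are the listing from the thread (root:winbindd_priv, 0750)."""
    cls = access_class(parse_ls_mode(mode_str), owner, group, user, user_groups)
    if cls:
        return True, "%s reaches %s via the %s permissions" % (user, PRIVILEGED_DIR, cls)
    if group not in user_groups:
        # The symptom in the thread's cache.log: 'Reading winbind reply failed'
        # for NTLMSSP while plaintext checks through the public pipe still pass.
        return False, "%s is not in group %s; NTLMSSP helpers cannot read winbind's reply" % (user, group)
    return False, "%s is in %s but mode %s denies group r-x" % (user, group, mode_str)


def live_groups(user):
    """Primary plus supplementary groups of a local account."""
    primary = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name
    return {primary} | {g.gr_name for g in grp.getgrall() if user in g.gr_mem}


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "proxy"  # assumption: Debian's squid account
    st = os.stat(PRIVILEGED_DIR)
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    ok, why = diagnose(user, live_groups(user), owner, group, stat.filemode(st.st_mode))
    print(("OK: " if ok else "FAIL: ") + why)
    if not ok and group not in live_groups(user):
        print("fix: usermod -aG %s %s, then restart squid so the helpers pick up the new group" % (group, user))
```

Run it as any user with the name of the account from "ps -o user -C ntlm_auth" (or from squid.conf's cache_effective_user) to confirm the group membership took effect before restarting Squid.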
