Re: [squid-users] Fwd: NTLM LDAP authentication problem

2015-11-16 Thread Eugene M. Zheganin
Hi,

On 16.11.2015 19:51, Matej Kotras wrote:
> Thank you for your response, as this is my first try with Squid, and
> I am fairly newb in Linux.
> I do not understand at all the differences between basic/ntlm/gss-spnego
> auths, so I will do my homework and read about them. I've managed to
> get this working after a few weeks of the "trial and error" method (I know,
> I know, but I gotta start somewhere, right) following multiple guides.
>
The usual issue with all those copy/paste tutorials is that they tend to
teach how to do everything at once, instead of moving from simple things
to more difficult ones. This order of simplicity/difficulty is the
following:

- adding Basic authentication, all authenticated users are authorized to
use the proxy
- adding NTLM authentication, all authenticated users are authorized to
use the proxy
- adding group-based authorization, authenticated users are authorized
to use the proxy based on their group membership, using a simple helper like
squid_group_ldap
- adding GSS-SPNEGO authentication
- adding a full-fledged GSS-SPNEGO group authorization helper.

You can try my article,
http://squidquotas.hq.norma.perm.ru/squid-auth.shtml. Though it's not
perfect and still lacks the last two steps, at least it tries to follow that
approach.

Eugene.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Fwd: NTLM LDAP authentication problem

2015-11-16 Thread Rafael Akchurin
Hello Matej, Eugene,

Hope our humble tutorial for Squid <-> Active Directory integration with 
Kerberos SSO, Basic(LDAP) auth is also useful - 
http://docs.diladele.com/administrator_guide_4_3/active_directory/index.html 
No NTLM though!!!

Best regards,
Rafael Akchurin
Diladele B.V.

--
Please take a look at Web Safety - our ICAP based web filter server for Squid 
proxy




Re: [squid-users] Fwd: NTLM LDAP authentication problem

2015-11-16 Thread Eugene M. Zheganin
On 16.11.2015 14:29, Matej Kotras wrote:
> Hi guys
>
> I've managed to get squid to work with AD, and authorize users based on what
> AD group they are in. I use Squid-Analyzer for doing reports from
> access.log. I've found 2 anomalies with authorization so far. In the
> access log, I see that the user is authorized based on his PC name (not
> desired) and not on the user account name. I've just enabled debugging
> on the negotiate wrapper, so I will monitor these logs also.
>
> But in the meantime, have you got any idea why this could happen?
>
> *PC NAME AUTH:*
> 1447562119.348  0 10.13.34.31 TCP_DENIED/407 3834 CONNECT
> clients2.google.com:443  -
> HIER_NONE/- text/html
> 1447562119.374  2 10.13.34.31 TCP_DENIED/407 4094 CONNECT
> clients2.google.com:443  -
> HIER_NONE/- text/html
> 1447562239.350 119976 10.13.34.31 TCP_MISS/200   4200 CONNECT
> clients2.google.com:443  icz800639-03$
> HIER_DIRECT/173.194.116.231  -
>
> *USER NAME AUTH:*
> 1447562039.176  0 10.13.34.31 TCP_DENIED/407 3850 CONNECT
> lyncwebext.inventec.com:443  -
> HIER_NONE/- text/html
> 1447562039.215 27 10.13.34.31 TCP_DENIED/407 4110 CONNECT
> lyncwebext.inventec.com:443  -
> HIER_NONE/- text/html
> 1447562041.118   2702 10.13.34.31 TCP_MISS/200   6213 CONNECT
> lyncwebext.inventec.com:443 
> icz800639 HIER_DIRECT/10.8.100.165  -
Doesn't seem like you have a working GSS-SPNEGO scheme. Unless you have
username fields in the log with the realm set, which you didn't post here.

>
>
> *Squid.conf*
> #
> #Enable KERBEROS authentication#
> #
>
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d
> --ntlm /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=ICZ --kerberos
> /usr/lib64/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
> auth_param negotiate children 20 startup=0 idle=1
> auth_param negotiate keep_alive off
>
>
> #
> #Enable NTLM authentication#
> #
>
> #auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=ICZ
> #auth_param ntlm children 10
> #auth_param ntlm keep_alive off
So you disabled the explicit NTLM authentication. That's bad. So far
you only have GSS-SPNEGO failover to NTLM.
>
>
> #
> # ENABLE LDAP AUTH#
> #
>
> auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b
> "dc=icz,dc=inventec" -D squid@icz.inventec -W /etc/squid/ldappass.txt
> -f sAMAccountName=%s -h icz-dc-1.icz.inventec
> auth_param basic children 10
> auth_param basic realm Please enter user name to access the internet
> auth_param basic credentialsttl 1 hour
This is pure basic.
>
> external_acl_type ldap_group ttl=3600 negative_ttl=0 children-max=50
> children-startup=10  %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
>
The part with http_access is missing, so it's hard to tell why you have
TCP_MISS for machine accounts.

Eugene.


Re: [squid-users] Fwd: NTLM LDAP authentication problem

2015-11-16 Thread Matej Kotras
Thank you for your response, as this is my first try with Squid, and I am fairly
newb in Linux.
I do not understand at all the differences between basic/ntlm/gss-spnego auths,
so I will do my homework and read about them. I've managed to get this
working after a few weeks of the "trial and error" method (I know, I know, but I
gotta start somewhere, right) following multiple guides.

The commented lines are not supposed to be here, sorry. I've been testing
log outputs and functionality of auth helpers when commenting some. I
attach my squid.conf in email.

Thank you





Re: [squid-users] Fwd: NTLM LDAP authentication problem

2015-11-16 Thread Amos Jeffries
On 16/11/2015 10:29 p.m., Matej Kotras wrote:
> Hi guys
> 
> I've managed to get squid to work with AD, and authorize users based on what AD
> group they are in. I use Squid-Analyzer for doing reports from access.log.
> I've found 2 anomalies with authorization so far. In the access log, I see that
> the user is authorized based on his PC name (not desired) and not on the user
> account name. I've just enabled debugging on the negotiate wrapper, so I will
> monitor these logs also.
> 
> But in the meantime, have you got any idea why this could happen?

Not everything is about users. Machines use the network too.

This is why we are very careful to use the term "client" to describe the
entity making an HTTP request of Squid.

Sometimes a client is a user, sometimes it is a machine acting on a
user's instructions, sometimes it is a machine acting for itself.

Amos



Re: [squid-users] Fwd: NTLM LDAP authentication problem

2015-11-16 Thread Amos Jeffries
On 17/11/2015 4:48 a.m., Eugene M. Zheganin wrote:
> Hi,
> 
> On 16.11.2015 19:51, Matej Kotras wrote:
>> Thank you for your response, as this is my first try with Squid, and
>> fairly newb in Linux.
>> I do not understand at all differences between basic/ntlm/gss-spnego
>> auths so I will do my homework and read about them. I've managed to
>> get this working after few weeks of "trial and error" method (I know,
>> I know, but I gotta start somewhere rite) following multiple guides.
>>
> The usual issue with all those copy/paste tutorials is that they tend to
> teach how to do everything at once, instead of moving from simple things
> to more difficult ones. This order of simplicity/difficulty is the
> following:
> 
> - adding Basic authentication, all authenticated users are authorized to
> use proxy
> - adding NTLM authentication, all authenticated users are authorized to
> use proxy
> - adding group-based authorization, authenticated users are authorized
> to use proxy basing on the group membership, using simple helper like
> squid_group_ldap
> - adding GSS-SPNEGO authentication
> - adding full-fledged GSS-SPNEGO group authorization helper.
> 
> You can try my article,
> http://squidquotas.hq.norma.perm.ru/squid-auth.shtml. Though it's not
> perfect and still lacks two last steps, at least it tries to follow that
> approach.

Unfortunately it is not quite as simple as that.

The difference between the PC-NAME vs USER-LABEL logins is whether the
particular client software has access to the Windows Integrated
Authentication credentials or not. Whether that machine is registered to
the DOMAIN, or the User account is logged in specifically under their
own name, or a service account on the machine. And whether the software
is actually being used by a "user".

Notice how I avoid the word "username" - since that is not applicable.
Only the account label as passed in the auth tokens is seen by Squid's
part of the authentication. As you have noticed, machines do traffic too;
users are not always involved.


One might also want to follow the simple Config examples provided in the
Squid wiki. They are carefully restricted to only documenting one
task at a time. Not going into unrelated feature configuration that the
author was interested in.

Negotiate/Kerberos only:


NTLM (with Basic backup for non-NTLM clients):


Full Windows AD integration. (Negotiate/Kerberos, Negotiate/NTLM, NTLM,
and Basic):



PS. Eugene, your section on "Add remaining permissions" is wrong and
suggests a very broken configuration be done. Squid needs *read*
permission and that is done with unix group membership not by editing
the pipe itself. Please have a read of our NTLM+Basic examples' section
on Winbind privileges. Doing it the right way allows Samba to manage its
pipe properly.

Amos



[squid-users] Fwd: NTLM LDAP authentication problem

2015-11-16 Thread Matej Kotras
Hi guys

I've managed to get squid to work with AD, and authorize users based on what AD
group they are in. I use Squid-Analyzer for doing reports from access.log.
I've found 2 anomalies with authorization so far. In the access log, I see that
the user is authorized based on his PC name (not desired) and not on the user
account name. I've just enabled debugging on the negotiate wrapper, so I will
monitor these logs also.

But in the meantime, have you got any idea why this could happen?

*PC NAME AUTH:*
1447562119.348  0 10.13.34.31 TCP_DENIED/407 3834 CONNECT
clients2.google.com:443 - HIER_NONE/- text/html
1447562119.374  2 10.13.34.31 TCP_DENIED/407 4094 CONNECT
clients2.google.com:443 - HIER_NONE/- text/html
1447562239.350 119976 10.13.34.31 TCP_MISS/200   4200 CONNECT
clients2.google.com:443 icz800639-03$ HIER_DIRECT/173.194.116.231 -

*USER NAME AUTH:*
1447562039.176  0 10.13.34.31 TCP_DENIED/407 3850 CONNECT
lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562039.215 27 10.13.34.31 TCP_DENIED/407 4110 CONNECT
lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562041.118   2702 10.13.34.31 TCP_MISS/200   6213 CONNECT
lyncwebext.inventec.com:443 icz800639 HIER_DIRECT/10.8.100.165 -


*Squid.conf*
#
# Enable KERBEROS authentication #
#

auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm
/usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
--domain=ICZ --kerberos /usr/lib64/squid/negotiate_kerberos_auth -s
GSS_C_NO_NAME
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off


#
# Enable NTLM authentication #
#

#auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=ICZ
#auth_param ntlm children 10
#auth_param ntlm keep_alive off


#
# ENABLE LDAP AUTH #
#

auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b
"dc=icz,dc=inventec" -D squid@icz.inventec -W /etc/squid/ldappass.txt -f
sAMAccountName=%s -h icz-dc-1.icz.inventec
auth_param basic children 10
auth_param basic realm Please enter user name to access the internet
auth_param basic credentialsttl 1 hour

external_acl_type ldap_group ttl=3600 negative_ttl=0 children-max=50
children-startup=10  %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl



Thank you
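To make the point Amos raises earlier in this thread visible in the log lines above, here is an added example (not part of the thread, and not Squid's own tooling) that parses Squid's native access.log format and separates the `-` challenge rounds, logins whose label ends in `$` (the Active Directory computer-account convention), and ordinary user logins. The sample input is the six lines from the post, with whitespace collapsed; the field layout it assumes is the default native logformat.

```python
import re
from collections import defaultdict

# Squid native access.log: time elapsed client code/status bytes method URL user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

def classify_label(user):
    """'-' = no accepted credentials (the 407 challenge rounds); a trailing '$'
    is the AD computer-account naming convention; anything else is a user label."""
    if user == "-":
        return "none"
    return "machine" if user.endswith("$") else "user"

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # line is in some other logformat; skip it
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["kind"] = classify_label(rec["user"])
    return rec

def summarize(lines):
    """Per client IP: number of 407 challenges, plus the (label, url) pairs that
    were actually served (2xx) to machine accounts and to user accounts."""
    out = defaultdict(lambda: {"challenges": 0, "machine": [], "user": []})
    for rec in filter(None, map(parse_line, lines)):
        entry = out[rec["client"]]
        if rec["status"] == 407:
            entry["challenges"] += 1
        elif 200 <= rec["status"] < 300 and rec["kind"] != "none":
            entry[rec["kind"]].append((rec["user"], rec["url"]))
    return dict(out)

# Sample input: the six lines from the original post, whitespace collapsed.
SAMPLE_LOG = """\
1447562119.348 0 10.13.34.31 TCP_DENIED/407 3834 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
1447562119.374 2 10.13.34.31 TCP_DENIED/407 4094 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
1447562239.350 119976 10.13.34.31 TCP_MISS/200 4200 CONNECT clients2.google.com:443 icz800639-03$ HIER_DIRECT/173.194.116.231 -
1447562039.176 0 10.13.34.31 TCP_DENIED/407 3850 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562039.215 27 10.13.34.31 TCP_DENIED/407 4110 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562041.118 2702 10.13.34.31 TCP_MISS/200 6213 CONNECT lyncwebext.inventec.com:443 icz800639 HIER_DIRECT/10.8.100.165 -
"""

if __name__ == "__main__":
    for client, entry in summarize(SAMPLE_LOG.splitlines()).items():
        print(client, entry)
```

Running it over a real access.log shows which client IPs are getting traffic served under a computer account rather than a user label, which is the first thing to check before deciding whether the http_access rules should treat those two kinds of client differently.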