Re: [squid-users] NTLM Authentication Failing
On 22/10/2015 10:33 a.m., Alex Samad wrote:
> Would it be fair to say best practice is to get kerberos working in favour
> of ntlm ?

Best Practice is not to have NTLM at all. In the same way that it's best
practice not to use 8-bit (1 letter) passwords.

NTLM was formally deprecated in 2006 by MS. Kerberos was added in 1998. You
should not be using NTLM at all by now unless you are running software that
has not been updated since before 2001 and still requires NTLM as its only
possible authentication scheme.

I'm really not joking when I write that Basic auth is more secure than NTLM.
The simple fact that everyone is aware of the weakness in Basic auth
credentials means a lot of extra protection has gone into keeping them secure
and safe. NTLM can trivially be auto-downgraded to LanMan which is just as
insecure - but still treated widely as if it were a magically "secure and
unbreakable" auth even though its crypto was obsolete almost 20 years ago.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] NTLM Authentication Failing
Would it be fair to say best practice is to get kerberos working in favour of ntlm ?

On 21/10/2015 3:18 PM, "Amos Jeffries" wrote:
> On 2015-10-21 15:38, Ilias Clifton wrote:
>>
>>> On 20/10/2015 4:04 p.m., Ilias Clifton wrote:
>>>> Hi All,
>>>> I've been following the guide at this location for Active Directory integration
>>>> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
>>>>
>>>> First, some versions for sanity..
>>>> Ubuntu : 14.04.3 LTS
>>>> Squid : 3.3.8 (from ubuntu repositories)
>>>> Samba : 4.1.6-Ubuntu
>>>> DC : Windows Server 2012 R2
>>>>
>>>> I am currently testing the authentication, negotiate kerberos and basic ldap are
>>>> both working correctly. However ntlm is not and I don't seem to be making any
>>>> progress on debugging further.
>>>
>>> Date: Tue, 20 Oct 2015 18:06:17 +1300
>>> From: Amos Jeffries
>>>
>>> Your version of Squid has big problems with (4) and some with (2), and
>>> your DC server version has big problems with (1) and (3).
>>>
>>> Amos
>>>
>>
>> Hi Amos,
>>
>> Thank you for your detailed answer.
>>
>> So what is the best way to authenticate users in a mixed environment?
>> I've got Windows domain PCs with IE/firefox/chrome. Linux PCs with
>> Firefox/chrome. Windows non-domain joined PCs with IE/firefox/chrome -
>> plus various mobile devices.
>>
>> I've tried getting rid of ntlm and just using negotiate kerberos and
>> ldap for basic, is that all I need?
>>
>
> I believe that's at least very close to the solution. The getting rid of
> NTLM is something that needs to happen at the client end though, so IE does
> not attempt to use it over Negotiate scheme.
>
>
>> On the non-domain joined PCs, if I disable 'Enable Integrated Windows
>> Authentication', they now correctly use basic ldap.
>>
>
> And that's the way to do it IIRC. Someone more familiar may know a better
> way.
>
>
>> My config now looks like..
>>
>> ### negotiate kerberos and ntlm authentication
>> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive off
>>
>> ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
>> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
>> auth_param basic children 10
>> auth_param basic realm Internet Proxy
>> auth_param basic credentialsttl 30 minutes
>>
>> ### ldap authorisation
>> external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))" -h dc1.domain.local
>>
>> Does that look ok?
>>
>
> Looks reasonable for a small installation. If you have a medium to large
> network you may find Squid mentioning queue issues and requesting more
> helper children be configured. Simply increasing the numbers there should
> resolve that.
>
> Amos
Re: [squid-users] NTLM Authentication Failing
On 2015-10-21 15:38, Ilias Clifton wrote:
>> On 20/10/2015 4:04 p.m., Ilias Clifton wrote:
>>> Hi All,
>>> I've been following the guide at this location for Active Directory integration
>>> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
>>>
>>> First, some versions for sanity..
>>> Ubuntu : 14.04.3 LTS
>>> Squid : 3.3.8 (from ubuntu repositories)
>>> Samba : 4.1.6-Ubuntu
>>> DC : Windows Server 2012 R2
>>>
>>> I am currently testing the authentication, negotiate kerberos and basic ldap are
>>> both working correctly. However ntlm is not and I don't seem to be making any
>>> progress on debugging further.
>>
>> Date: Tue, 20 Oct 2015 18:06:17 +1300
>> From: Amos Jeffries
>>
>> Your version of Squid has big problems with (4) and some with (2), and
>> your DC server version has big problems with (1) and (3).
>>
>> Amos
>
> Hi Amos,
>
> Thank you for your detailed answer.
>
> So what is the best way to authenticate users in a mixed environment?
> I've got Windows domain PCs with IE/firefox/chrome. Linux PCs with
> Firefox/chrome. Windows non-domain joined PCs with IE/firefox/chrome -
> plus various mobile devices.
>
> I've tried getting rid of ntlm and just using negotiate kerberos and
> ldap for basic, is that all I need?

I believe that's at least very close to the solution. The getting rid of
NTLM is something that needs to happen at the client end though, so IE does
not attempt to use it over Negotiate scheme.

> On the non-domain joined PCs, if I disable 'Enable Integrated Windows
> Authentication', they now correctly use basic ldap.

And that's the way to do it IIRC. Someone more familiar may know a better
way.

> My config now looks like..
>
> ### negotiate kerberos and ntlm authentication
> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 10
> auth_param negotiate keep_alive off
>
> ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
> auth_param basic children 10
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 30 minutes
>
> ### ldap authorisation
> external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))" -h dc1.domain.local
>
> Does that look ok?

Looks reasonable for a small installation. If you have a medium to large
network you may find Squid mentioning queue issues and requesting more
helper children be configured. Simply increasing the numbers there should
resolve that.

Amos
[squid-users] NTLM Authentication Failing
Sorry, re-post in plain-text..

Hi All,
I've been following the guide at this location for Active Directory integration
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy

First, some versions for sanity..
Ubuntu : 14.04.3 LTS
Squid : 3.3.8 (from ubuntu repositories)
Samba : 4.1.6-Ubuntu
DC : Windows Server 2012 R2

I am currently testing the authentication, negotiate kerberos and basic ldap are
both working correctly. However ntlm is not and I don't seem to be making any
progress on debugging further.

Here is the relevant part of squid.conf

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN
auth_param ntlm children 10
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 30 minutes

### ldap authorisation
external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))" -h dc1.domain.local

With kerberos and ldap working correctly, this seems to cover all my users,
except for non-domain joined internet explorer, which unfortunately I still
need to cater for.

For testing I have allowed the proxy user to login. The following commands
work successfully as proxy user

wbinfo -p
wbinfo -u
wbinfo -g

wbinfo -t does not run successfully as proxy user, but does run as root.

testing ntlm_auth at the command line works correctly.

ntlm_auth --helper-protocol=squid-2.5-basic DOMAIN\user password
OK

When a non-domain joined user with internet explorer attempts to use the
proxy, they are continually prompted for credentials. In /var/log/cache.log,
I see:

2015/10/20 12:33:19| negotiate_wrapper: Got 'YR TlRMTVNTUAABl4II4gAGA4AlDw==' from squid (length: 59).
2015/10/20 12:33:19| negotiate_wrapper: Decode 'TlRMTVNTUAABl4II4gAGA4AlDw==' (decoded length: 40).
2015/10/20 12:33:19| negotiate_wrapper: received type 1 NTLM token
2015/10/20 12:33:19| negotiate_wrapper: Return 'TT TlRMTVNTUAACEAAQADgVgoninreK53QrtdEAADgAOABIBgEAAA9JAE4AUwBFAEMAVQBSAEUAAgAQAEkATgBTAEUAQwBVAFIARQABAAoAUABSAE8AWABZAAQDAAoAcAByAG8AeAB5AAA= '
2015/10/20 12:33:19| negotiate_wrapper: Got 'KK TlRMTVNTUAADGAAYAHQAAADYANgAjBAAEABYCAAIAGgEAAQAcBAAEABkAQAAFYKI4gYDgCUP4J12bZve1C56VHP1YUJ5N2kAbgBzAGUAYwB1AHIAZQBiAHIAYQBkAEkATwAI1+mUr3xj8iMVIytXIZcbAQEAAADgQryt3wrRAStLKXVkL/kDAAIAEABJAE4AUwBFAEMAVQBSAEUAAQAKAFAAUgBPAFgAWQAEAwAKAHAAcgBvAHgAeQAIADAAMAABABAAALfe6ZoORXwOZjR0QdSusCHwlNUGYo79byijLZDZARCDCgAQAAAJACQASABUAFQAUAAvADEANwAyAC4AMgA4AC4AMgA5AC4AMQA0ADcAAACEC4x7NJBCdMLgU3gJ6QTq' from squid (length: 499).
2015/10/20 12:33:19| negotiate_wrapper: Decode 'TlRMTVNTUAADGAAYAHQAAADYANgAjBAAEABYCAAIAGgEAAQAcBAAEABkAQAAFYKI4gYDgCUP4J12bZve1C56VHP1YUJ5N2kAbgBzAGUAYwB1AHIAZQBiAHIAYQBkAEkATwAI1+mUr3xj8iMVIytXIZcbAQEAAADgQryt3wrRAStLKXVkL/kDAAIAEABJAE4AUwBFAEMAVQBSAEUAAQAKAFAAUgBPAFgAWQAEAwAKAHAAcgBvAHgAeQAIADAAMAABABAAALfe6ZoORXwOZjR0QdSusCHwlNUGYo79byijLZDZARCDCgAQAAAJACQASABUAFQAUAAvADEANwAyAC4AMgA4AC4AMgA5AC4AMQA0ADcAAACEC4x7NJBCdMLgU3gJ6QTq' (decoded length: 372).
2015/10/20 12:33:19| negotiate_wrapper: received type 3 NTLM token
2015/10/20 12:33:19| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL '
2015/10/20 12:33:19| ERROR: Negotiate Authentication validating user. Error returned 'BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL'

Can anyone give me any pointers on what I am doing incorrectly?

Thank you.

Ilias
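When reading a negotiate_wrapper or ntlm_auth trace like the one in the post above, it helps to decode the base64 after YR/KK/TT into the NTLMSSP message fields (type, negotiate flags, and for the type 3 token the domain, user, workstation and whether the NT response is NTLMv1 or NTLMv2). The decoder below is an added example, not code from the thread, Squid or Samba; the function names are mine, and because the tokens quoted in the post are shorter than the lengths the log reports, it tests itself on a constructed type 1 token and on type 3 tokens it builds itself.

```python
import base64
import struct

NTLM_FLAGS = {  # MS-NLMP NegotiateFlags worth reading off a helper trace
    0x1: "UNICODE", 0x4: "REQUEST_TARGET", 0x80: "LM_KEY", 0x200: "NTLM",
    0x80000: "EXTENDED_SESSIONSECURITY", 0x800000: "TARGET_INFO", 0x2000000: "VERSION",
}

SAMPLE_NEGOTIATE = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAA="  # constructed type 1: flags 0xe2088297, empty domain/workstation

def _field(buf, off):  # bytes described by the (Len, MaxLen, Offset) field at off
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return bytes(buf[offset:offset + length])

def _text(buf, off, flags):  # string field: UTF-16LE if UNICODE flag set, else OEM/ASCII
    return _field(buf, off).decode("utf-16-le" if flags & 1 else "ascii")

def parse_ntlmssp(token_b64):
    """Decode the base64 token that follows YR/KK/TT in a negotiate_wrapper or ntlm_auth trace."""
    buf = base64.b64decode(token_b64)
    if buf[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    info = {"type": msg_type}
    if msg_type == 1:            # NEGOTIATE: NegotiateFlags at offset 12
        flags = struct.unpack_from("<I", buf, 12)[0]
    elif msg_type == 2:          # CHALLENGE: TargetName field at 12, flags at 20
        flags = struct.unpack_from("<I", buf, 20)[0]
        info["target"] = _text(buf, 12, flags)
    elif msg_type == 3:          # AUTHENTICATE: string fields at 28/36/44, flags at 60
        flags = struct.unpack_from("<I", buf, 60)[0]
        info["domain"] = _text(buf, 28, flags)
        info["user"] = _text(buf, 36, flags)
        info["workstation"] = _text(buf, 44, flags)
        info["ntlm_version"] = 1 if len(_field(buf, 20)) == 24 else 2  # 24-byte NT response = NTLMv1 (DES, LM-era)
    else:
        raise ValueError(f"unknown NTLMSSP message type {msg_type}")
    info["flags"] = [name for bit, name in NTLM_FLAGS.items() if flags & bit]
    return info

def build_authenticate(domain, user, workstation, nt_response, flags=0x88205):
    """Minimal UNICODE AUTHENTICATE_MESSAGE for testing (constructed; no MIC, empty LM response/key)."""
    blobs = [b"\x00" * 24, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    fields, payload = b"", b""
    for blob in blobs:           # fixed header is 64 bytes; the payload follows it
        fields += struct.pack("<HHI", len(blob), len(blob), 64 + len(payload))
        payload += blob
    msg = b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload
    return base64.b64encode(msg).decode()
```

A KK token whose NT response decodes to 24 bytes is the NTLMv1/LM-era exchange Amos warns about, which is worth flagging in any proxy that still accepts the ntlm scheme.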