Re: [squid-users] NTLM Authentication Failing

2015-10-22 Thread Amos Jeffries
On 22/10/2015 10:33 a.m., Alex Samad wrote:
> Would it be fair to say best practice is to get Kerberos working in favour
> of NTLM?

Best Practice is not to have NTLM at all. In the same way that it's best
practice not to use 8-bit (1 letter) passwords.


NTLM was formally deprecated in 2006 by MS. Kerberos was added in 1998.
You should not be using NTLM at all by now unless you are running
software that has not been updated since before 2001 and still requires
NTLM as its only possible authentication scheme.

I'm really not joking when I write that Basic auth is more secure than
NTLM. The simple fact that everyone is aware of the weakness in Basic
auth credentials means a lot of extra protection has gone into keeping
them secure and safe. NTLM can trivially be auto-downgraded to LanMan
which is just as insecure - but still treated widely as if it were a
magically "secure and unbreakable" auth even though its crypto was
obsolete almost 20 years ago.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] NTLM Authentication Failing

2015-10-21 Thread Alex Samad
Would it be fair to say best practice is to get Kerberos working in favour
of NTLM?
On 21/10/2015 3:18 PM, "Amos Jeffries"  wrote:

> On 2015-10-21 15:38, Ilias Clifton wrote:
>
>>
>>> On 20/10/2015 4:04 p.m., Ilias Clifton wrote:
>>> > Hi All,
>>> > I've been following the guide at this location for Active Directory
>>> integration
>>> >
>>> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
>>> >
>>> > First, some versions for sanity..
>>> > Ubuntu : 14.04.3 LTS
>>> > Squid : 3.3.8 (from ubuntu repositories)
>>> > Samba : 4.1.6-Ubuntu
>>> > DC : Windows Server 2012 R2
>>> >
>>> > I am currently testing the authentication, negotiate kerberos and
>>> basic ldap are
>>> > both working correctly. However ntlm is not and I don't seem to be making
>>> any
>>> > progress on debugging further.
>>>
>>> Date: Tue, 20 Oct 2015 18:06:17 +1300
>>> From: Amos Jeffries 
>>>
>>>
>>>
>>> Your version of Squid has big problems with (4) and some with (2), and
>>> your DC server version has big problems with (1) and (3).
>>>
>>>
>>> Amos
>>>
>>>
>>>
>>>
>> Hi Amos,
>>
>> Thank you for your detailed answer.
>>
>> So what is the best way to authenticate users in a mixed environment?
>> I've got Windows domain PCs with IE/firefox/chrome. Linux PCs with
>> Firefox/chrome. Windows non-domain joined PCs with IE/firefox/chrome -
>> plus various mobile devices.
>>
>> I've tried getting rid of ntlm and just using negotiate kerberos and
>> ldap for basic, is that all I need?
>>
>
> I believe that's at least very close to the solution. The getting rid of
> NTLM is something that needs to happen at the client end though, so IE does
> not attempt to use it over Negotiate scheme.
>
>
>
>> On the non-domain joined PCs, if I disable 'Enable Integrated Windows
>> Authentication', they now correctly use basic ldap.
>>
>
> And that's the way to do it IIRC. Someone more familiar may know a better
> way.
>
>
>
>> My config now looks like..
>>
>> ### negotiate kerberos and ntlm authentication
>> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth
>> -d -s GSS_C_NO_NAME
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive off
>>
>> ### provide basic authentication via ldap for clients not
>> authenticated via kerberos/ntlm
>> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b
>> "DC=domain,DC=local" -D proxyuser@domain.local -W
>> /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
>> auth_param basic children 10
>> auth_param basic realm Internet Proxy
>> auth_param basic credentialsttl 30 minutes
>>
>> ### ldap authorisation
>> external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl
>> -R -K -S -b "DC=domain,DC=local" -D proxyuser@domain.local -W
>> /etc/squid3/ldappass.txt -f
>>
>> "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))"
>> -h dc1.domain.local
>>
>> Does that look ok?
>>
>
> Looks reasonable for a small installation. If you have a medium to large
> network you may find Squid mentioning queue issues and requesting more
> helper children be configured. Simply increasing the numbers there should
> resolve that.
>
> Amos
>


Re: [squid-users] NTLM Authentication Failing

2015-10-20 Thread Amos Jeffries

On 2015-10-21 15:38, Ilias Clifton wrote:


On 20/10/2015 4:04 p.m., Ilias Clifton wrote:
> Hi All,
> I've been following the guide at this location for Active Directory 
integration
> 
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
>
> First, some versions for sanity..
> Ubuntu : 14.04.3 LTS
> Squid : 3.3.8 (from ubuntu repositories)
> Samba : 4.1.6-Ubuntu
> DC : Windows Server 2012 R2
>
> I am currently testing the authentication, negotiate kerberos and basic ldap 
are
> both working correctly. However ntlm is not and I don't seem to be making any
> progress on debugging further.

Date: Tue, 20 Oct 2015 18:06:17 +1300
From: Amos Jeffries 



Your version of Squid has big problems with (4) and some with (2), and
your DC server version has big problems with (1) and (3).


Amos





Hi Amos,

Thank you for your detailed answer.

So what is the best way to authenticate users in a mixed environment?
I've got Windows domain PCs with IE/firefox/chrome. Linux PCs with
Firefox/chrome. Windows non-domain joined PCs with IE/firefox/chrome -
plus various mobile devices.

I've tried getting rid of ntlm and just using negotiate kerberos and
ldap for basic, is that all I need?


I believe that's at least very close to the solution. The getting rid of 
NTLM is something that needs to happen at the client end though, so IE 
does not attempt to use it over Negotiate scheme.





On the non-domain joined PCs, if I disable 'Enable Integrated Windows
Authentication', they now correctly use basic ldap.


And that's the way to do it IIRC. Someone more familiar may know a better 
way.





My config now looks like..

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth
-d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

### provide basic authentication via ldap for clients not
authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b
"DC=domain,DC=local" -D proxyuser@domain.local -W
/etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 30 minutes

### ldap authorisation
external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl
-R -K -S -b "DC=domain,DC=local" -D proxyuser@domain.local -W
/etc/squid3/ldappass.txt -f
"(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))"
-h dc1.domain.local

Does that look ok?


Looks reasonable for a small installation. If you have a medium to large 
network you may find Squid mentioning queue issues and requesting more 
helper children be configured. Simply increasing the numbers there 
should resolve that.


Amos


[squid-users] NTLM Authentication Failing

2015-10-19 Thread Ilias Clifton
Sorry, re-post in plain-text..

Hi All,

I've been following the guide at this location for Active Directory integration
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
 
First, some versions for sanity..
Ubuntu : 14.04.3 LTS
Squid  : 3.3.8 (from ubuntu repositories)
Samba  : 4.1.6-Ubuntu
DC : Windows Server 2012 R2
 
I am currently testing the authentication, negotiate kerberos and basic ldap 
are both working correctly. However ntlm is not and I don't seem to be making any 
progress on debugging further.
 
Here is the relevant part of squid.conf
 
### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d --ntlm 
/usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp 
--domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s 
GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off
### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics 
--helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN
auth_param ntlm children 10
auth_param ntlm keep_alive off
### provide basic authentication via ldap for clients not authenticated via 
kerberos/ntlm
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b 
"DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f 
sAMAccountName=%s -h dc1.domain.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 30 minutes
### ldap authorisation
external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S 
-b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt 
-f 
"(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))"
 -h dc1.domain.local
 

With kerberos and ldap working correctly, this seems to cover all my users, 
except for non-domain joined internet explorer, which unfortunately I still 
need to cater for.
For testing I have allowed the proxy user to login.
 
The following commands work successfully as proxy user
 
wbinfo -p
wbinfo -u
wbinfo -g
 
wbinfo -t does not run successfully as proxy user, but does run as root.
 
Testing ntlm_auth at the command line works correctly.
 
ntlm_auth --helper-protocol=squid-2.5-basic
DOMAIN\user password
OK

When a non-domain joined user with internet explorer attempts to use the proxy, 
they are continually prompted for credentials. In /var/log/cache.log, I see:
 
2015/10/20 12:33:19| negotiate_wrapper: Got 'YR 
TlRMTVNTUAABl4II4gAGA4AlDw==' from squid (length: 
59).
2015/10/20 12:33:19| negotiate_wrapper: Decode 
'TlRMTVNTUAABl4II4gAGA4AlDw==' (decoded length: 40).
2015/10/20 12:33:19| negotiate_wrapper: received type 1 NTLM token
2015/10/20 12:33:19| negotiate_wrapper: Return 'TT 
TlRMTVNTUAACEAAQADgVgoninreK53QrtdEAADgAOABIBgEAAA9JAE4AUwBFAEMAVQBSAEUAAgAQAEkATgBTAEUAQwBVAFIARQABAAoAUABSAE8AWABZAAQDAAoAcAByAG8AeAB5AAA=
'
2015/10/20 12:33:19| negotiate_wrapper: Got 'KK 
TlRMTVNTUAADGAAYAHQAAADYANgAjBAAEABYCAAIAGgEAAQAcBAAEABkAQAAFYKI4gYDgCUP4J12bZve1C56VHP1YUJ5N2kAbgBzAGUAYwB1AHIAZQBiAHIAYQBkAEkATwAI1+mUr3xj8iMVIytXIZcbAQEAAADgQryt3wrRAStLKXVkL/kDAAIAEABJAE4AUwBFAEMAVQBSAEUAAQAKAFAAUgBPAFgAWQAEAwAKAHAAcgBvAHgAeQAIADAAMAABABAAALfe6ZoORXwOZjR0QdSusCHwlNUGYo79byijLZDZARCDCgAQAAAJACQASABUAFQAUAAvADEANwAyAC4AMgA4AC4AMgA5AC4AMQA0ADcAAACEC4x7NJBCdMLgU3gJ6QTq'
 from squid (length: 499).
2015/10/20 12:33:19| negotiate_wrapper: Decode 
'TlRMTVNTUAADGAAYAHQAAADYANgAjBAAEABYCAAIAGgEAAQAcBAAEABkAQAAFYKI4gYDgCUP4J12bZve1C56VHP1YUJ5N2kAbgBzAGUAYwB1AHIAZQBiAHIAYQBkAEkATwAI1+mUr3xj8iMVIytXIZcbAQEAAADgQryt3wrRAStLKXVkL/kDAAIAEABJAE4AUwBFAEMAVQBSAEUAAQAKAFAAUgBPAFgAWQAEAwAKAHAAcgBvAHgAeQAIADAAMAABABAAALfe6ZoORXwOZjR0QdSusCHwlNUGYo79byijLZDZARCDCgAQAAAJACQASABUAFQAUAAvADEANwAyAC4AMgA4AC4AMgA5AC4AMQA0ADcAAACEC4x7NJBCdMLgU3gJ6QTq'
 (decoded length: 372).
2015/10/20 12:33:19| negotiate_wrapper: received type 3 NTLM token
2015/10/20 12:33:19| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL 
NT_STATUS_UNSUCCESSFUL
'
2015/10/20 12:33:19| ERROR: Negotiate Authentication validating user. Error 
returned 'BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL'
 
 
 
 
Can anyone give me any pointers on what I am doing incorrectly?
 
Thank you.
 
Ilias
 
 
 
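The cache.log excerpt above shows negotiate_wrapper receiving raw NTLMSSP tokens ("received type 1 NTLM token", then a type 3) inside the Negotiate scheme, which is exactly the client-side NTLM fallback Amos says has to be switched off on the client rather than in Squid. The script below is an added example, not code from this thread, from Squid or from Samba. It classifies the base64 tokens that negotiate_wrapper logs: GSS-API/SPNEGO (the Kerberos path) versus NTLMSSP, the NTLM message type and negotiate flags, and for a type 3 message the domain and user name the client supplied and whether the NtChallengeResponse is the 24-byte NTLMv1 form or the longer NTLMv2 form. Field layouts follow MS-NLMP and RFC 2743. The tokens in the quoted log have been mangled by the list archive (their base64 is shorter than the logged decoded length), so the sample log lines are constructed from tokens the script builds itself; the user "alice", the domains "DOMAIN" and "WORKGROUP", the zero-filled response bytes and the truncated SPNEGO header are placeholders, and the flag word 0xE2088297 is the same flag bytes (97 82 08 e2) that are still visible in the quoted type 1 token.

```python
"""Classify the Negotiate tokens Squid's negotiate_wrapper logs (added example, not
code from this thread, Squid or Samba; layouts per MS-NLMP and RFC 2743)."""
import base64
import re
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # DER OID 1.3.6.1.5.5.2
KERBEROS_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2
NTLM_FLAGS = {  # subset of NTLMSSP NegotiateFlags, MS-NLMP 2.2.2.5
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000080: "LM_KEY",
    0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x00800000: "TARGET_INFO",
    0x02000000: "VERSION", 0x20000000: "128", 0x40000000: "KEY_EXCH", 0x80000000: "56",
}

def flag_names(flags):
    return [name for bit, name in sorted(NTLM_FLAGS.items()) if flags & bit]

def _field(buf, off):
    """Payload of an NTLMSSP (Len, MaxLen, BufferOffset) field descriptor."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]

def _text(blob, flags):
    return blob.decode("utf-16-le" if flags & 0x1 else "latin-1", "replace")

def classify_bytes(tok):
    """Describe one decoded token from a Proxy-Authorization: Negotiate header."""
    if tok.startswith(NTLMSSP_SIGNATURE):
        msg_type = struct.unpack_from("<I", tok, 8)[0]
        info = {"mechanism": "NTLMSSP", "type": msg_type}
        if msg_type == 1:    # NEGOTIATE: flags at offset 12
            info["flags"] = flag_names(struct.unpack_from("<I", tok, 12)[0])
        elif msg_type == 2:  # CHALLENGE: TargetName field at 12, flags at 20
            flags = struct.unpack_from("<I", tok, 20)[0]
            info["flags"] = flag_names(flags)
            info["target"] = _text(_field(tok, 12), flags)
        elif msg_type == 3:  # AUTHENTICATE: Nt/Domain/User fields at 20/28/36, flags at 60
            flags = struct.unpack_from("<I", tok, 60)[0]
            info["domain"] = _text(_field(tok, 28), flags)
            info["user"] = _text(_field(tok, 36), flags)
            # MS-NLMP 2.2.2.6/2.2.2.8: an NTLMv1 NtChallengeResponse is exactly 24
            # bytes; the NTLMv2 form carries a longer client-challenge blob.
            info["response"] = "NTLMv1" if len(_field(tok, 20)) == 24 else "NTLMv2"
        return info
    if tok[:1] == b"\x60":   # GSS-API InitialContextToken, RFC 2743 3.1
        if SPNEGO_OID in tok[:16]:
            return {"mechanism": "SPNEGO"}
        if KERBEROS_OID in tok[:16]:
            return {"mechanism": "Kerberos"}
        return {"mechanism": "GSSAPI"}
    return {"mechanism": "unknown"}

LOG_RE = re.compile(r"negotiate_wrapper: Got '(?:YR|KK) ([A-Za-z0-9+/=]+)'")

def scan_cache_log(lines):
    """Return [(line_no, classification)] for every helper token found in cache.log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m:
            hits.append((n, classify_bytes(base64.b64decode(m.group(1)))))
    return hits

# Constructed sample data: built here because the archive mangled the thread's tokens.
WINDOWS_NEGOTIATE_FLAGS = 0xE2088297  # the flag bytes (97 82 08 e2) seen in the quoted type 1

def build_negotiate(flags=WINDOWS_NEGOTIATE_FLAGS):
    """40-byte NEGOTIATE_MESSAGE: empty Domain/Workstation fields, zeroed Version block."""
    return (NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags)
            + struct.pack("<HHI", 0, 0, 40) * 2 + bytes(8))

def build_authenticate(user, domain, nt_resp, flags=0xE2088215):
    """AUTHENTICATE_MESSAGE with Unicode strings, a zeroed LM response and no MIC."""
    fields, payload = b"", b""
    for blob in (bytes(24), nt_resp, domain.encode("utf-16-le"),
                 user.encode("utf-16-le"), b"", b""):
        fields += struct.pack("<HHI", len(blob), len(blob), 64 + len(payload))
        payload += blob
    return NTLMSSP_SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload

def _log_line(prefix, token):
    b64 = base64.b64encode(token).decode()
    return "2015/10/20 12:33:19| negotiate_wrapper: Got '%s %s' from squid (length: %d)." % (
        prefix, b64, len(b64) + 3)

SAMPLE_LOG = [  # constructed lines in the cache.log format quoted in the thread
    _log_line("YR", build_negotiate()),
    _log_line("KK", build_authenticate("alice", "DOMAIN", bytes(24))),     # NTLMv1-length
    _log_line("KK", build_authenticate("alice", "WORKGROUP", bytes(80))),  # NTLMv2-length
    _log_line("YR", b"\x60\x08" + SPNEGO_OID),  # leading bytes of an SPNEGO token only
]

for _n, _info in scan_cache_log(SAMPLE_LOG):
    print(_n, _info)
```

Run it against a real cache.log (`scan_cache_log(open("/var/log/squid3/cache.log"))`) with negotiate_wrapper_auth -d enabled and every line reported as NTLMSSP is a client that still falls back to NTLM over Negotiate; the "domain" and "user" fields of the type 3 messages show what a non-domain-joined IE is actually presenting to winbind, which is the first thing to look at when ntlm_auth returns NT_STATUS_UNSUCCESSFUL for those clients only.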
