RE: [squid-users] NTLM Domain Membership Issue

2003-07-31 Thread Serassio Guido
Hi Jay,

At 03.38 31/07/2003, Jay Turner wrote:

> Hi Guido,
>
> I don't think this is the problem.
>
> Preliminary testing is pointing to incorrect security policies being
> deployed to the client workstations with LAN Authentication set to NTLM
> Responses only rather than LM & NTLM Responses.

Right, I think that this should be the problem:
There is a problem in the Squid NTLM/LM support, see Bugzilla #610.
Henrik: I think that this should be fixed before STABLE 4, there were already
many reports about similar problems using Windows XP and 2003.

Regards



-

Guido Serassio
Acme Consulting S.r.l.
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426  Fax. : +39.011.3293665
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
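
Added example, not part of the original thread and not Squid or Samba code: a small diagnostic that decodes the NTLMSSP type 3 message a client sends in its Proxy-Authorization header and reports whether it carries LM and NTLM responses or NTLM only, which is the client policy difference discussed above. The function names and sample bytes are constructed for illustration; the field offsets follow the published NTLMSSP message layout, and the classification rules are heuristics based on it.

```python
import base64
import struct

def _field(msg, pos):
    # NTLMSSP security buffer: length (2), max length (2), offset (4), little-endian.
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]

def classify_type3(header_value):
    """Classify the responses carried in an 'NTLM <base64>' header value."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(blob)
    if len(msg) < 28 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not a type 3 (authenticate) message")
    lm, nt = _field(msg, 12), _field(msg, 20)  # LM field, then NT field
    if len(nt) > 24:
        return "NTLMv2 response"
    if len(nt) != 24:
        return "no NTLM response"
    if len(lm) == 24 and lm[8:] == b"\x00" * 16:
        return "NTLM2 session response, no LM response"
    if not lm or lm == nt:
        return "NTLM response only"
    return "LM and NTLM responses"

def build_type3(lm, nt):
    """Constructed sample: a minimal type 3 message holding only the two responses."""
    fields, payload, offset = b"", b"", 64  # 64-byte fixed header
    for data in (lm, nt, b"", b"", b"", b""):  # LM, NT, domain, user, host, key
        fields += struct.pack("<HHI", len(data), len(data), offset)
        payload += data
        offset += len(data)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + struct.pack("<I", 0) + payload
    return "NTLM " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    nt = bytes(range(24))  # constructed placeholder bytes, not real hashes
    for lm in (bytes(range(24, 48)), nt, b"\x11" * 8 + b"\x00" * 16):
        print(classify_type3(build_type3(lm, nt)))
```

Feeding it the header value captured from a failing client and from a working one shows directly whether the two machines are sending different response types.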


RE: [squid-users] NTLM Domain Membership Issue

2003-07-30 Thread Jay Turner
Hi Guido,

I don't think this is the problem.

Preliminary testing is pointing to incorrect security policies being
deployed to the client workstations with LAN Authentication set to NTLM
Responses only rather than LM & NTLM Responses.

I am still proving this in the development environment and scheduled to go
back out onsite tomorrow to test if this resolves the issue in the
production environment.

I'll inform the list of my results.

Thanks
Jay

 -Original Message-
 From: Serassio Guido [mailto:[EMAIL PROTECTED]
 Sent: Thursday, 31 July 2003 3:53 AM
 To: [EMAIL PROTECTED]; Serassio Guido
 Cc: [EMAIL PROTECTED]
 Subject: RE: [squid-users] NTLM  Domain Membership Issue


 Hi Jay,

 Sorry for the delayed response, but now I'm very busy.

 At 07.16 27/07/2003, Jay Turner wrote:



   -Original Message-
   From: Serassio Guido [mailto:[EMAIL PROTECTED]
   Sent: Saturday, 26 July 2003 3:20 PM
   To: [EMAIL PROTECTED]
   Cc: [EMAIL PROTECTED]
   Subject: Re: [squid-users] NTLM  Domain Membership Issue
  
  
   Hi,
  
   At 08.05 26/07/2003, Jay Turner wrote:
  
   Hi All,
   
   I am experiencing an unusual problem with NTLM and Domain
 Membership..
   
   Environment:
   Red Hat 7.3
   Squid2.5-STABLE2
   Samba 2.2.7-3.7.3 (Red Hat)
   Windows 2000 AD server (Native Mode with Pre-2000 compatibility)
   WinXP SP1, IE6 SP1 + all current patches applied
   
   Background:
   I have deployed Squid and NTLM a number of times now so I
 have a bit of
   experience installing & trouble shooting it.
   Winbindd is working correctly from the command line with
 wbinfo -t, -u,
   -g, -r and -a all performing correctly.
   wb_auth from the command line also works correctly and so
 does wb_group
   So from what I can see Winbindd is working fine.
   
   If I have a client computer (Win2000 or WinXP) that is on the
 network, but
   not a member of the domain and I access the
   proxy, I receive an authentication window. This is correct
 as NTLM will
   fail as it is not a member of the domain and fall
   back to Basic. I can enter a valid username/password/domain and then
   access the proxy correctly. Cache and access.log all report
 the correct
   behaviour as I expect.
   
   As soon as I add this client computer to become a member of
 the domain,
   everything stops working.
   NTLM authentication does not work, and neither does Basic
   authentication.
   The browser sits there for a second then displays
   the standard IE 'Page cannot be found'.
   
   I have increased debugging on Authentication in squid.conf and run
   winbindd in debug mode (winbindd -i -d 3) to try and establish the
   problem. When a client on the domain requests a page
 cache.log reports
   authenticateValidateUser: Validating Auth_user request '0x8413238'
   authenticateValidateUser: Validated Auth_user request '0x8413238'
   User not fully authenticated
   
   But nothing is being recorded by Winbindd (as opposed to
 when it works).
   
   This message could hold the key, but I'm not entirely sure where
   I should
   look next for this.
   
   
   
   I have reams of log files with debugging turned right up which I
   can post
   specific sections of if required, but I'm not going to post
 all of them
   now for people to wade through.
   
   I commented out wb_ntlmauth in squid.conf and tried using just
   wb_auth to
   see if I could get the basic auth to work and that did the
 same thing..
   
   The interesting thing is that I brought this server back to my
   office and
   changed its IP address and made it a member of our Windows NT4
   domain and
   then using the same Win XP client from the other network
 (it's a laptop)
   it works perfectly!!
   
   This leads me to believe that there must be something in the way
   their AD
   is setup that might be causing this problem??
   
   Any advice will be greatly appreciated.
  
   Some tips:
  
   - Have you restarted Squid after disabling NTLM authentication?
   - an AD replication problem? Samba should always use the DC that acts as
   PDC emulator
   - some strange behaviour of DNS caching
  
   Hoping to help you
  
   Regards
  
   Guido
 
 Hi Guido,
 
 1)I don't specifically remember restarting Squid, but I would have
 definitely issued a 'squid -k reconfigure'.
 Is it necessary when dealing with winbind to actually issue
 'service squid
 restart'?

 If I'm not wrong, when the authentication schema are changed,
 squid should
 be restarted.

 2)I'm not a Windows 2000 admin (which makes this harder) so while I
 understand what you are saying, I'm not sure how
   it might affect me and this install. I believe there is only
 one AD server
 that authenticates user logins in this network
   but I will follow that up
 
 3) It's funny you mention DNS caching because I did notice some
 strange DNS
 behaviour onsite.

 It's not so funny, AD domains are DNS based and Microsoft DNS
 sometimes is
 very strange 

 While trying to isolate the problem I noticed by using

[squid-users] NTLM Domain Membership Issue

2003-07-26 Thread Jay Turner
Hi All,

I am experiencing an unusual problem with NTLM and Domain Membership..

Environment:
Red Hat 7.3
Squid2.5-STABLE2
Samba 2.2.7-3.7.3 (Red Hat)
Windows 2000 AD server (Native Mode with Pre-2000 compatibility)
WinXP SP1, IE6 SP1 + all current patches applied

Background:
I have deployed Squid and NTLM a number of times now so I have a bit of experience 
installing & trouble shooting it.
Winbindd is working correctly from the command line with wbinfo -t, -u, -g, -r and -a 
all performing correctly.
wb_auth from the command line also works correctly and so does wb_group
So from what I can see Winbindd is working fine.

If I have a client computer (Win2000 or WinXP) that is on the network, but not a member 
of the domain and I access the 
proxy, I receive an authentication window. This is correct as NTLM will fail as it is 
not a member of the domain and fall
back to Basic. I can enter a valid username/password/domain and then access the proxy 
correctly. Cache and access.log all report the correct behaviour as I expect.

As soon as I add this client computer to become a member of the domain, everything 
stops working.
NTLM authentication does not work, and neither does Basic authentication. The browser 
sits there for a second then displays
the standard IE 'Page cannot be found'.

I have increased debugging on Authentication in squid.conf and run winbindd in debug 
mode (winbindd -i -d 3) to try and establish the problem. When a client on the domain 
requests a page cache.log reports 
authenticateValidateUser: Validating Auth_user request '0x8413238'
authenticateValidateUser: Validated Auth_user request '0x8413238'
User not fully authenticated

But nothing is being recorded by Winbindd (as opposed to when it works).

This message could hold the key, but I'm not entirely sure where I should look next 
for this.



I have reams of log files with debugging turned right up which I can post specific 
sections of if required, but I'm not going to post all of them now for people to wade 
through.

I commented out wb_ntlmauth in squid.conf and tried using just wb_auth to see if I 
could get the basic auth to work and that did the same thing..

The interesting thing is that I brought this server back to my office and changed its 
IP address and made it a member of our Windows NT4 domain and then using the same Win 
XP client from the other network (it's a laptop) it works perfectly!!

This leads me to believe that there must be something in the way their AD is setup 
that might be causing this problem??

Any advice will be greatly appreciated.

Thanks

Regards
Jay





Re: [squid-users] NTLM Domain Membership Issue

2003-07-26 Thread Serassio Guido
Hi,

At 08.05 26/07/2003, Jay Turner wrote:

> Hi All,
>
> I am experiencing an unusual problem with NTLM and Domain Membership..
>
> Environment:
> Red Hat 7.3
> Squid2.5-STABLE2
> Samba 2.2.7-3.7.3 (Red Hat)
> Windows 2000 AD server (Native Mode with Pre-2000 compatibility)
> WinXP SP1, IE6 SP1 + all current patches applied
>
> Background:
> I have deployed Squid and NTLM a number of times now so I have a bit of
> experience installing & trouble shooting it.
> Winbindd is working correctly from the command line with wbinfo -t, -u,
> -g, -r and -a all performing correctly.
> wb_auth from the command line also works correctly and so does wb_group
> So from what I can see Winbindd is working fine.
>
> If I have a client computer (Win2000 or WinXP) that is on the network, but
> not a member of the domain and I access the
> proxy, I receive an authentication window. This is correct as NTLM will
> fail as it is not a member of the domain and fall
> back to Basic. I can enter a valid username/password/domain and then
> access the proxy correctly. Cache and access.log all report the correct
> behaviour as I expect.
>
> As soon as I add this client computer to become a member of the domain,
> everything stops working.
> NTLM authentication does not work, and neither does Basic authentication.
> The browser sits there for a second then displays
> the standard IE 'Page cannot be found'.
>
> I have increased debugging on Authentication in squid.conf and run
> winbindd in debug mode (winbindd -i -d 3) to try and establish the
> problem. When a client on the domain requests a page cache.log reports
> authenticateValidateUser: Validating Auth_user request '0x8413238'
> authenticateValidateUser: Validated Auth_user request '0x8413238'
> User not fully authenticated
>
> But nothing is being recorded by Winbindd (as opposed to when it works).
>
> This message could hold the key, but I'm not entirely sure where I should
> look next for this.
>
> I have reams of log files with debugging turned right up which I can post
> specific sections of if required, but I'm not going to post all of them
> now for people to wade through.
>
> I commented out wb_ntlmauth in squid.conf and tried using just wb_auth to
> see if I could get the basic auth to work and that did the same thing..
>
> The interesting thing is that I brought this server back to my office and
> changed its IP address and made it a member of our Windows NT4 domain and
> then using the same Win XP client from the other network (it's a laptop)
> it works perfectly!!
>
> This leads me to believe that there must be something in the way their AD
> is setup that might be causing this problem??
>
> Any advice will be greatly appreciated.

Some tips:

- Have you restarted Squid after disabling NTLM authentication?
- an AD replication problem? Samba should always use the DC that acts as
PDC emulator
- some strange behaviour of DNS caching

Hoping to help you

Regards

Guido

> Thanks
>
> Regards
> Jay


-

Guido Serassio
Acme Consulting S.r.l.
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426  Fax. : +39.011.3293665
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/