Validating user via ntlm

By the way, I have come across something strange in the Wireshark logs after using negotiate_wrapper. I have always checked whether my server and client get their tickets from the KDC, and I couldn't figure out the problem, because they both had the tickets.

2012/01/11 | squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
2012/01/11 | squid_kerb_auth: WARNING: received type 1 NTLM token
2012/01/11 | authenticateNegotiateHandleReply: Error validating user via Negotiate.

The problem has been asked and answered many times, both on the squid-users list and on the web; I have read them all and tried to solve the problem. I'm not sure why the client tries to authorize with NTLM instead of Kerberos, and I would really appreciate it if you could explain to me how to inspect the reason and how to fix the problem. (The config files are prepared exactly as in the wiki: Examples/Authenticate/Kerberos.)

tail -f:
2012/01/11 | squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
2012/01/11 | squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).


The main benefit is that Active Directory users are authenticated directly from their current Windows session and therefore no longer have to enter usernames and passwords to access the Internet.

squid.conf
# Do not edit manually !
http_port 192.168.0.80
icp_port 0
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/English
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin at localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
referer_log /var/squid/logs/referer.log
logfile_rotate 0
cache_store_log none
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.0.0/255.255.255.0
uri_whitespace strip
dns_nameservers 2.222
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 100 16 256
minimum_object_size 0 KB
maximum_object_size 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
url_rewrite_program /usr/local/bin/redirector
url_rewrite_children 50
# Setup some default acls
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl safeports port 21 70 80 210 280 443 488 563 591 631 7 3128 1025-65535 5080 81 80 443 21 20
acl sslports port 4 5080 81 80 443 21 20
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin \?
acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
cache deny dynamic
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !sslports
# Always allow localhost connections
http_access allow localhost
request_body_max_size 0 KB
reply_body_max_size 0 deny all
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow all
# Custom options
tcp_outgoing_address 192.168.0.1
auth_param ntlm keep_alive on
# These hosts do not have any restrictions
http_access allow unrestricted_hosts
# Always allow access to whitelist domains
http_access allow whitelist
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 45
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
auth_param basic children 45
auth_param basic realm Please enter your credentials to access the proxy
auth_param basic credentialsttl 600 minutes
acl password proxy_auth REQUIRED
http_access allow unrestricted_hosts
http_access allow password localnet
# Default block all to be sure
http_access deny all

My winbindd_privileged:
drwxr-x---  2 root  proxy  512B Oct  2 winbindd_privileged

Error logs:
[2013/10/01 , 0] utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2013/10/01 | authenticateNTLMHandleReply: Error validating user via NTLM.

krb5.conf:
LOCAL
[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 1
}

Here are some parts of the Wireshark log (if needed, you can get the full log from here: Yu).

client to server;
Hypertext Transfer Protocol
    GET HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET HTTP/1.1\r\n]
        Request Method: GET
        Request URI:
        Request Version: HTTP/1.1
    Host:
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
    Accept-Language: tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
    Accept-Encoding: gzip, deflate\r\n
    Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7\r\n
    Proxy-Connection: keep-alive\r\n

server reply;
Hypertext Transfer Protocol
    HTTP/1.0 407 Proxy Authentication Required\r\n
        [Expert Info (Chat/Sequence): HTTP/1.0 407 Proxy Authentication Required\r\n]
        Request Version: HTTP/1.0
        Status Code: 407
        Response Phrase: Proxy Authentication Required
    Server: squid/3.1.12\r\n
    Mime-Version: 1.0\r\n
    Date: Wed, GMT\r\n
    Content-Type: text/html\r\n
    Content-Length: 1152\r\n
    X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
    Proxy-Authenticate: Negotiate\r\n
    X-Cache: MISS from labris-1\r\n
    X-Cache-Lookup: NONE from labris-28\r\n
    Via: 1.0 labris-1 (squid/3.1.12)\r\n
    Connection: keep-alive\r\n
    \r\n

client tries authentication;
Hypertext Transfer Protocol
    GET HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET HTTP/1.1\r\n]
        Request Method: GET
        Request URI:
        Request Version: HTTP/1.1
    Host:
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
    Accept-Language: tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
    Accept-Encoding: gzip, deflate\r\n
    Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7\r\n
    Proxy-Connection: keep-alive\r\n
    Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==\r\n
    NTLM Secure Service Provider
        NTLMSSP identifier: NTLMSSP
        NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
        Flags: 0xe2088297
        Calling workstation domain: NULL
        Calling workstation name: NULL
        Version 6.1 (Build 7601); NTLM Current Revision 15
            Major Version: 6
            Minor Version: 1
            Build Number: 7601
            NTLM Current Revision: 15

Please see me as a newbie; I'd really appreciate a detailed solution to get Squid working with Kerberos, and an explanation of what may cause the problem.

The easiest solution is to use the negotiate_wrapper Marcus developed last year.
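What the helper actually received can be checked offline, without a KDC or a proxy. The script below is an added example, not code from this thread, from Squid or from negotiate_wrapper. It takes the "YR <token>" line that Squid hands to the negotiate helper (the token from the debug output above, with the stray spaces removed), base64-decodes it, tells NTLMSSP apart from a SPNEGO/GSS-API token by its leading bytes, and parses the NTLM NEGOTIATE_MESSAGE fields the same way the Wireshark dissector displays them (flags 0xe2088297, version 6.1 build 7601). The SPNEGO sample token is constructed here for comparison and is not from the capture: a minimal NegTokenInit whose mechTypes list holds only the Kerberos 5 OID. The flag names follow MS-NLMP; the "YR"/"KK" tags are the squid-2.5-ntlmssp helper protocol.

```python
import base64
import struct

# Constructed from the thread: the "YR <token>" line squid_kerb_auth logged
# ("Got 'YR ...' from squid (length: 59)"), stray spaces in the token removed.
HELPER_LINE = "YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

# Constructed for comparison (not from the capture): a minimal SPNEGO
# NegTokenInit whose mechTypes list contains only Kerberos 5.
SPNEGO_KRB5_INIT = bytes.fromhex(
    "601b" "0606" "2b0601050502"    # [APPLICATION 0] { OID 1.3.6.1.5.5.2 (SPNEGO)
    "a011" "300f" "a00d" "300b"      #   [0] NegTokenInit { mechTypes SEQUENCE {
    "0609" "2a864886f712010202"      #     OID 1.2.840.113554.1.2.2 (Kerberos 5) }}}
)

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("2b0601050502")              # 1.3.6.1.5.5.2
SPNEGO_MECHS = {                                         # DER contents of mechType OIDs
    "krb5": bytes.fromhex("2a864886f712010202"),         # 1.2.840.113554.1.2.2
    "ms-krb5": bytes.fromhex("2a864882f712010202"),      # 1.2.840.48018.1.2.2
    "ntlmssp": bytes.fromhex("2b06010401823702020a"),    # 1.3.6.1.4.1.311.2.2.10
}

# NEGOTIATE flags (MS-NLMP 2.2.2.5); enough bits to read the sample token.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
NEGOTIATE_VERSION = 0x02000000


def token_from_helper_line(line):
    """Strip the helper-protocol tag ('YR' first token, 'KK' follow-ups) and decode."""
    tag, _, b64 = line.strip().partition(" ")
    if tag not in ("YR", "KK"):
        raise ValueError("unexpected helper tag %r" % tag)
    return base64.b64decode(b64)


def parse_ntlm_negotiate(tok):
    """Parse an NTLMSSP NEGOTIATE_MESSAGE (type 1) into the fields Wireshark shows."""
    if not tok.startswith(NTLMSSP_SIGNATURE) or len(tok) < 32:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", tok, 8)
    if msg_type != 1:
        raise ValueError("expected NEGOTIATE_MESSAGE (type 1), got type %d" % msg_type)
    dom_len, _, dom_off = struct.unpack_from("<HHI", tok, 16)   # DomainNameFields
    ws_len, _, ws_off = struct.unpack_from("<HHI", tok, 24)     # WorkstationFields
    info = {
        "type": msg_type,
        "flags": flags,
        "flag_names": [n for bit, n in sorted(NTLM_FLAGS.items()) if flags & bit],
        "domain": tok[dom_off:dom_off + dom_len].decode("latin-1") or None,
        "workstation": tok[ws_off:ws_off + ws_len].decode("latin-1") or None,
    }
    if flags & NEGOTIATE_VERSION and len(tok) >= 40:
        # Version: major, minor, build (LE16), 3 reserved bytes, NTLM revision.
        major, minor, build, _, rev = struct.unpack_from("<BBH3sB", tok, 32)
        info["version"] = (major, minor, build, rev)
    return info


def classify_token(tok):
    """Say what a 'Negotiate' header really carries; the first bytes decide."""
    if tok.startswith(NTLMSSP_SIGNATURE) and len(tok) >= 12:
        msg_type = struct.unpack_from("<I", tok, 8)[0]
        out = {"kind": "NTLMSSP", "type": msg_type}
        if msg_type == 1:
            out.update(parse_ntlm_negotiate(tok))
        return out
    # GSS-API InitialContextToken: tag 0x60, length, then OID 06 06 <SPNEGO>.
    if tok[:1] == b"\x60" and b"\x06\x06" + OID_SPNEGO in tok[:12]:
        mechs = [name for name, oid in SPNEGO_MECHS.items()
                 if b"\x06" + bytes([len(oid)]) + oid in tok]
        return {"kind": "SPNEGO", "mech_types": mechs}
    return {"kind": "unknown", "head": tok[:8].hex()}


def diagnose(helper_line):
    """One-line verdict for the token on a helper 'YR'/'KK' line."""
    info = classify_token(token_from_helper_line(helper_line))
    if info["kind"] == "NTLMSSP":
        return ("NTLMSSP type %d inside 'Negotiate': the client fell back to NTLM; "
                "a Kerberos-only helper such as squid_kerb_auth cannot validate it"
                % info["type"])
    if info["kind"] == "SPNEGO":
        return "SPNEGO token offering %s" % ", ".join(info["mech_types"])
    return "unrecognised token (starts with %s)" % info["head"]


if __name__ == "__main__":
    tok = token_from_helper_line(HELPER_LINE)
    print("decoded length:", len(tok))
    for k, v in classify_token(tok).items():
        print("%-12s %s" % (k, hex(v) if k == "flags" else v))
    print(diagnose(HELPER_LINE))
    print(classify_token(SPNEGO_KRB5_INIT))
```

Run against the thread's token this reports decoded length 40, type 1, flags 0xe2088297 with NEGOTIATE_VERSION set, version (6, 1, 7601, 15) and empty domain and workstation, which is exactly the Wireshark dissection above; the same routine on a real Kerberos request would report a SPNEGO token with krb5 or ms-krb5 in its mechTypes. A Kerberos-only helper has nothing it can do with the former, which is why squid_kerb_auth logs "received type 1 NTLM token" and Squid reports the user as failing Negotiate validation.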

