Re: [squid-users] Samba 3-ntlm_auth, Squid-2.5Stable4 and W2K3 Authentication options

> What protocol did you tell ntlm_auth to use? I.e. what does your
> auth_param lines look like?

Here is my entire setup:

Here is my squid compile parameters:

CFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer"
\
./configure \
--prefix=/usr \
--datadir=/usr/share \
--localstatedir=/var \
--sysconfdir=/etc/squid \
--infodir=/usr/share/info \
--mandir=/usr/share/man \
--enable-useragent_log \
--enable-auth="ntlm,basic" \
--enable-basic-auth-helpers="winbind" \
--enable-ntlm-auth-helpers="fakeauth,no_check,SMB,winbind" \
--enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group,winbind_group"

(I am sure that some of these are NOT needed but I would rather compile
everything, find out what works and then recompile with just what is
needed)

My squid.conf auth settings:

auth_param ntlm program /usr/local/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp (yes this is the samba 3 version)
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 3
auth_param ntlm max_challenge_lifetime 2 minutes

# these are used by every other browser
auth_param basic program /usr/local/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 minutes

My wbinfo output as requested:

root@caleb ~> wbinfo -t
checking the trust secret via RPC calls succeeded

root@caleb ~> wbinfo -u
Administrator
Guest
SUPPORT_388945a0
krbtgt
testuser
surfer
samba

root@caleb ~> wbinfo -g
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
AuthorizedUsers
IntranetUsers
StaffUsers

root@caleb ~> wbinfo -a surfer%surfer2003
plaintext password authentication succeeded
challenge/response password authentication succeeded

root@caleb ~> squid -v
Squid Cache: Version 2.5.STABLE4
configure options: --prefix=/usr --datadir=/usr/share
--localstatedir=/var --sysconfdir=/etc/squid --infodir=/usr/share/info
--mandir=/usr/share/man --enable-useragent_log --enable-auth=ntlm,basic
--enable-basic-auth-helpers=winbind
--enable-ntlm-auth-helpers=fakeauth,no_check,SMB,winbind
--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group

root@caleb ~> su - squid
[squid@caleb squid]$ /usr/local/bin/ntlm_auth --username=surfer
password:
NT_STATUS_OK: Success (0x0)

Turning mime_headers on reveals the following in the squid access log:

1069265718.735 119 172.16.215.30 TCP_DENIED/407 1645 GET
http://www.google.com/ - NONE/- text/html [Accept: image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\nAccept-Language:
en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.0)\r\nHost:
www.google.com\r\nProxy-Connection: Keep-Alive\r\nCookie:
PREF=ID=56c8b0c142718d37:TM=1065216586:LM=1065560328:TB=2:S=FbXQxkoNGt1g8HVm\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nServer: squid/2.5.STABLE4\r\nMime-Version: 1.0\r\nDate: Wed, 19 Nov 2003 18:15:18 GMT\r\nContent-Type: text/html\r\nContent-Length: 1302\r\nExpires: Wed, 19 Nov 2003 18:15:18 GMT\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: NTLM\r\n\r]
1069265718.947 107 172.16.215.30 TCP_DENIED/407 1715 GET
http://www.google.com/ - NONE/- text/html [Accept: image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\nAccept-Language:
en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.0)\r\nHost:
www.google.com\r\nProxy-Connection: Keep-Alive\r\nProxy-Authorization:
NTLM
TlRMTVNTUAABAAAAB7IAoAQABAAoAAAACAAIACAAAABLQ001MDI5OEJVR1M=\r\nCookie:
PREF=ID=56c8b0c142718d37:TM=1065216586:LM=1065560328:TB=2:S=FbXQxkoNGt1g8HVm\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nServer: squid/2.5.STABLE4\r\nMime-Version: 1.0\r\nDate: Wed, 19 Nov 2003 18:15:18 GMT\r\nContent-Type: text/html\r\nContent-Length: 1302\r\nExpires: Wed, 19 Nov 2003 18:15:18 GMT\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADAAAAACAgAg9nDlwSM9D0wAAAAAAAAAAAAAAAAwAAAA\r\n\r]

This is where it breaks- It appears to me that squid is NOT logging the
user/domain information in the log file

AND

when I run squid with the following (squid -XN -d 1) and then try to
access the web page , squid says:

        FATAL: authenticateNTLMHandleReply: called with no result string

        Aborted

So Samba's NTLM doesn't appear to give the answer in the form that Squid
wants.

Also, here is my samba compile settings and configuration file:

CFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer"
\
./configure \
--sysconfdir=/etc/samba \
--prefix=/usr/local/samba \
--localstatedir=/var \
--with-configdir=/etc/samba \
--with-privatedir=/etc/samba \
--enable-auth="ntlm,basic" \
--enable-basic-auth-helpers="winbind" \
--enable-ntlm-auth-helpers="winbind" \
--enable-external-acl-helpers=winbind_group \
--with-fhs \
--with-quotas \
--with-msdfs \
--with-smbmount \
--with-ads \
--with-pam \
--with-pam_smbpass \
--with-syslog \
--with-utmp \
--with-sambabook=/usr/share/swat/using_samba \
--with-swatdir=/usr/share/swat \
--with-libsmbclient \

AND

/etc/samba/smb.conf

[global]

workgroup = BUGS
netbios name = BUGS00001

realm = BUGS.EXAMPLE.COM
security = ads
encrypt passwords = yes
password server = W2003.BUGS.EXAMPLE.COM

winbind separator = /

winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
interfaces = 172.16.215.20 127.0.0.1
bind interfaces only = yes
winbind use default domain = yes
log file = /var/log/samba/log.%m
log level = 3
client signing = Yes
server signing = Yes
client use spnego = Yes

template shell = /bin/bash

template homedir = /home/%D/%U

finally, just for grins, my /etc/krb5.conf (krb5-1.3.1 compiled from
source) contents:

[libdefaults]
    default_realm = BUGS.EXAMPLE.COM
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
     default_tkt_enctypes = des-cbc-crc des-cbc-md5
    #default_etypes = arcfour-hmac-md5
    #default_etypes_des = arcfour-hmac-md5
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
BUGS.EXAMPLE.COM = {
    admin_server = W2003.BUGS.EXAMPLE.COM
    default_domain = BUGS.EXAMPLE.COM
    kdc = W2003.BUGS.EXAMPLE.COM
}

[domain_realm]
 .bugs.kcm.org = BUGS.EXAMPLE.COM
 bugs.kcm.org = BUGS.EXAMPLE.COM

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

Thanks for your time on this problem,

Dave Augustus
Received on Thu Nov 20 2003 - 07:25:00 MST