[squid-users] ntlm_auth question/problem

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 14 Jun 2008 20:57:41 +0100

I am trying to authenticate users with ntlm_auth but fail and don't find the
reason. I see the initial NTLM challenge, but then the browser doesn't
continue with the next NTLM step (at least that is what I think happens).

Any idea what I did wrong?

Thank you
Markus

 uname -a
Linux Opensuse 2.6.22.17-0.1-default #1 SMP 2008/02/10 20:01:04 UTC i686
i686 i386 GNU/Linux
Opensuse:~ # cat /etc/SuSE-release
openSUSE 10.3 (i586)
VERSION = 10.3

squid -v
Squid Cache: Version 2.6.STABLE14
configure options: '--prefix=/usr' '--sysconfdir=/etc/squid'
'--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var'
'--libexecdir=/usr/sbin' '--datadir=/usr/share/squid'
'--mandir=/usr/share/man' '--with-dl' '--with-maxfd=4096'
'--with-valgrind-debug' '--enable-snmp' '--enable-carp' '--enable-auth=basic
digest negotiate ntlm' '--enable-basic-auth-helpers=LDAP MSNT NCSA PAM SMB
YP getpwnam multi-domain-NTLM' '--enable-ntlm-auth-helpers=SMB fakeauth
no_check' '--enable-digest-auth-helpers=ldap password'
'--enable-external-acl-helpers=ip_user ldap_group session unix_group
wbinfo_group' '--enable-ntlm-fail-open' '--enable-arp-acl' '--enable-htcp'
'--enable-underscores' '--enable-stacktraces' '--enable-delay-pools'
'--enable-useragent-log' '--enable-referer-log' '--enable-forward-log'
'--enable-multicast-miss' '--enable-ssl' '--enable-cache-digests'
'--enable-auth-on-acceleration' '--enable-storeio=aufs,coss,diskd,null,ufs'
'--enable-linux-netfilter' '--enable-removal-policies=heap,lru'
'--enable-icmp' '--with-samba-sources=/usr/include/samba'
'--enable-large-cache-files' '--enable-x-accelerator-vary'
'--enable-follow-x-forwarded-for'
'CFLAGS=-O2 -march=i586 -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2
 -fstack-protector -g -fPIE -DLDAP_DEPRECATED -fno-strict-aliasing'
'LDFLAGS=-pie'

squid.conf:

http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
auth_param ntlm program /usr/sbin/ntlm_auth -d WIN2003R2\\w2k3r2
auth_param ntlm children 5
auth_param ntlm keep_alive on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 8333
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl authenticated proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow authenticated
http_access deny all
icp_access allow all
coredump_dir /var/cache/squid

cache.log

ntlm_auth[8452](ntlm_auth.c:284): managing request
ntlm_auth[8452](ntlm_auth.c:290): ntlm authenticator. Got 'YR
TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD1dJTlhQV0lOMjAwM1Iy'
from Squid
ntlm_auth[8452](ntlm_auth.c:239): obtain_challenge: selecting
WIN2003R2\W2K3R2 (attempt #1)
ntlm_auth[8452](ntlm_auth.c:251): attempting challenge retrieval
ntlm_auth[8452](libntlmssp.c:119): Connecting to server W2K3R2 domain
WIN2003R2
ntlm_auth[8452](ntlm_auth.c:253): make_challenge retuned 0x8000ef60
ntlm_auth[8452](ntlm_auth.c:255): Got it
ntlm_auth[8452](ntlm_auth.c:437): sending 'TT
TlRMTVNTUAACAAAACQAJACgAAACCgkEAyigxBxKJUqQAAAAAAAAAAFdJTjIwMDNSMg==' to
squid

Wireshark capture:

GET http://www.bbc.co.uk/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727)
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD1dJTlhQV0lOMjAwM1Iy
Proxy-Connection: Keep-Alive
Host: www.bbc.co.uk

HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.6.STABLE14
Date: Sat, 14 Jun 2008 18:55:14 GMT
Content-Type: text/html
Content-Length: 1310
Expires: Sat, 14 Jun 2008 18:55:14 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAACQAJACgAAACCgkEAiqcyv4MUME0AAAAAAAAAAFdJTjIwMDNSMg==
X-Cache: MISS from opensuse.suse.home
X-Cache-Lookup: NONE from opensuse.suse.home:3128
Via: 1.0 opensuse.suse.home:3128 (squid/2.6.STABLE14)
Proxy-Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;
charset=iso-8859-1">
<TITLE>ERROR: Cache Access Denied</TITLE>
<STYLE
type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
</HEAD>
<BODY>
<H1>ERROR</H1>
<H2>Cache Access Denied</H2>
<HR noshade size="1px">
<P>
While trying to retrieve the URL:
<A HREF="http://www.bbc.co.uk/">http://www.bbc.co.uk/</A>
<P>
The following error was encountered:
<UL>
<LI>
<STRONG>
Cache Access Denied.
</STRONG>
</UL>
</P>

<P>Sorry, you are not currently allowed to request:
<PRE> http://www.bbc.co.uk/</PRE>
from this cache until you have authenticated yourself.
</P>

<P>
You need to use Netscape version 2.0 or greater, or Microsoft Internet
Explorer 3.0, or an HTTP/1.1 compliant browser for this to work. Please
contact the <A HREF="mailto:webmaster">cache administrator</a> if you have
difficulties authenticating yourself or
<A HREF="http://opensuse.suse.home/cgi-bin/chpasswd.cgi">change</a> your
default password.
</P>

<BR clear="all">
<HR noshade size="1px">
<ADDRESS>
Generated Sat, 14 Jun 2008 18:55:14 GMT by opensuse.suse.home
(squid/2.6.STABLE14)
</ADDRESS>

The squid server is part of the domain (e.g. wbinfo -g works fine).

wbinfo -g
WIN2003R2\iis_wpg
WIN2003R2\session directory computers
WIN2003R2\domain computers
WIN2003R2\domain controllers
WIN2003R2\schema admins
WIN2003R2\enterprise admins
WIN2003R2\cert publishers
WIN2003R2\domain admins
WIN2003R2\domain users
WIN2003R2\domain guests
WIN2003R2\group policy creator owners
WIN2003R2\ras and ias servers
WIN2003R2\dnsadmins
WIN2003R2\dnsupdateproxy
WIN2003R2\certsvc_dcom_access
WIN2003R2\win2003r2users
WIN2003R2\sqlserver2005sqlbrowseruser$w2k3r2
WIN2003R2\sqlserver2005mssqlserveradhelperuser$w2k3r2
WIN2003R2\sqlserver2005mssqluser$w2k3r2$sqlexpress
WIN2003R2\solarisgroup
WIN2003R2\susegroup
WIN2003R2\squid_allow
Received on Sat Jun 14 2008 - 19:58:03 MDT
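To check what actually went over the wire in the exchange quoted above, it helps to decode the two NTLMSSP tokens rather than reading the base64. The following decoder is an added example, not code from the post or from Squid or Samba; it parses the Type 1 (NEGOTIATE) token from the browser's Proxy-Authorization header and the Type 2 (CHALLENGE) token from Squid's Proxy-Authenticate header, both copied verbatim from the capture in the post, using the public MS-NLMP message layout (signature, message type, negotiate flags, security buffers). The flag table is a subset of the documented flag bits; anything not listed is simply not named.

```python
"""Decode the NTLMSSP Type 1 / Type 2 tokens from the squid-users post.

Added example (not from the post, Squid or Samba): parses the base64 tokens
found in Proxy-Authorization / Proxy-Authenticate headers and in cache.log
according to the MS-NLMP layout. Handles only the NEGOTIATE and CHALLENGE
messages that the post shows; the Type 3 AUTHENTICATE the browser should
send next never appears in the capture.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Tokens copied from the Wireshark capture in the post.
TYPE1_FROM_BROWSER = (
    "TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD1dJTlhQV0lOMjAwM1Iy"
)
TYPE2_FROM_SQUID = (
    "TlRMTVNTUAACAAAACQAJACgAAACCgkEAiqcyv4MUME0AAAAAAAAAAFdJTjIwMDNSMg=="
)

# Subset of the NEGOTIATE flag bits defined in MS-NLMP section 2.2.2.5.
FLAG_NAMES = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00400000: "REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}


def flag_names(flags):
    """Return the names of the known flag bits set in `flags`, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def _buffer(msg, offset):
    """Read a security buffer (Len, MaxLen, Offset) and return the bytes it points at."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, offset)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length]


def _text(raw, flags):
    # Strings are UTF-16LE when NEGOTIATE_UNICODE was chosen, OEM (8-bit) otherwise.
    return raw.decode("utf-16-le") if flags & 0x00000001 else raw.decode("latin-1")


def decode_ntlm_token(token):
    """Decode one base64 NTLMSSP token into a dict of its fields."""
    msg = base64.b64decode(token)
    if len(msg) < 12 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": msg_type, "length": len(msg)}
    if msg_type == 1:
        # NEGOTIATE: flags at 12, domain buffer at 16, workstation buffer at 24,
        # optional 8-byte version at 32 (the domain/workstation names are OEM text).
        flags = struct.unpack_from("<I", msg, 12)[0]
        info["flags"] = flag_names(flags)
        info["domain"] = _buffer(msg, 16).decode("latin-1")
        info["workstation"] = _buffer(msg, 24).decode("latin-1")
        if flags & 0x02000000 and len(msg) >= 40:
            major, minor, build = struct.unpack_from("<BBH", msg, 32)
            info["version"] = f"{major}.{minor}.{build}"
    elif msg_type == 2:
        # CHALLENGE: target-name buffer at 12, flags at 20, 8-byte server challenge
        # at 24, 8 reserved bytes, then (if NEGOTIATE_TARGET_INFO) a TargetInfo buffer at 40.
        flags = struct.unpack_from("<I", msg, 20)[0]
        info["flags"] = flag_names(flags)
        info["target"] = _text(_buffer(msg, 12), flags)
        info["challenge"] = msg[24:32].hex()
        has_target_info = bool(flags & 0x00800000) and len(msg) >= 48
        info["target_info"] = _buffer(msg, 40).hex() if has_target_info else ""
    else:
        info["note"] = "only NEGOTIATE (1) and CHALLENGE (2) are decoded here"
    return info


if __name__ == "__main__":
    for label, token in (("browser Type 1", TYPE1_FROM_BROWSER),
                         ("squid Type 2", TYPE2_FROM_SQUID)):
        print(label)
        for key, value in decode_ntlm_token(token).items():
            print(f"  {key}: {value}")
```

Run as a script it prints each field of both messages, which lets you compare the character set, target type and flags the browser offered against the ones the proxy answered with, and confirm that the challenge Squid logged is the one the client received; the same function can be pointed at the `YR`/`TT` payloads in cache.log after stripping the two-letter prefix.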