[squid-users] Re: Re: ntlm_auth question/problem

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Mon, 23 Jun 2008 00:02:44 +0100

OK, then I must be doing something wrong. BTW, does ntlm_auth support NTLMv2?
When I change the client to LM & NTLM (the default was: Send NTLMv2 response
only\refuse LM) I get some more entries, although with some garbage:

ntlm_auth[10880](ntlm_auth.c:284): managing request
ntlm_auth[10880](ntlm_auth.c:290): ntlm authenticator. Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from Squid
ntlm_auth[10880](ntlm_auth.c:239): obtain_challenge: selecting
WIN2003R2\W2K3R2 (attempt #1)
ntlm_auth[10880](ntlm_auth.c:251): attempting challenge retrieval
ntlm_auth[10880](libntlmssp.c:119): Connecting to server W2K3R2 domain
WIN2003R2
ntlm_auth[10880](ntlm_auth.c:253): make_challenge retuned 0x8000ef60
ntlm_auth[10880](ntlm_auth.c:255): Got it
ntlm_auth[10880](ntlm_auth.c:437): sending 'TT
TlRMTVNTUAACAAAACQAJACgAAACCgkEA3yxFDYM9K0YAAAAAAAAAAFdJTjIwMDNSMg==' to
squid
ntlm_auth[10880](ntlm_auth.c:284): managing request
ntlm_auth[10880](ntlm_auth.c:290): ntlm authenticator. Got 'KK
TlRMTVNTUAADAAAAGAAYAGMAAAAYABgAewAAAAkACQBIAAAADQANAFEAAAAFAAUAXgAAAAAAAACTAAAABoIAAgUBKAoAAAAPV0lOMjAwM1IyQURNSU5JU1RSQVRPUldJTlhQVNQJn8CeS0yZT5mE7ua1XRp7fUfpuomzSqoATyYC2tZhHTmVMOR/tVjDabI1Az35'
from Squid
iáJRmüÖã{2xF0êC¥¤Ã
ntlm_auth[10880](libntlmssp.c:268): Empty LM pass detection: user:
'ADMINISTRATOR', ours:'KWÜ.É8*ähK´câ ±>møJServer returned a
non-zero SMB Error Class and Code.', his: 'TÔ ÀKLO
                                                                    îæµ]{}G麳Jª'(length:
24)
ntlm_auth[10880](libntlmssp.c:280): Empty NT pass detection: user:
'ADMINISTRATOR', ours:'JRmüÖã{2xF0êC¥¤Ã
                                                                             
                              ±>møJServer returned a non-zero SMB Error
Class and Code.', his: 'Jª'(length: 24)
ntlm_auth[10880](libntlmssp.c:294): checking domain: 'WIN2003R2', user:
'ADMINISTRATOR', pass='TÔ ÀKLO
                                                                             
                                îæµ]{}G麳'
ntlm_auth[10880](libntlmssp.c:297): Login attempt had result -1
ntlm_auth[10880](ntlm_auth.c:350): No creds. SMBlib error 1, SMB error class
1, SMB error code 5, NB error 0
ntlm_auth[10880](ntlm_auth.c:371): DOS error
ntlm_auth[10880](ntlm_auth.c:376): sending 'NA Access denied' to squid

Thank you
Markus

"Henrik Nordstrom" <henrik_at_henriknordstrom.net> wrote in message
news:1214161664.14622.5.camel_at_henriknordstrom.net...
> Plenty of users use ntlm.
>
> A guess is that your client does not trust the proxy server with
> automatic NTLM authentication. If I am not mistaken the best results are
> seen when it's configured with a shortname to the proxy (servername
> without domain).
>
>
>
>
> On Sun, 2008-06-22 at 18:42 +0100, Markus Moeller wrote:
>> Does nobody use ntlm_auth ?
>>
>> Markus
>>
>> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
>> news:g317rp$9v7$1_at_ger.gmane.org...
>> >I am trying to authenticate users with ntlm_auth but fail and don't find
>> >the reason. I see the initial NTLM challenge, but then the Browser
>> >doesn't
>> >continue the next NTLM step ( at least that is what I think happens)
>> >
>> > Any idea what I did wrong ?
>> >
>> > Thank you
>> > Markus
>> >
>> > uname -a
>> > Linux Opensuse 2.6.22.17-0.1-default #1 SMP 2008/02/10 20:01:04 UTC
>> > i686
>> > i686 i386 GNU/Linux
>> > Opensuse:~ # cat /etc/SuSE-release
>> > openSUSE 10.3 (i586)
>> > VERSION = 10.3
>> >
>> > squid -v
>> > Squid Cache: Version 2.6.STABLE14
>> > configure options: '--prefix=/usr' '--sysconfdir=/etc/squid'
>> > '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var'
>> > '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid'
>> > '--mandir=/usr/share/man' '--with-dl' '--with-maxfd=4096'
>> > '--with-valgrind-debug' '--enable-snmp' '--enable-carp'
>> > '--enable-auth=basic digest negotiate ntlm'
>> > '--enable-basic-auth-helpers=LDAP MSNT NCSA PAM SMB YP getpwnam
>> > multi-domain-NTLM' '--enable-ntlm-auth-helpers=SMB fakeauth no_check'
>> > '--enable-digest-auth-helpers=ldap password'
>> > '--enable-external-acl-helpers=ip_user ldap_group session unix_group
>> > wbinfo_group' '--enable-ntlm-fail-open' '--enable-arp-acl'
>> > '--enable-htcp'
>> > '--enable-underscores' '--enable-stacktraces' '--enable-delay-pools'
>> > '--enable-useragent-log' '--enable-referer-log' '--enable-forward-log'
>> > '--enable-multicast-miss' '--enable-ssl' '--enable-cache-digests'
>> > '--enable-auth-on-acceleration'
>> > '--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-linux-netfilter'
>> > '--enable-removal-policies=heap,lru' '--enable-icmp'
>> > '--with-samba-sources=/usr/include/samba' '--enable-large-cache-files'
>> > '--enable-x-accelerator-vary' '--enable-follow-x-forwarded-for'
>> > 'CFLAGS=-O2 -march=i586 -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2
>> > -fstack-protector -g -fPIE -DLDAP_DEPRECATED -fno-strict-aliasing'
>> > 'LDFLAGS=-pie'
>> >
>> >
>> > squid.conf:
>> >
>> > http_port 3128
>> > hierarchy_stoplist cgi-bin ?
>> > acl QUERY urlpath_regex cgi-bin \?
>> > cache deny QUERY
>> > acl apache rep_header Server ^Apache
>> > broken_vary_encoding allow apache
>> > access_log /var/log/squid/access.log squid
>> > auth_param ntlm program /usr/sbin/ntlm_auth -d WIN2003R2\\w2k3r2
>> > auth_param ntlm children 5
>> > auth_param ntlm keep_alive on
>> > refresh_pattern ^ftp: 1440 20% 10080
>> > refresh_pattern ^gopher: 1440 0% 1440
>> > refresh_pattern . 0 20% 4320
>> > acl all src 0.0.0.0/0.0.0.0
>> > acl manager proto cache_object
>> > acl localhost src 127.0.0.1/255.255.255.255
>> > acl to_localhost dst 127.0.0.0/8
>> > acl SSL_ports port 443 8333
>> > acl Safe_ports port 80 # http
>> > acl Safe_ports port 21 # ftp
>> > acl Safe_ports port 443 # https
>> > acl Safe_ports port 70 # gopher
>> > acl Safe_ports port 210 # wais
>> > acl Safe_ports port 1025-65535 # unregistered ports
>> > acl Safe_ports port 280 # http-mgmt
>> > acl Safe_ports port 488 # gss-http
>> > acl Safe_ports port 591 # filemaker
>> > acl Safe_ports port 777 # multiling http
>> > acl CONNECT method CONNECT
>> > acl authenticated proxy_auth REQUIRED
>> > http_access allow manager localhost
>> > http_access deny manager
>> > http_access deny !Safe_ports
>> > http_access deny CONNECT !SSL_ports
>> > http_access allow localhost
>> > http_access allow authenticated
>> > http_access deny all
>> > icp_access allow all
>> > coredump_dir /var/cache/squid
>> >
>> > cache.log
>> >
>> > ntlm_auth[8452](ntlm_auth.c:284): managing request
>> > ntlm_auth[8452](ntlm_auth.c:290): ntlm authenticator. Got 'YR
>> > TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD1dJTlhQV0lOMjAwM1Iy'
>> > from Squid
>> > ntlm_auth[8452](ntlm_auth.c:239): obtain_challenge: selecting
>> > WIN2003R2\W2K3R2 (attempt #1)
>> > ntlm_auth[8452](ntlm_auth.c:251): attempting challenge retrieval
>> > ntlm_auth[8452](libntlmssp.c:119): Connecting to server W2K3R2 domain
>> > WIN2003R2
>> > ntlm_auth[8452](ntlm_auth.c:253): make_challenge retuned 0x8000ef60
>> > ntlm_auth[8452](ntlm_auth.c:255): Got it
>> > ntlm_auth[8452](ntlm_auth.c:437): sending 'TT
>> > TlRMTVNTUAACAAAACQAJACgAAACCgkEAyigxBxKJUqQAAAAAAAAAAFdJTjIwMDNSMg=='
>> > to
>> > squid
>> >
>> >
>> > Wireshark capture:
>> >
>> > GET http://www.bbc.co.uk/ HTTP/1.1
>> > Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
>> > application/x-shockwave-flash, */*
>> > Accept-Language: en-us
>> > UA-CPU: x86
>> > Accept-Encoding: gzip, deflate
>> > User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
>> > 2.0.50727)
>> > Proxy-Authorization: NTLM
>> > TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD1dJTlhQV0lOMjAwM1Iy
>> > Proxy-Connection: Keep-Alive
>> > Host: www.bbc.co.uk
>> >
>> > HTTP/1.0 407 Proxy Authentication Required
>> > Server: squid/2.6.STABLE14
>> > Date: Sat, 14 Jun 2008 18:55:14 GMT
>> > Content-Type: text/html
>> > Content-Length: 1310
>> > Expires: Sat, 14 Jun 2008 18:55:14 GMT
>> > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
>> > Proxy-Authenticate: NTLM
>> > TlRMTVNTUAACAAAACQAJACgAAACCgkEAiqcyv4MUME0AAAAAAAAAAFdJTjIwMDNSMg==
>> > X-Cache: MISS from opensuse.suse.home
>> > X-Cache-Lookup: NONE from opensuse.suse.home:3128
>> > Via: 1.0 opensuse.suse.home:3128 (squid/2.6.STABLE14)
>> > Proxy-Connection: keep-alive
>> >
>> > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
>> > "http://www.w3.org/TR/html4/loose.dtd">
>> > <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;
>> > charset=iso-8859-1">
>> > <TITLE>ERROR: Cache Access Denied</TITLE>
>> > <STYLE
>> > type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
>> > </HEAD>
>> > <BODY>
>> > <H1>ERROR</H1>
>> > <H2>Cache Access Denied</H2>
>> > <HR noshade size="1px">
>> > <P>
>> > While trying to retrieve the URL:
>> > http://www.bbc.co.uk/
>> > <P>
>> > The following error was encountered:
>> > <UL>
>> > <LI>
>> > <STRONG>
>> > Cache Access Denied.
>> > </STRONG>
>> > </UL>
>> > </P>
>> >
>> > <P>Sorry, you are not currently allowed to request:
>> > <PRE> http://www.bbc.co.uk/</PRE>
>> > from this cache until you have authenticated yourself.
>> > </P>
>> >
>> > <P>
>> > You need to use Netscape version 2.0 or greater, or Microsoft Internet
>> > Explorer 3.0, or an HTTP/1.1 compliant browser for this to work.
>> > Please
>> > contact the <A HREF="mailto:webmaster">cache administrator</a> if you
>> > have
>> > difficulties authenticating yourself or
>> > change
>> > your
>> > default password.
>> > </P>
>> >
>> > <BR clear="all">
>> > <HR noshade size="1px">
>> > <ADDRESS>
>> > Generated Sat, 14 Jun 2008 18:55:14 GMT by opensuse.suse.home
>> > (squid/2.6.STABLE14)
>> > </ADDRESS>
>> >
>> > squid server is part of domain (e.g. wbinfo -g works fine)
>> >
>> > wbinfo -g
>> > WIN2003R2\iis_wpg
>> > WIN2003R2\session directory computers
>> > WIN2003R2\domain computers
>> > WIN2003R2\domain controllers
>> > WIN2003R2\schema admins
>> > WIN2003R2\enterprise admins
>> > WIN2003R2\cert publishers
>> > WIN2003R2\domain admins
>> > WIN2003R2\domain users
>> > WIN2003R2\domain guests
>> > WIN2003R2\group policy creator owners
>> > WIN2003R2\ras and ias servers
>> > WIN2003R2\dnsadmins
>> > WIN2003R2\dnsupdateproxy
>> > WIN2003R2\certsvc_dcom_access
>> > WIN2003R2\win2003r2users
>> > WIN2003R2\sqlserver2005sqlbrowseruser$w2k3r2
>> > WIN2003R2\sqlserver2005mssqlserveradhelperuser$w2k3r2
>> > WIN2003R2\sqlserver2005mssqluser$w2k3r2$sqlexpress
>> > WIN2003R2\solarisgroup
>> > WIN2003R2\susegroup
>> > WIN2003R2\squid_allow
>> >
>> >
>> >
>> >
>>
>
>
Received on Sun Jun 22 2008 - 23:03:04 MDT
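
The 'YR', 'TT' and 'KK' lines in the helper debug output above carry base64 NTLMSSP messages, and the length of the NT response in the KK (type 3) message shows which response scheme the client actually sent. The Python below is an added example, not part of the thread or of Squid: the function names are hypothetical, and the two sample lines are the TT and KK values copied from the log in the reply.

```python
import base64
import struct

FLAG_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM otherwise
# TT and KK lines copied from the helper log in the reply above.
PAGE_TT = ("TT TlRMTVNTUAACAAAACQAJACgAAACCgkEA3yxFDYM9K0YA"
           "AAAAAAAAAFdJTjIwMDNSMg==")
PAGE_KK = ("KK TlRMTVNTUAADAAAAGAAYAGMAAAAYABgAewAAAAkACQBIAAAADQANAFEAAAAFAAUAXgAA"
           "AAAAAACTAAAABoIAAgUBKAoAAAAPV0lOMjAwM1IyQURNSU5JU1RSQVRPUldJTlhQ"
           "VNQJn8CeS0yZT5mE7ua1XRp7fUfpuomzSqoATyYC2tZhHTmVMOR/tVjDabI1Az35")

def _buf(msg, pos):  # bytes named by the (len, maxlen, offset) field at pos
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def _text(raw, flags):
    return raw.decode("utf-16-le" if flags & FLAG_UNICODE else "latin-1")

def classify(lm, nt):  # name the scheme from a type 3's LM/NT response fields
    if len(nt) > 24:               # 16-byte HMAC-MD5 proof + variable blob
        return "NTLMv2"
    if len(nt) == 24 and len(lm) == 24 and lm[8:] == bytes(16):
        return "NTLM2 session"     # LM field = client nonce + 16 zero bytes
    if len(nt) == 24:
        return "NTLMv1"
    return "LM only" if len(lm) == 24 else "none"

def parse_helper_line(line):
    """Decode one 'YR|TT|KK <base64>' helper line into a dict."""
    code, b64 = line.split(None, 1)
    msg = base64.b64decode(b64.strip(), validate=True)
    if len(msg) < 16 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    out = {"code": code, "type": mtype}
    if mtype == 2:                 # CHALLENGE: target name, flags, nonce
        out["flags"] = struct.unpack_from("<I", msg, 20)[0]
        out["challenge"] = msg[24:32].hex()
        out["target"] = _text(_buf(msg, 12), out["flags"])
    elif mtype == 3:               # AUTHENTICATE: responses and identity
        out["flags"] = struct.unpack_from("<I", msg, 60)[0]
        for name, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
            out[name] = _text(_buf(msg, pos), out["flags"])
        out["scheme"] = classify(_buf(msg, 12), _buf(msg, 20))
    else:                          # NEGOTIATE (type 1) carries only flags
        out["flags"] = struct.unpack_from("<I", msg, 12)[0]
    return out
```

Calling `parse_helper_line(PAGE_KK)` on the logged type 3 message returns the domain, user, workstation and the response scheme, so a v1/v2 mismatch between client policy and helper can be read from the debug log alone.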
