Hi Louis,

When you have an offline PC do you use DHCP to give an IP ? If so can you also provide the PC with a WINS server via DHCP ? If that is possible and you run WINS you can authenticate the user with ***@DOMAIN.COM when you get the authentication popup. The WINS server will point the PC to the AD server of the domain DOMAIN.COM ( I assume you have given out some AD guest accounts to the none domain PC )

Regards
Markus


"L.P.H. van Belle" <***@bazuin.nl> wrote in message news:***@ms249-lin-003.rotterdam.bazuin.nl...
Nobody any hint where the NTLM auth is going wrong, or what i can do to fix this.




------------------------------------------------------------------------------
Van: squid-users [mailto:squid-users-***@lists.squid-cache.org] Namens L.P.H. van Belle
Verzonden: maandag 17 augustus 2015 17:06
Aan: squid-***@lists.squid-cache.org
Onderwerp: [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3


Hai all,

I have a Debian Jessie setup with squid 3.4 , all debian packages.
Im using samba 4 AD as domain controllers for my kerberos authentication.

I've a setup as followed here :
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

I have my kerberos auth working, so i dont type any password with a "domain joined computer" when i want to internet.
I Have my Ldap auth working, for my "Non windows, non domain joined" Devices.

Now, i need to give users access to the internet, a non domain joined, windows PC.

Im getting : ( with markus negotiate_wrapper 1.0.1 )
2015/08/17 16:31:51 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }
2015/08/17 16:32:03| negotiate_wrapper: Got 'YR TlR.... =' from squid (length: 59).
2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR... =' (decoded length: 40).
2015/08/17 16:32:03| negotiate_wrapper: received type 1 NTLM token
2015/08/17 16:32:03| negotiate_wrapper: Return 'TT TlR...... AA= *
2015/08/17 16:32:03| negotiate_wrapper: Got 'KK TlR.... 8=' from squid (length: 711).
2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR.....8=' (decoded length: 530).
2015/08/17 16:32:03| negotiate_wrapper: received type 3 NTLM token
2015/08/17 16:32:03| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL
2015/08/17 16:32:03 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }}



I know the following : ( and correct me if im thinking wrong here.)
## 1) Pure Kerberos. Passthrough auth for windows users with windows DOMAIN JOINED pc's.
## Fallback to Ldap for NON WINDOWS NON DOMAIN JOINED Devices.
## NO NTLM. AKA, a windows pc, NOT JOINED in the domain, with end up in always user popup for auth.
## Which will always fail because of NTLM TYPE 1 and TYPE 2, authorisations.
## 2) NEGOTIATE AUTH, which will do all of above, but also authenticated Windows PC's Not domain Joined.

But i recieve a type 3 NTLM token...


This are the configs have tested and these 2 work.
For kerberos auth
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/***@REALM

for basic auth
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
-b "dc=internal,dc=domain,dc=tld" \
-D ldap-***@internal.domain.tld -W /etc/squid3/private/ldap-bind \
-f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
-h addc.internal.domain.tld

These dont work.

auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
--ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
--kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
or
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
--ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
--kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

tried here the supplied wrapper with squid.: /usr/lib/squid3/negotiate_wrapper_auth
and i have tried the negotiate_wrapper of Markus, as the wiki.squid-cache.org also says here
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory ( Install negotiate_wrapper )

the kerberos part works but not the ntlm .

when i try with only:

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
auth_param ntlm children 10
auth_param ntlm keep_alive off

im also unable to authenticat on the proxy.

all winbind test work..

I googled a lot, but i didnt find any solutions so im hoping someone here knows more.

so anyone any hint where to look, i cant figure this out.


Greetz,

Louis







--------------------------------------------------------------------------------

Hello Markus,
 
This a hard one , but ill explian a bit first, because this depends on the pc im testing with.
 
I have 2 networks within one ip range atm, and with the 2 networks i mean 2 samba (windows) domains.
Im migrating the old to new and im testing in the new domain, but old 2 new is complete rebuild, setup clean.
 
Old. samba 3 ldap, with dhcp. own dns servers and wins through dhcp. wins is assinged by dhcp here.
new, samba 4 kerberos, the DCs are the DNS servers and static ips for the pc's.
 
no, this isnt done, is this needed? i was testing with a AD user.
for example myself, i must be able to auth on the proxy with any device, domain joined or not.
 
What i will do, use the kerberos and ldap fall back first, this works.
Migrate the netwerk first and then redo my tests on my proxy server.
setup the DHCP for the new AD servers, and take-ing notice of the wins setting your pointed me to.
 
When i'll test, you say : ***@DOMAIN.COM for user.
Do you mean, ***@UPN  or ***@REALM  just to be sure.
 
If you can confirm that the use setup below is correct, thats a nice to know.
then i can put these auth files in the "working" backup-setup folder..  ;-)
 
And thank you for your reply, very appriciated.
 
Greetz,
 
Louis
 
 
Van: squid-users [mailto:squid-users-***@lists.squid-cache.org] Namens Markus Moeller
Verzonden: woensdag 19 augustus 2015 0:03
Aan: squid-***@lists.squid-cache.org
Onderwerp: Re: [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3



Hi Louis,
 
   When you have an offline PC do you use DHCP to give an IP ?   If so can you also provide the PC with a WINS server via DHCP ?  If that is possible and you run WINS you can authenticate the user with ***@DOMAIN.COM when you get the authentication popup. The WINS server will point the PC to the AD server of the domain DOMAIN.COM ( I assume you have given out some AD guest accounts to the none domain PC ) 
 
Regards
Markus
 
 
"L.P.H. van Belle" <***@bazuin.nl> wrote in message news:***@ms249-lin-003.rotterdam.bazuin.nl...


Nobody any hint where the NTLM auth is going wrong, or what i can do to fix this.
 

Van: squid-users [mailto:squid-users-***@lists.squid-cache.org] Namens L.P.H. van Belle
Verzonden: maandag 17 augustus 2015 17:06
Aan: squid-***@lists.squid-cache.org
Onderwerp: [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3



Hai all,
 
I have a Debian Jessie setup with squid 3.4 , all debian packages.
Im using samba 4 AD as domain controllers for my kerberos authentication.
 
I've a setup as followed here :
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory 
 
I have my kerberos auth working, so i dont type any password with a "domain joined computer"  when i want to internet.
I Have my Ldap auth working, for my "Non windows, non domain joined" Devices.
 
Now, i need to give users access to the internet, a non domain joined, windows PC.
 
Im getting :  ( with markus negotiate_wrapper 1.0.1  )
2015/08/17 16:31:51 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }
2015/08/17 16:32:03| negotiate_wrapper: Got 'YR TlR....   =' from squid (length: 59).
2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR... =' (decoded length: 40).
2015/08/17 16:32:03| negotiate_wrapper: received type 1 NTLM token
2015/08/17 16:32:03| negotiate_wrapper: Return 'TT TlR......  AA= *
2015/08/17 16:32:03| negotiate_wrapper: Got 'KK TlR....  8=' from squid (length: 711).
2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR.....8=' (decoded length: 530).
2015/08/17 16:32:03| negotiate_wrapper: received type 3 NTLM token
2015/08/17 16:32:03| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL
2015/08/17 16:32:03 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }}
 
 
 
I know the following : ( and correct me if im thinking wrong here.)
## 1) Pure Kerberos. Passthrough auth for windows users with windows DOMAIN JOINED pc's.
##    Fallback to Ldap for NON WINDOWS NON DOMAIN JOINED Devices.
##    NO NTLM. AKA, a windows pc, NOT JOINED in the domain, with end up in always user popup for auth.
##    Which will always fail because of NTLM TYPE 1 and TYPE 2, authorisations.
## 2) NEGOTIATE AUTH, which will do all of above, but also authenticated Windows PC's Not domain Joined.

But i recieve a type 3 NTLM token... 
 
 
This are the configs have tested and these 2 work.
For kerberos auth
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/***@REALM   
 
for basic auth
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
    -b "dc=internal,dc=domain,dc=tld" \
    -D ldap-***@internal.domain.tld -W /etc/squid3/private/ldap-bind \
    -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
    -h addc.internal.domain.tld 

These dont work.
 
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
    --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
    --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
or
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
    --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
    --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

tried here the supplied wrapper with squid.:     /usr/lib/squid3/negotiate_wrapper_auth 
and i have tried the negotiate_wrapper of Markus, as the wiki.squid-cache.org also says  here
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory   ( Install negotiate_wrapper ) 
 
the kerberos part works but not the ntlm .
 
when i try with only:
 
### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
auth_param ntlm children 10
auth_param ntlm keep_alive off
 
im also unable to authenticat on the proxy.
 
all winbind test work.. 
 
I googled a lot, but i didnt find any solutions so im hoping someone here knows more.
 
so anyone any hint where to look, i cant figure this out.
 
 
Greetz,
 
Louis
 
 
 
 
 

_______________________________________________
squid-users mailing list
squid-***@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

All Squid can do is offer mechanisms. The client is required to respond
using the most secure that it can use.

Configuring auth schemes in this order:

auth_param negotiate program ...
auth_param basic program ...

Should meet your needs almost all the time. But it really depends on the
client following either the specs or your offered order. Not all do. And
some think "Negotiate" means "Negotiate/NTLM", and/or try that before
Negotiate/Kerberos.
Basic auth RADIUS helper can use RADIUS as an authentication backend.
Other than that I'm not familiar with it.
Take a look and see what its sending for Basic auth credentials on first
try.

You may need to use a Basic auth helper that allows stripping the
@DOMAIN part off the credentials received. I think some systems send the
***@DOMAIN in Basic with the machine name as DOMAIN. That wont work
against any real DC server.
For NTLM or Negotiate credentials being used. Then credentials once
authenticated are tied permanently to the TCP connection(s) they were
used on. You have to fully close all the affected TCP connections to
"logout". The only reliable way to do that is shutdown the whole browser.

For Basic auth credentials being used. They are only accepted so long as
the auth backend keeps accepting them. HTTP actually requires the
browser/client to send credentials on every single request. Squid checks
these against the ones it seen being valid before, or once every
credentialsttl timeout it re-checks fully against the backend server.
I dont see where NTLM comes into that.

From your description fallback authentication *is* working. But with
users able to send credentials that you dont want to allow their use of.

That is a different (authorization) problem to solve. By authenticating
successfully the user is "proving" that they are who they claim to be.
Although Basic auth could possibly be a lie with somebody elses valid
credentials.

It is up to your authorization system to determine if the sener of
credentials X:Y are still allowed to access anything, and what. Squid
ACLs primarily used for that, but also the AD server can reject re-login
verification after Basic auth credentialsttl by Squid helper - that will
probably result in more popups.


Amos