[Samba] [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3
L.P.H. van Belle
belle at bazuin.nl
Tue Aug 18 08:00:28 UTC 2015
... sorry wrong list..
but you can read it and learn from it.. :-))
Greetz,
Louis
>-----Original Message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>L.P.H. van Belle
>Sent: Tuesday 18 August 2015 9:45
>To: samba at lists.samba.org
>Subject: Re: [Samba] [squid-users] debian Jessie squid with
>auth (kerberos/ntlm/basic) ERROR type NTLM type 3
>
>Hai Amos,
>
>Thank you for your very clear response.. a few small questions..
>
>Is there a way to set up the proxy for the following?
>1) use negotiate kerberos for auth, ( which is working already
>for all domain joined machines )
>2) use a fallback that works, for now basic ldap works for
>non windows machines, and domain joined machines.
>3) use any other fallback way for authenticating users on
>windows machines, that are not in the domain,
> and without modifying anything in windows, as these
>are often guest machines.
>
>Is a link to a radius server an option? I don't have a radius yet,
>but one can be installed,
>and radius is also coming for my wifi authentication.
>Would that fix my problem (3) above, in an authentication
>fallback setup?
>
>
>>One puzzling thing is why Win7 client is trying to use NTLM in
>>the first
>>place. NTLM is disabled by default in Vista and later due to
>>its lack of
>>security.
>>
>>Try adding "auth_param negotiate keep_alive off" to close connections
>>when Negotiate/NTLM is used and force the client to retry with other
>>auth credentials on a clean connection.
>
>these :
>>> auth_param negotiate program
>>> /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/hostname.fqdn at REALM
>and
>>> auth_param negotiate program /usr/local/bin/negotiate_wrapper
>These lines both work for negotiate kerberos.
>The last, when using /usr/local/bin/negotiate_wrapper, was
>tested with the parameter
>negotiate keep_alive off.
>
>The above works fine with the domain joined pc, but not with the
>"non domain joined" PC.
>The negotiate kerberos works very well, but the fallback does not.
>( as you explained )
>
>I found that if I set up with only basic_ldap_auth, against the
>AD, then I can use both,
>domain joined and not domain joined, but the first time it
>always gives a popup for authenticating.
>Once authenticated, it keeps it authenticated, aka
>windows/IE keeps the login and password,
>even if I clear the history.
>
>Why I don't want this...
>If a user is logged in to the domain, and kerberos auth is used,
>then when going on the internet,
>the "correct" aka logged in user is always used.
>But when I use basic_ldap_auth, then it lets the user put
>in another username/password at the popup,
>then it remembers the login and a user is now on the internet
>with another user's name.
>
>So, if I'm right, a fallback for all is not possible, due to
>NTLM auth?
>
>And a big thank you for your response.
>
>
>Greetz,
>
>Louis
>
>
>>-----Original Message-----
>>From: squid-users
>>[mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
>>Amos Jeffries
>>Sent: Tuesday 18 August 2015 8:39
>>To: squid-users at lists.squid-cache.org
>>Subject: Re: [squid-users] debian Jessie squid with auth
>>(kerberos/ntlm/basic) ERROR type NTLM type 3
>>
>>On 18/08/2015 3:06 a.m., L.P.H. van Belle wrote:
>>> Hai all,
>>>
>>> I have a Debian Jessie setup with squid 3.4 , all debian packages.
>>> I'm using samba 4 AD as domain controllers for my kerberos
>>> authentication.
>>>
>>> I've a setup as followed here :
>>>
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>>>
>>> I have my kerberos auth working, so I don't type any password
>>> with a "domain joined computer" when I want to internet.
>>> I have my Ldap auth working, for my "Non windows, non domain
>>> joined" Devices.
>>>
>>> Now, I need to give users access to the internet on a non
>>> domain joined, windows PC.
>>>
>>> I'm getting : ( with markus negotiate_wrapper 1.0.1 )
>>> 2015/08/17 16:31:51 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }
>>> 2015/08/17 16:32:03| negotiate_wrapper: Got 'YR TlR.... =' from squid (length: 59).
>>> 2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR... =' (decoded length: 40).
>>> 2015/08/17 16:32:03| negotiate_wrapper: received type 1 NTLM token
>>
>>Type 1 NTLM.
>
>
>>
>>> 2015/08/17 16:32:03| negotiate_wrapper: Return 'TT TlR...... AA= *
>>> 2015/08/17 16:32:03| negotiate_wrapper: Got 'KK TlR.... 8=' from squid (length: 711).
>>> 2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR.....8=' (decoded length: 530).
>>> 2015/08/17 16:32:03| negotiate_wrapper: received type 3 NTLM token
>>> 2015/08/17 16:32:03| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL
>>> 2015/08/17 16:32:03 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }}
>>>
>>>
>>>
>>> I know the following : ( and correct me if I'm thinking wrong here.)
>>> ## 1) Pure Kerberos. Passthrough auth for windows users with
>>> windows DOMAIN JOINED pc's.
>>> ## Fallback to Ldap for NON WINDOWS NON DOMAIN JOINED Devices.
>>> ## NO NTLM. AKA, a windows pc, NOT JOINED in the domain,
>>> will end up in always user popup for auth.
>>> ## Which will always fail because of NTLM TYPE 1 and TYPE
>>> 2, authorisations.
>>> ## 2) NEGOTIATE AUTH, which will do all of above, but also
>>> authenticated Windows PC's Not domain Joined.
>>
>>Regarding (1):
>>
>>* "Pure kerberos" aka "Kerberos " auth scheme is not supported
>>in Squid.
>>Only Negotiate/Kerberos. It was accepted by Squid-2 as an alias for
>>Negotiate, but Squid-3 operates differently and it was
>>dropped for now.
>>
>>* Rejecting NTLM (ie Negotiate/NTLM) is an artifact of the Squid
>>kerberos-only helper rejecting NTLM tokens. Nothing more.
>>
>>You could reject the Negotiate/Kerberos tokens by configuring a
>>NTLM-only helper in the "auth_param negotiate program".
>>
>>* off-domain machines only ever worked using Basic authentication or
>>similar protocols called LanMan which sent passwords inside NTLM or
>>Negotiate/NTLM tokens. But LanMan are so insecure they are no longer
>>supported.
>> NP: if you have a client that will only authenticate with LanMan (SMB
>>LM) protocols you are better off security-wise not
>>authenticating it at
>>all. At least that stops it broadcasting the user's password to
>>the world.
>>
>>
>>Regarding (2):
>>
>>* The machine still does need to be domain joined, at least recently
>>enough to have a valid Kerberos token. What can be avoided is being
>>connected "live" during the handshake itself.
>>
>> But that is a feature of the client software not related to Squid. So
>>some clients support it, most actually don't.
>>
>>
>>>
>>> But I receive a type 3 NTLM token...
>>>
>>
>>You also received NTLM type 1 prior to it. I suspect a machine not
>>joined to the domain is trying to use NTLM, which requires
>>being on the
>>domain.
>>
>>There is no problem with this *unless* the client machine is
>>refusing to
>>fallback to Negotiate/Kerberos or Basic auth after the failure.
>>
>>There is no reason a popup should occur unless all forms of
>>Negotiate/Kerberos Negotiate/NTLM, NTLM, and Basic which are
>>offered by
>>the proxy have failed.
>>
>>
>>>
>>> These are the configs I have tested and these 2 work.
>>> For kerberos auth
>>> auth_param negotiate program
>>> /usr/lib/squid3/negotiate_kerberos_auth -s
>>> HTTP/hostname.fqdn at REALM
>>>
>>> for basic auth
>>> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
>>> -b "dc=internal,dc=domain,dc=tld" \
>>> -D ldap-bind at internal.domain.tld -W
>>/etc/squid3/private/ldap-bind \
>>> -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
>>> -h addc.internal.domain.tld
>>>
>>> These dont work.
>>
>>I assume that by the positioning of your "these" statements you meant
>>the above work, and the below don't.
>>
>>>
>>> auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
>>> --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
>>> --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
>>> or
>>> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
>>> --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
>>> --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
>>>
>>> tried here the supplied wrapper with squid.:
>>> /usr/lib/squid3/negotiate_wrapper_auth
>>> and I have tried the negotiate_wrapper of Markus, as the
>>> wiki.squid-cache.org also says here
>>>
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory ( Install negotiate_wrapper )
>>>
>>> the kerberos part works but not the ntlm .
>>
>>One puzzling thing is why Win7 client is trying to use NTLM in
>>the first
>>place. NTLM is disabled by default in Vista and later due to
>>its lack of
>>security.
>>
>>Try adding "auth_param negotiate keep_alive off" to close connections
>>when Negotiate/NTLM is used and force the client to retry with other
>>auth credentials on a clean connection.
>>
>>
>>>
>>> when I try with only:
>>>
>>> ### pure ntlm authentication
>>> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
>>> auth_param ntlm children 10
>>> auth_param ntlm keep_alive off
>>>
>>> I'm also unable to authenticate on the proxy.
>>
>>NTLM will only work with current MS software if the client is
>>joined to
>>the domain, and if NTLM is explicitly re-enabled.
>>
>>The 1970-80's LanMan protocols are no longer supported since
>>2006 (WinXP
>>SP3). The most secure of these can be decrypted in under 50
>>milliseconds
>>- ie "live".
>>
>>Ironically that was exactly how Squid helpers used to work for
>>off-domain clients all through the 2000's. LanMan passwords being
>>decrypted in real-time allowed Basic auth APIs in AD to be
>>used. Giving
>>the appearance that off-domain machines were authenticating securely,
>>when in fact they were just broadcasting their passwords about. Not a
>>good situation.
>>
>>The old 1990's NTLM v1 and v2 are also on the way out since
>>Vista. NTLM
>>v1 can be decrypted in a few seconds, v2 in a few minutes.
>>
>>
>>HTH
>>Amos
>>_______________________________________________
>>squid-users mailing list
>>squid-users at lists.squid-cache.org
>>http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
>
>
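As an added diagnostic example, not from the thread and not code from Squid or negotiate_wrapper: the script below decodes the base64 tokens that appear in the negotiate_wrapper "Got 'YR ...'" / "Got 'KK ...'" log lines quoted above (elided there as 'TlR....') and reports whether each one is an NTLMSSP message (and which type) or a GSS-API/SPNEGO blob, so cache.log shows which mechanism an off-domain client is actually offering before the helper answers BH. The YR/KK helper commands and the log format are those shown in the thread; the tokens and log lines it runs on are constructed, and the OID table is my own.

```python
import base64
import re
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"   # base64 'TlRMTVNTUAA...', the 'TlR...' in the thread's log
# DER contents octets of the mechanism OIDs a GSS-API token may announce (assumed table).
KNOWN_OIDS = {
    b"\x2b\x06\x01\x05\x05\x02": "SPNEGO",                    # 1.3.6.1.5.5.2
    b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02": "Kerberos (MS)",  # 1.2.840.48018.1.2.2
    b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02": "Kerberos",       # 1.2.840.113554.1.2.2
}
# negotiate_wrapper log format from the thread: YR opens an exchange, KK continues it.
LOG_RE = re.compile(r"negotiate_wrapper: Got '(YR|KK) ([A-Za-z0-9+/=]+)' from squid")

def classify_token(raw: bytes) -> str:
    """Label one decoded token: 'NTLM type N', 'GSS-API <mech>' or 'unknown'."""
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        # MessageType is a little-endian uint32 at offset 8: 1 Negotiate, 2 Challenge, 3 Authenticate
        return "NTLM type %d" % struct.unpack_from("<I", raw, 8)[0]
    if raw[:1] == b"\x60" and len(raw) > 1:                  # [APPLICATION 0] InitialContextToken
        pos = 2 if raw[1] < 0x80 else 2 + (raw[1] & 0x7F)    # skip short- or long-form DER length
        if raw[pos:pos + 1] == b"\x06" and len(raw) > pos + 1:  # OBJECT IDENTIFIER follows
            oid = raw[pos + 2:pos + 2 + raw[pos + 1]]
            return "GSS-API " + KNOWN_OIDS.get(oid, "unknown mech")
    return "unknown"

def scan_log(lines):
    """Return [(helper_command, label)] for every 'Got' line in a negotiate_wrapper log."""
    found = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            found.append((m.group(1), classify_token(base64.b64decode(m.group(2)))))
    return found

def log_line(cmd: str, token: bytes) -> str:
    # Constructed log line in the thread's format; 'length' counts command, space and base64.
    b64 = base64.b64encode(token).decode()
    return "2015/08/17 16:32:03| negotiate_wrapper: Got '%s %s' from squid (length: %d)." % (cmd, b64, len(b64) + 3)

# Constructed sample tokens: a minimal NTLM Negotiate, a zero-padded Authenticate, an SPNEGO header.
NTLM_TYPE1 = NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0xE2088297) + bytes(16)
NTLM_TYPE3 = NTLMSSP_SIGNATURE + struct.pack("<I", 3) + bytes(52)
SPNEGO_TOKEN = b"\x60\x0d\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x03\x30\x01\x00"
SAMPLE_LOG = [log_line("YR", SPNEGO_TOKEN), log_line("YR", NTLM_TYPE1),
              "2015/08/17 16:32:03| negotiate_wrapper: Return 'TT TlRMTVNTUAACAAAA'",
              log_line("KK", NTLM_TYPE3)]

if __name__ == "__main__":
    for cmd, label in scan_log(SAMPLE_LOG):
        print(cmd, label)   # a domain-joined client shows GSS-API SPNEGO, an off-domain one NTLM type 1/3
```

Run it against a real cache.log with helper debugging (-d) on and the YR/KK lines will carry full base64 tokens rather than the elided ones quoted in the thread.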