[Samba] [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3

L.P.H. van Belle belle at bazuin.nl
Tue Aug 18 07:45:14 UTC 2015


Hai Amos, 

Thank you for your very clear response.. few small questions..

Is there a way to set up the proxy for the following?
1) use negotiate kerberos for auth, ( which is working already for all domain joined machines )
2) use a fallback that works, for now basic ldap works for non windows machines, and domain joined machines.
3) use any other fallback way for authenticating users on windows machines, that are not in the domain.
	and without modifying anything in windows. as these are often guest machines. 

Is a link to a radius server an option? I don't have a radius yet, but it can be installed. 
And radius is also coming for my wifi authentication. 
Would that fix my problem (3) above, in an authentication fallback setup? 


>One puzzling thing is why Win7 client is trying to use NTLM in the first
>place. NTLM is disabled by default in Vista and later due to its lack of
>security.
>
>Try adding "auth_param negotiate keep_alive off" to close connections
>when Negotiate/NTLM is used and force the client to retry with other
>auth credentials on a clean connection.

These: 
>> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/hostname.fqdn@REALM    
and 
>> auth_param negotiate program /usr/local/bin/negotiate_wrapper
These lines both work for negotiate kerberos.  
The last, when using /usr/local/bin/negotiate_wrapper, was tested with the parameter 
negotiate keep_alive off. 

Above works fine with the domain joined PC, but not with the "non domain joined" PC. 
The negotiate kerberos works very well, but the fallback does not. ( as you explained ) 

I found that if I set up with only basic_ldap_auth, against the AD, then I can use both,
domain joined and not domain joined, but the first time it always gives a popup for authenticating. 
Once authenticated, it stays authenticated, aka windows/IE keeps the login and password, 
even if I clear the history. 

Why I don't want this... 
If a user is logging in to the domain, and kerberos auth is used, then when going on the internet, 
the "correct" aka logged in user, is always used. 
But when I use basic_ldap_auth, then it lets the user put in another username/password at the popup, 
then it remembers the login and a user is now internetting with another user's name. 

So, if I'm right, a fallback for all is not possible, due to NTLM auth? 

And a big thank you for your response. 


Greetz, 

Louis


>-----Original message-----
>From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Amos Jeffries
>Sent: Tuesday 18 August 2015 8:39
>To: squid-users at lists.squid-cache.org
>Subject: Re: [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3
>
>On 18/08/2015 3:06 a.m., L.P.H. van Belle wrote:
>> Hai all, 
>>  
>> I have a Debian Jessie setup with squid 3.4, all Debian packages. 
>> I'm using Samba 4 AD as domain controllers for my Kerberos authentication. 
>>  
>> I've a setup as followed here: 
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory 
>>  
>> I have my Kerberos auth working, so I don't type any password with a "domain joined computer" when I want to internet. 
>> I have my LDAP auth working, for my "non Windows, non domain joined" devices. 
>>  
>> Now, I need to give users access to the internet, a non domain joined, Windows PC. 
>>  
>> I'm getting: ( with Markus' negotiate_wrapper 1.0.1 ) 
>> 2015/08/17 16:31:51 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }
>> 2015/08/17 16:32:03| negotiate_wrapper: Got 'YR TlR....   =' from squid (length: 59). 
>> 2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR... =' (decoded length: 40).
>> 2015/08/17 16:32:03| negotiate_wrapper: received type 1 NTLM token
>
>Type 1 NTLM.


>
>> 2015/08/17 16:32:03| negotiate_wrapper: Return 'TT TlR......  AA= * 
>> 2015/08/17 16:32:03| negotiate_wrapper: Got 'KK TlR....  8=' from squid (length: 711).
>> 2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR.....8=' (decoded length: 530).
>> 2015/08/17 16:32:03| negotiate_wrapper: received type 3 NTLM token
>> 2015/08/17 16:32:03| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL
>> 2015/08/17 16:32:03 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }} 
>>  
>>  
>>  
>> I know the following: ( and correct me if I'm thinking wrong here.) 
>> ## 1) Pure Kerberos. Passthrough auth for windows users with windows DOMAIN JOINED pc's.
>> ##    Fallback to Ldap for NON WINDOWS NON DOMAIN JOINED Devices.
>> ##    NO NTLM. AKA, a windows pc, NOT JOINED in the domain, will always end up in a user popup for auth.
>> ##    Which will always fail because of NTLM TYPE 1 and TYPE 2, authorisations.
>> ## 2) NEGOTIATE AUTH, which will do all of above, but also authenticated Windows PC's Not domain Joined.
>
>Regarding (1):
>
>* "Pure kerberos" aka "Kerberos" auth scheme is not supported in Squid.
>Only Negotiate/Kerberos. It was accepted by Squid-2 as an alias for
>Negotiate, but Squid-3 operates differently and it was dropped for now.
>
>* Rejecting NTLM (ie Negotiate/NTLM) is an artifact of the Squid
>kerberos-only helper rejecting NTLM tokens. Nothing more.
>
>You could reject the Negotiate/Kerberos tokens by configuring a
>NTLM-only helper in the "auth_param negotiate program".
>
>* off-domain machines only ever worked using Basic authentication or
>similar protocols called LanMan which sent passwords inside NTLM or
>Negotiate/NTLM tokens. But LanMan are so insecure they are no longer
>supported.
> NP: if you have a client that will only authenticate with LanMan (SMB
>LM) protocols you are better off security-wise not authenticating it at
>all. At least that stops it broadcasting the user's password to the world.
>
>
>Regarding (2):
>
>* The machine still does need to be domain joined, at least recently
>enough to have a valid Kerberos token. What can be avoided is being
>connected "live" during the handshake itself.
>
> But that is a feature of the client software not related to Squid. So
>some clients support it, most actually don't.
>
>> 
>> But I receive a type 3 NTLM token...  
>>  
>
>You also received NTLM type 1 prior to it. I suspect a machine not
>joined to the domain is trying to use NTLM, which requires being on the
>domain.
>
>There is no problem with this *unless* the client machine is refusing to
>fallback to Negotiate/Kerberos or Basic auth after the failure.
>
>There is no reason a popup should occur unless all forms of
>Negotiate/Kerberos Negotiate/NTLM, NTLM, and Basic which are offered by
>the proxy have failed.
>
>
>>  
>> These are the configs I have tested and these 2 work. 
>> For kerberos auth 
>> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/hostname.fqdn@REALM    
>>  
>> for basic auth 
>> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
>>     -b "dc=internal,dc=domain,dc=tld" \
>>     -D ldap-bind@internal.domain.tld -W /etc/squid3/private/ldap-bind \
>>     -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
>>     -h addc.internal.domain.tld  
>> 
>> These dont work. 
>
>I assume that by the positioning of your "these" statements you meant
>the above work, and the below don't.
>
>>  
>> auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
>>     --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
>>     --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
>> or 
>> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
>>     --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
>>     --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
>> 
>> Tried here the supplied wrapper with squid: /usr/lib/squid3/negotiate_wrapper_auth  
>> and I have tried the negotiate_wrapper of Markus, as wiki.squid-cache.org also says here
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory   ( Install negotiate_wrapper )  
>>  
>> the kerberos part works but not the ntlm. 
>
>One puzzling thing is why Win7 client is trying to use NTLM in the first
>place. NTLM is disabled by default in Vista and later due to its lack of
>security.
>
>Try adding "auth_param negotiate keep_alive off" to close connections
>when Negotiate/NTLM is used and force the client to retry with other
>auth credentials on a clean connection.
>
>
>>  
>> when i try with only: 
>>  
>> ### pure ntlm authentication
>> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
>> auth_param ntlm children 10
>> auth_param ntlm keep_alive off
>>  
>> I'm also unable to authenticate on the proxy. 
>
>NTLM will only work with current MS software if the client is joined to
>the domain, and if NTLM is explicitly re-enabled.
>
>The 1970-80's LanMan protocols are no longer supported since 2006 (WinXP
>SP3). The most secure of these can be decrypted in under 50 milliseconds
>- ie "live".
>
>Ironically that was exactly how Squid helpers used to work for
>off-domain clients all through the 2000's. LanMan passwords being
>decrypted in real-time allowed Basic auth APIs in AD to be used. Giving
>the appearance that off-domain machines were authenticating securely,
>when in fact they were just broadcasting their passwords about. Not a
>good situation.
>
>The old 1990's NTLM v1 and v2 are also on the way out since Vista. NTLM
>v1 can be decrypted in a few seconds, v2 in a few minutes.
>
>
>HTH
>Amos
>_______________________________________________
>squid-users mailing list
>squid-users at lists.squid-cache.org
>http://lists.squid-cache.org/listinfo/squid-users
>
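An added example, not from this thread and not Squid's or Samba's own code: a small Python decoder for the NTLMSSP tokens that squid hands a squid-2.5-ntlmssp helper, the 'YR TlR....' and 'KK TlR....' lines in the negotiate_wrapper log above. The base64 prefix TlRMTVNTUAA is "NTLMSSP\0" and the next byte is the message type (1, 2 or 3). Decoding a type 3 token shows which domain, user and workstation the client presented, which is the quickest way to confirm the diagnosis above: an off-domain Windows machine offering a local account that ntlm_auth cannot validate against the DC. YR marks the first token on a fresh connection and KK a follow-up token in that helper protocol. The sample tokens, the names LAPTOP-GUEST and visitor, and the flags value are constructed here; the AD domain BAZRTD comes from the config in the thread.

```python
import base64
import struct

# Constructed sample data: the thread's log lines abbreviate the tokens as
# 'TlR....', so the tokens below are built here to exercise the parser.

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # strings in the token are UTF-16LE


def _security_buffer(raw, at):
    """Read one (len, maxlen, offset) header at `at` and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, at)
    return raw[offset:offset + length]


def parse_helper_line(line):
    """Describe the NTLM token carried by one 'YR <b64>' or 'KK <b64>' helper line."""
    code, _, b64 = line.strip().partition(" ")
    if code not in ("YR", "KK"):
        raise ValueError(f"not an NTLM helper request: {code!r}")
    raw = base64.b64decode(b64)
    if raw[:8] != NTLMSSP_SIGNATURE:
        # A Negotiate/Kerberos (SPNEGO) token starts with 0x60, not "NTLMSSP\0".
        raise ValueError("token is not NTLMSSP")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"code": code, "type": msg_type, "decoded_length": len(raw)}
    if msg_type == 1:
        info["flags"] = struct.unpack_from("<I", raw, 12)[0]
    elif msg_type == 3:
        flags = struct.unpack_from("<I", raw, 60)[0]
        enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
        info["domain"] = _security_buffer(raw, 28).decode(enc)
        info["user"] = _security_buffer(raw, 36).decode(enc)
        info["workstation"] = _security_buffer(raw, 44).decode(enc)
        nt_len = struct.unpack_from("<H", raw, 20)[0]
        # NTLMv1 sends a fixed 24-byte NT response; NTLMv2 is a 16-byte HMAC plus a blob.
        info["nt_response"] = "NTLMv2" if nt_len > 24 else "NTLMv1"
    return info


def diagnose(lines, ad_domain):
    """Summarise one helper exchange: which domain the client claimed and whether
    that is the AD domain the proxy's ntlm_auth helper can validate against."""
    tokens = [parse_helper_line(line) for line in lines]
    type3 = next((t for t in tokens if t["type"] == 3), None)
    if type3 is None:
        return {"tokens": tokens, "verdict": "no AUTHENTICATE (type 3) token seen"}
    on_domain = type3["domain"].upper() == ad_domain.upper()
    verdict = ("client claims the AD domain; check ntlm_auth/winbind" if on_domain
               else f"client presented {type3['domain']}\\{type3['user']}: "
                    "not an AD account, so the DC cannot validate it")
    return {"tokens": tokens, "on_domain": on_domain, "verdict": verdict}


# --- constructed sample tokens ---------------------------------------------

def build_type1(flags):
    """Minimal NEGOTIATE_MESSAGE: signature, type, flags, empty domain/workstation."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags) + struct.pack("<HHI", 0, 0, 32) * 2


def build_type3(domain, user, workstation, nt_response, flags):
    """Minimal AUTHENTICATE_MESSAGE: six security buffers laid out after the
    64-byte fixed header (LM response and session key left empty)."""
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    header_len, fields, payload = 64, b"", b""
    for blob in (b"", nt_response, domain.encode(enc), user.encode(enc),
                 workstation.encode(enc), b""):
        fields += struct.pack("<HHI", len(blob), len(blob), header_len + len(payload))
        payload += blob
    return NTLMSSP_SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload


FLAGS = 0x00088205  # constructed: UNICODE | REQUEST_TARGET | NTLM | ALWAYS_SIGN | EXTENDED_SESSIONSECURITY
SAMPLE_LINES = [  # what an off-domain Windows box presenting a local account would send
    "YR " + base64.b64encode(build_type1(FLAGS)).decode(),
    "KK " + base64.b64encode(build_type3("LAPTOP-GUEST", "visitor", "LAPTOP-GUEST",
                                         b"\x11" * 16 + b"\x22" * 40, FLAGS)).decode(),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line[:20] + "...", parse_helper_line(line))
    print(diagnose(SAMPLE_LINES, "BAZRTD")["verdict"])
```

To use it on a real exchange, paste the full base64 from the wrapper's `Got 'YR ...'` and `Got 'KK ...'` debug lines into `SAMPLE_LINES`; a type 3 whose domain is the client's own hostname rather than the AD domain is the off-domain case discussed above, and no helper configuration will make the DC accept those credentials.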



