Old 05-04-2009, 12:29 PM   #1
lievendp
Member
 
Registered: Jan 2006
Location: Belgique
Distribution: Gentoo, Debian, Redhat, Centos, (x)Ubuntu
Posts: 111

Rep: Reputation: 27
squid ntlm authentication only first logon is authenticated.


I have a squid running with ntlm authentication.

In the squid config I have:

====================================================================
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on

external_acl_type aduser %LOGIN /usr/lib/squid/wbinfo_group.pl

acl allow_group external aduser internetproxy

http_access allow nt_allow_group
======================================================================


1) When I log on to the domain with user A, who is in the Active Directory group "internetproxy", the NTLM authentication works.

2) Then I log out from the machine and log in again with another user B, who is also in the group; the authentication fails.

3) I restart the squid service.

4) I log on again with user B and NTLM authentication works fine.

5) I log out, log back on with user A, and now this user fails the authentication.


It looks like only the first logon works and everybody after that is refused access. I only see simple TCP_DENIED/407 errors in the access.log.


I can't see why it's behaving like this. Does anybody have any insights here?

thanks in advance.
 
Old 05-05-2009, 07:09 AM   #2
lievendp
Member
 
Registered: Jan 2006
Location: Belgique
Distribution: Gentoo, Debian, Redhat, Centos, (x)Ubuntu
Posts: 111

Original Poster
Rep: Reputation: 27
Some more troubleshooting with the wbinfo_group.pl file revealed this:

The first user who logs on to the PC can NTLM-authenticate with squid; I see the first attempt with no credentials, then only the userid, and then user and group.

This is an extract from the squid cache log after a squid service restart:


2009/05/05 12:51:02| 0 Objects expired.
2009/05/05 12:51:02| 0 Objects cancelled.
2009/05/05 12:51:02| 0 Duplicate URLs purged.
2009/05/05 12:51:02| 0 Swapfile clashes avoided.
2009/05/05 12:51:02| Took 0.3 seconds (4176.5 objects/sec).
2009/05/05 12:51:02| Beginning Validation Procedure
2009/05/05 12:51:02| Completed Validation Procedure
2009/05/05 12:51:02| Validated 1174 Entries
2009/05/05 12:51:02| store_swap_size = 13848k
2009/05/05 12:51:02| storeLateRelease: released 0 objects
[2009/05/05 12:51:15, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088207
[2009/05/05 12:51:15, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
Got user=[userA] domain=[TESTDOM] workstation=[TEST01] len1=24 len2=24
[2009/05/05 12:51:15, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
NTLMSSP Sign/Seal - Initialising with flags:
[2009/05/05 12:51:15, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x20088235
Got userA from squid
Use of uninitialized value in concatenation (.) or string at /usr/lib/squid/wbinfo_group.pl line 67, <STDIN> line 1.
Sending to squid
Use of uninitialized value in concatenation (.) or string at /usr/lib/squid/wbinfo_group.pl line 68, <STDIN> line 1.
Got userA internetproxy from squid
group 1 : internetproxy
start van de check met userA en internetproxy
User: -userA-
Group: -internetproxy-
SID: -S-1-5-21-1301260591-4172108331-2277736389-1764-
GID: -10026-
Sending OK to squid
[2009/05/05 12:51:16, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088207
[2009/05/05 12:51:16, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
Got user=[userA] domain=[TESTDOM] workstation=[TEST01] len1=24 len2=24
[2009/05/05 12:51:16, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
NTLMSSP Sign/Seal - Initialising with flags:
[2009/05/05 12:51:16, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x20088235


Then I log off and log on with another user in the same AD groups, etc., and he gets the basic authentication dialog after a first unsuccessful NTLM authentication attempt:

[2009/05/05 12:55:30, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088207
[2009/05/05 12:55:30, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
Got user=[userB] domain=[TESTDOM] workstation=[TEST01] len1=24 len2=24
[2009/05/05 12:55:30, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
NTLMSSP Sign/Seal - Initialising with flags:
[2009/05/05 12:55:30, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x20088235
Got userB from squid
Sending OK to squid

=> I should not get OK, because no group was supplied. I added a line to show when I'm in the check subroutine, but it doesn't even show up.

Now userB is presented with a basic auth popup, which doesn't work either:

[2009/05/05 13:04:06, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088207
[2009/05/05 13:04:06, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
Got user=[userB] domain=[TESTDOM] workstation=[TEST01] len1=24 len2=24
[2009/05/05 13:04:06, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
NTLMSSP Sign/Seal - Initialising with flags:
[2009/05/05 13:04:06, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x20088235
[2009/05/05 13:04:14, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088207
[2009/05/05 13:04:14, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
Got user=[userB] domain=[TESTDOM] workstation=[TEST01] len1=24 len2=24
[2009/05/05 13:04:14, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
NTLMSSP Sign/Seal - Initialising with flags:
[2009/05/05 13:04:14, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x20088235
[2009/05/05 13:04:15, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088207
[2009/05/05 13:04:15, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
Got user=[userB] domain=[TESTDOM] workstation=[TEST01] len1=24 len2=24
[2009/05/05 13:04:15, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
NTLMSSP Sign/Seal - Initialising with flags:
[2009/05/05 13:04:15, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x20088235


Did anybody have this before?

Last edited by lievendp; 05-05-2009 at 07:56 AM.
 
Old 05-05-2009, 08:50 AM   #3
lievendp
Member
 
Registered: Jan 2006
Location: Belgique
Distribution: Gentoo, Debian, Redhat, Centos, (x)Ubuntu
Posts: 111

Original Poster
Rep: Reputation: 27
Problem solved...

After some troubleshooting, I found that the problem is in the wbinfo_group.pl script that was included in my squid package.

The squid is running on a rather old server:

root@mail:/usr/lib/squid# apt-cache policy squid
squid:
Installed: 2.5.12-4ubuntu2.4
Candidate: 2.5.12-4ubuntu2.4
Version table:
*** 2.5.12-4ubuntu2.4 0
500 http://be.archive.ubuntu.com dapper-updates/main Packages
500 http://security.ubuntu.com dapper-security/main Packages
100 /var/lib/dpkg/status
2.5.12-4ubuntu2 0
500 http://be.archive.ubuntu.com dapper/main Packages


In wbinfo_group.pl, there is a variable that holds "OK" or "ERR" to return to the squid ntlm helper. (I'm using the Samba ntlm helper, not the one that came with squid, because the latter was not working.)

This variable was never initialized and never reset either, so the first time someone authenticates it gets set to "OK" and stays like that. The first one to authenticate has no problem at all.

After a logoff and logon with another user, the user opens his browser and his userid is passed to squid without his groups. The script however sends OK, but NTLM does not authenticate.


This is my changed version of wbinfo_group.pl:
+++++++++++++++++++++++++++++++++++++++++++++++++++

#!/usr/bin/perl -w
#
# external_acl helper to Squid to verify NT Domain group
# membership using wbinfo
#
# This program is put in the public domain by Jerry Murdock
# <jmurdock@itraktech.com>. It is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Author:
# Jerry Murdock <jmurdock@itraktech.com>
#
# Version history:
# 2005-12-24 Guido Serassio <guido.serassio@acmeconsulting.it>
# Fix for wbinfo from Samba 3.0.21
#
# 2005-06-28 Arno Streuli <astreuli@gmail.com>
# Add multi group check
#
# 2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
# Initial release


# external_acl uses shell style lines in its protocol
# (Text::ParseWords replaces the old shellwords.pl, which newer Perls no longer ship)
use Text::ParseWords qw(shellwords);

# Disable output buffering
$|=1;

sub debug {
    # Uncomment this to enable debugging
    print STDERR "@_\n";
}

#
# Check if a user belongs to a group
#
sub check {
    # Take the arguments first, so the debug line below reports the real values
    my ($user, $group) = @_;
    &debug( "start van de check met $user en $group");
    my $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
    chomp $groupSID;
    my $groupGID = `wbinfo -Y "$groupSID"`;
    chomp $groupGID;
    &debug( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
    # A group that does not resolve to a GID must never match: deny explicitly
    return 'ERR' unless length $groupGID;
    return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
    return 'ERR';
}

#
# Main loop
#
while (<STDIN>) {
    chomp;
    #
    # I initialized $ans here and set it to ERR by default
    # I also added some info to &debug to troubleshoot this.
    #
    my $ans = 'ERR';
    &debug ("Got $_ from squid");
    my ($user, @groups) = shellwords($_);
    # test for each group squid sends in its request
    # add group monitor
    my $i = 0;
    foreach my $group (@groups) {
        $i+=1;
        &debug( "group $i : $group" );
        $ans = &check($user, $group);
        last if $ans eq "OK";
    }
    &debug ("Sending $ans to squid");
    print "$ans\n";
}

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This has probably been fixed some time ago in a newer release. I will do a test install of squid on a newer test server to check it out.


cheers!
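The stale-answer defect described in this post, modelled as an added example (not the original wbinfo_group.pl and not written by the poster): a Python model of Squid's external_acl helper loop that answers one request line per input line, with the buggy variant (answer variable only ever assigned when a group is checked, so a request with no groups repeats the previous answer) beside the corrected one (answer reset to ERR per request). wbinfo is replaced by a constructed in-memory membership table, so no domain is needed to run it; the request sequence is constructed to mirror the cache.log excerpt above.

```python
"""Model of Squid's external_acl helper protocol: one request per line,
"<user> <group>..." in, "OK" or "ERR" out.  Added example; the group
lookup is a constructed table standing in for `wbinfo -r <user>`."""
import shlex

# Constructed stand-in for wbinfo: user -> set of group names.
# The real helper resolves group name -> SID -> GID; names suffice here.
GROUP_MEMBERSHIP = {
    "userA": {"internetproxy", "domain users"},
    "userB": {"internetproxy", "domain users"},
    "userC": {"domain users"},
}


def parse_request(line):
    """Split a request the way the Perl script's shellwords() does.
    An empty request yields an empty user and no groups."""
    fields = shlex.split(line)
    return (fields[0], fields[1:]) if fields else ("", [])


def check(user, group):
    """Equivalent of the script's check(): OK only if user is in group."""
    return "OK" if group in GROUP_MEMBERSHIP.get(user, set()) else "ERR"


def buggy_helper(lines):
    """Original behaviour: `ans` lives outside the request loop and is only
    assigned inside the group loop.  A request carrying no groups therefore
    re-sends whatever the previous request produced (None on the very first
    request, matching an uninitialised Perl global)."""
    ans = None
    answers = []
    for line in lines:
        user, groups = parse_request(line)
        for group in groups:
            ans = check(user, group)
            if ans == "OK":
                break
        answers.append(ans)
    return answers


def fixed_helper(lines):
    """Corrected behaviour: `ans` is reset to ERR for every request, so a
    request with no groups, an unknown user or a non-member is denied."""
    answers = []
    for line in lines:
        ans = "ERR"
        user, groups = parse_request(line)
        for group in groups:
            ans = check(user, group)
            if ans == "OK":
                break
        answers.append(ans)
    return answers


# Constructed request sequence mirroring the thread: first logon with the
# group supplied, then a second user's request that arrives with no group.
REQUESTS = [
    "userA internetproxy",   # first logon: group supplied, member -> OK
    "userB",                 # second logon: only the userid arrives
    "userC internetproxy",   # not a member of internetproxy
    "userB internetproxy",   # member, group supplied
]

if __name__ == "__main__":
    for req, bug, fix in zip(REQUESTS, buggy_helper(REQUESTS), fixed_helper(REQUESTS)):
        print(f"{req!r:24} buggy={bug!s:<4} fixed={fix}")
```

The second request is the one that matters: the buggy loop answers OK for "userB" with no group at all, exactly the "Sending OK to squid" line in the log, while the fixed loop denies it. Running the model against a full request log is a cheap regression check for any helper that keeps state between requests.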
 
  

