LinuxQuestions.org

Linux - Server: squid ntlm authentication only first logon is authenticated. (https://www.linuxquestions.org/questions/linux-server-73/squid-ntlm-authentication-only-first-logon-is-authenticated-723587/)

lievendp 05-04-2009 11:29 AM

squid ntlm authentication only first logon is authenticated.
 
I have a Squid running with NTLM authentication.

In the Squid config I have:

====================================================================
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on

external_acl_type aduser %LOGIN /usr/lib/squid/wbinfo_group.pl

acl allow_group external aduser internetproxy

# the acl name here must match the acl defined above
http_access allow allow_group
======================================================================


1) When I log on to the domain with user A, who is in the Active Directory group "internetproxy", the NTLM authentication works.

2) Then I log out from the machine and log in again with another user B who is also in the group; the authentication fails.

3) I restart the Squid service.

4) I log on again with user B and NTLM authentication works fine.

5) I log out, log back on with user A, and now this user fails the authentication.


Looks like only the first logon works and everybody after that is refused access. I only see simple TCP_DENIED/407 errors in the access.log.


I can't see why it's behaving like this. Does anybody have any insights here?

Thanks in advance.

lievendp 05-05-2009 06:09 AM

Some more troubleshooting with the wbinfo_group.pl file revealed this:

The first user who logs on to the PC can NTLM-authenticate with Squid, and I see the first attempt with no credentials, then only the userid, and then user and group:

This is an extract from the Squid cache log after a Squid service restart:


2009/05/05 12:51:02| 0 Objects expired.
2009/05/05 12:51:02| 0 Objects cancelled.
2009/05/05 12:51:02| 0 Duplicate URLs purged.
2009/05/05 12:51:02| 0 Swapfile clashes avoided.
2009/05/05 12:51:02| Took 0.3 seconds (4176.5 objects/sec).
2009/05/05 12:51:02| Beginning Validation Procedure
2009/05/05 12:51:02| Completed Validation Procedure
2009/05/05 12:51:02| Validated 1174 Entries
2009/05/05 12:51:02| store_swap_size = 13848k
2009/05/05 12:51:02| storeLateRelease: released 0 objects
[2009/05/05 12:51:15, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088207
[2009/05/05 12:51:15, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
Got user=[userA] domain=[TESTDOM] workstation=[TEST01] len1=24 len2=24
[2009/05/05 12:51:15, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
NTLMSSP Sign/Seal - Initialising with flags:
[2009/05/05 12:51:15, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x20088235
Got userA from squid
Use of uninitialized value in concatenation (.) or string at /usr/lib/squid/wbinfo_group.pl line 67, <STDIN> line 1.
Sending to squid
Use of uninitialized value in concatenation (.) or string at /usr/lib/squid/wbinfo_group.pl line 68, <STDIN> line 1.
Got userA internetproxy from squid
group 1 : internetproxy
start van de check met userA en internetproxy
User: -userA-
Group: -internetproxy-
SID: -S-1-5-21-1301260591-4172108331-2277736389-1764-
GID: -10026-
Sending OK to squid
[2009/05/05 12:51:16, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088207
[2009/05/05 12:51:16, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
Got user=[userA] domain=[TESTDOM] workstation=[TEST01] len1=24 len2=24
[2009/05/05 12:51:16, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
NTLMSSP Sign/Seal - Initialising with flags:
[2009/05/05 12:51:16, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x20088235


Then I log off, log on with another user in the same AD groups etc., and he gets the basic authentication dialog after a first unsuccessful NTLM authentication trial:

[2009/05/05 12:55:30, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088207
[2009/05/05 12:55:30, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
Got user=[userB] domain=[TESTDOM] workstation=[TEST01] len1=24 len2=24
[2009/05/05 12:55:30, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
NTLMSSP Sign/Seal - Initialising with flags:
[2009/05/05 12:55:30, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x20088235
Got userB from squid
Sending OK to squid

=> I should not get OK because no group was supplied. I added a line to show when I'm in the check subroutine, but it doesn't even show up.

Now userB is presented with a basic auth popup, which doesn't work either:

[2009/05/05 13:04:06, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088207
[2009/05/05 13:04:06, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
Got user=[userB] domain=[TESTDOM] workstation=[TEST01] len1=24 len2=24
[2009/05/05 13:04:06, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
NTLMSSP Sign/Seal - Initialising with flags:
[2009/05/05 13:04:06, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x20088235
[2009/05/05 13:04:14, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088207
[2009/05/05 13:04:14, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
Got user=[userB] domain=[TESTDOM] workstation=[TEST01] len1=24 len2=24
[2009/05/05 13:04:14, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
NTLMSSP Sign/Seal - Initialising with flags:
[2009/05/05 13:04:14, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x20088235
[2009/05/05 13:04:15, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088207
[2009/05/05 13:04:15, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
Got user=[userB] domain=[TESTDOM] workstation=[TEST01] len1=24 len2=24
[2009/05/05 13:04:15, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
NTLMSSP Sign/Seal - Initialising with flags:
[2009/05/05 13:04:15, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x20088235


Did anybody have this before?

lievendp 05-05-2009 07:50 AM

Problem solved...

After some troubleshooting, I found that the problem is in the wbinfo_group.pl script that was included in my Squid package.

Squid is running on a rather old server:

root@mail:/usr/lib/squid# apt-cache policy squid
squid:
Installed: 2.5.12-4ubuntu2.4
Candidate: 2.5.12-4ubuntu2.4
Version table:
*** 2.5.12-4ubuntu2.4 0
500 http://be.archive.ubuntu.com dapper-updates/main Packages
500 http://security.ubuntu.com dapper-security/main Packages
100 /var/lib/dpkg/status
2.5.12-4ubuntu2 0
500 http://be.archive.ubuntu.com dapper/main Packages


In wbinfo_group.pl, there is a variable that holds "OK" or "ERR" to return to the Squid NTLM helper. (I'm using the Samba NTLM helper, not the one that came with Squid, because the latter was not working.)

This variable was never initialized and never reset either, so the first time someone authenticates it gets set to "OK" and stays like that. The first one to authenticate has no problem at all.

After a logoff and logon with another user, the user opens his browser and his userid is passed to Squid without his groups. The script, however, sends OK but NTLM does not authenticate.


This is my changed version of wbinfo_group.pl:
+++++++++++++++++++++++++++++++++++++++++++++++++++

#!/usr/bin/perl -w
#
# external_acl helper to Squid to verify NT Domain group
# membership using wbinfo
#
# This program is put in the public domain by Jerry Murdock
# <jmurdock@itraktech.com>. It is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Author:
# Jerry Murdock <jmurdock@itraktech.com>
#
# Version history:
# 2005-12-24 Guido Serassio <guido.serassio@acmeconsulting.it>
# Fix for wbinfo from Samba 3.0.21
#
# 2005-06-28 Arno Streuli <astreuli@gmail.com>
# Add multi group check
#
# 2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
# Initial release

use strict;
use warnings;

# external_acl uses shell style lines in its protocol;
# Text::ParseWords (core module) replaces the old perl4 shellwords.pl
use Text::ParseWords qw(shellwords);

# Disable output buffering
$| = 1;

sub debug {
    # Comment out the print to disable debugging (output goes to cache.log)
    print STDERR "@_\n";
}

#
# Check if a user belongs to a group
#
sub check {
    # take the arguments first, otherwise the debug line below reports
    # uninitialized values (that is where the "line 67/68" warnings came from)
    my ($user, $group) = @_;
    &debug("start van de check met $user en $group");
    my $groupSID = `wbinfo -n \Q$group\E | cut -d" " -f1`;
    chomp $groupSID;
    my $groupGID = `wbinfo -Y \Q$groupSID\E`;
    chomp $groupGID;
    &debug("User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
    # An unknown group leaves $groupGID empty, and /^$/m would then match the
    # end of the "wbinfo -r" output and wrongly return OK, so fail closed.
    return 'ERR' unless $groupGID =~ /^\d+$/;
    return 'OK' if (`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
    return 'ERR';
}

#
# Main loop
#
while (<STDIN>) {
    chomp;
    #
    # I initialized $ans here and set it to ERR by default.
    # I also added some info to &debug to troubleshoot this.
    #
    my $ans = 'ERR';
    &debug("Got $_ from squid");
    my ($user, @groups) = shellwords($_);
    # test for each group squid sends in its request
    # add group counter
    my $i = 0;
    foreach my $group (@groups) {
        $i += 1;
        &debug("group $i : $group");
        $ans = &check($user, $group);
        last if $ans eq "OK";
    }
    &debug("Sending $ans to squid");
    print "$ans\n";
}

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This has probably been fixed some time ago in a newer release. I will do a test install of Squid on a newer test server to check it out.


Cheers!
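To make the two fail-open paths in the helper concrete, here is a Python model of its main loop and check routine (added here; not code from the thread, Squid or Samba), with the wbinfo lookups replaced by constructed in-memory tables: the shipped loop carries a stale answer into a request that names no group, and an unresolvable group leaves the GID empty so the `^gid$` multi-line match succeeds against the end of the `wbinfo -r` output. The group and user tables are assumptions for the demo, not real winbind data.

```python
import re
import shlex

# Constructed stand-ins for `wbinfo -n ... | wbinfo -Y` (group -> GID) and
# `wbinfo -r user` (user -> GIDs). Not real winbind data.
GROUP_GID = {"internetproxy": "10026", "staff": "10030"}
USER_GIDS = {"userA": ["10026", "10001"], "userB": ["10001"], "userC": ["10030"]}


def wbinfo_r(user):
    """Mimic `wbinfo -r user`: one GID per line, empty output for unknown users."""
    return "".join(gid + "\n" for gid in USER_GIDS.get(user, []))


def check_original(user, group):
    """check() as shipped: an unknown group yields gid "" and ^$ still matches."""
    gid = GROUP_GID.get(group, "")          # empty when the lookups fail
    return "OK" if re.search(r"^%s$" % gid, wbinfo_r(user), re.M) else "ERR"


def check_fixed(user, group):
    """check() that refuses to grant access on an unresolvable group."""
    gid = GROUP_GID.get(group, "")
    if not re.fullmatch(r"\d+", gid):
        return "ERR"                         # fail closed
    return "OK" if re.search(r"^%s$" % gid, wbinfo_r(user), re.M) else "ERR"


def helper_original(lines):
    """Main loop as shipped: $ans is a global that is never reset per request."""
    ans, out = "ERR", []
    for line in lines:
        user, *groups = shlex.split(line)    # same tokenising as shellwords
        for group in groups:                 # empty group list leaves ans stale
            ans = check_original(user, group)
            if ans == "OK":
                break
        out.append(ans)
    return out


def helper_fixed(lines):
    """Main loop with lievendp's per-request reset plus the fail-closed check."""
    out = []
    for line in lines:
        ans = "ERR"                          # reset for every request
        user, *groups = shlex.split(line)
        for group in groups:
            ans = check_fixed(user, group)
            if ans == "OK":
                break
        out.append(ans)
    return out


# Constructed request sequence in the external_acl line format seen in cache.log.
REQUESTS = ["userA internetproxy", "userB", "userB internetproxy", "userC nosuchgroup"]
```

Running `helper_original(REQUESTS)` grants the second request (no group supplied) and the fourth (nonexistent group), while `helper_fixed(REQUESTS)` only grants userA.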

