Hello Markus, 
 
This is a hard one, but I'll explain a bit first, because this depends on the PC 
I'm testing with. 
 
I have 2 networks within one IP range at the moment, and with the 2 networks I mean 2 
Samba (Windows) domains. 
I'm migrating the old to the new and I'm testing in the new domain, but old to new is 
a complete rebuild, set up clean. 
 
Old: Samba 3 LDAP, with DHCP, own DNS servers and WINS through DHCP. WINS is 
assigned by DHCP here. 
New: Samba 4 Kerberos, the DCs are the DNS servers and static IPs for the PCs. 
 
> I assume you have given out some AD guest accounts to the non-domain PC 
No, this isn't done, is this needed? I was testing with an AD user. 
For example myself, I must be able to auth on the proxy with any device, domain 
joined or not. 
 
What I will do: use the Kerberos and LDAP fallback first, this works. 
Migrate the network first and then redo my tests on my proxy server. 
Set up the DHCP for the new AD servers, taking notice of the WINS setting 
you pointed me to. 
 
When I test, you say: u...@domain.com for user. 
Do you mean user@UPN or user@REALM, just to be sure. 
 
If you can confirm that the setup below is correct, that's nice to know. 
Then I can put these auth files in the "working" backup-setup folder..  ;-) 
 
And thank you for your reply, very appreciated. 
 
Greetz, 
 
Louis
 
 
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
Markus Moeller
Sent: Wednesday 19 August 2015 0:03
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] debian Jessie squid with auth 
(kerberos/ntlm/basic) ERROR type NTLM type 3



Hi Louis,
 
   When you have an offline PC, do you use DHCP to give an IP? If so, can you 
also provide the PC with a WINS server via DHCP? If that is possible and you 
run WINS you can authenticate the user with u...@domain.com when you get the 
authentication popup. The WINS server will point the PC to the AD server of the 
domain DOMAIN.COM (I assume you have given out some AD guest accounts to the 
non-domain PC). 
 
Regards
Markus
 
 
"L.P.H. van Belle" <be...@bazuin.nl> wrote in message 
news:vmime.55d2d089.2ba7.1a22bdbf5ed74...@ms249-lin-003.rotterdam.bazuin.nl...


Does nobody have any hint where the NTLM auth is going wrong, or what I can do to fix 
this? 
 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
L.P.H. van Belle
Sent: Monday 17 August 2015 17:06
To: squid-users@lists.squid-cache.org
Subject: [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) 
ERROR type NTLM type 3



Hi all, 
 
I have a Debian Jessie setup with squid 3.4, all Debian packages. 
I'm using Samba 4 AD as domain controllers for my Kerberos authentication. 
 
I have a setup as described here: 
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory 
 
I have my Kerberos auth working, so I don't type any password with a "domain 
joined computer" when I want to use the internet. 
I have my LDAP auth working, for my "non-Windows, non-domain-joined" devices. 
 
Now, I need to give users access to the internet from a non-domain-joined Windows 
PC. 
 
I'm getting: (with Markus' negotiate_wrapper 1.0.1) 
2015/08/17 16:31:51 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }
2015/08/17 16:32:03| negotiate_wrapper: Got 'YR TlR....   =' from squid (length: 59). 
2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR... =' (decoded length: 40).
2015/08/17 16:32:03| negotiate_wrapper: received type 1 NTLM token
2015/08/17 16:32:03| negotiate_wrapper: Return 'TT TlR......  AA= * 
2015/08/17 16:32:03| negotiate_wrapper: Got 'KK TlR....  8=' from squid (length: 711).
2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR.....8=' (decoded length: 530).
2015/08/17 16:32:03| negotiate_wrapper: received type 3 NTLM token
2015/08/17 16:32:03| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL
2015/08/17 16:32:03 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }} 
 
 
 
I know the following: (and correct me if I'm thinking wrong here.) 
## 1) Pure Kerberos. Passthrough auth for Windows users with Windows DOMAIN 
JOINED PCs.
##    Fallback to LDAP for NON-WINDOWS, NON-DOMAIN-JOINED devices.
##    NO NTLM. AKA, a Windows PC NOT JOINED in the domain will end up in 
an endless user popup for auth.
##    Which will always fail because of NTLM TYPE 1 and TYPE 2 authorisations.
## 2) NEGOTIATE AUTH, which will do all of the above, but also authenticates 
Windows PCs not domain joined.

But I receive a type 3 NTLM token...  
 
 
These are the configs I have tested, and these 2 work. 
For Kerberos auth: 
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/hostname.fqdn@REALM
 
For basic auth: 
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
    -b "dc=internal,dc=domain,dc=tld" \
    -D ldap-b...@internal.domain.tld -W /etc/squid3/private/ldap-bind \
    -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
    -h addc.internal.domain.tld  

These don't work: 
 
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
    --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
    --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
or 
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
    --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
    --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

Tried here the wrapper supplied with squid: 
/usr/lib/squid3/negotiate_wrapper_auth  
and I have tried the negotiate_wrapper of Markus, as wiki.squid-cache.org 
also says here 
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory  
 (Install negotiate_wrapper)  
 
The Kerberos part works but not the NTLM. 
 
When I try with only: 
 
### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
auth_param ntlm children 10
auth_param ntlm keep_alive off
 
I'm also unable to authenticate on the proxy. 
 
All winbind tests work.. 
 
I googled a lot, but I didn't find any solutions, so I'm hoping someone here knows 
more. 
 
So, anyone any hint where to look? I can't figure this out. 
 
 
Greetz, 
 
Louis
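An added example, not part of the thread: a small Python inspector for the helper-protocol lines that negotiate_wrapper logs above. It decodes the base64 after `YR`/`KK`, reads the NTLMSSP message type, and for a Type 3 token extracts the domain, user and workstation the client sent, which is what you would compare against the `--domain=` passed to ntlm_auth when a non-joined PC fails with NT_STATUS_UNSUCCESSFUL. The sample tokens and the names WORKGROUP/louis/LAPTOP01 are constructed for the example, not taken from the real log.

```python
import base64
import struct

# NTLMSSP message type (little-endian uint32 at offset 8) and the unicode flag
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001

def parse_helper_line(line):
    """Split a squid-2.5-ntlmssp helper line ('YR <b64>' or 'KK <b64>') into (verb, token)."""
    verb, _, b64 = line.strip().partition(" ")
    return verb, base64.b64decode(b64)

def _field(token, pos):
    # NTLM field descriptor: Len (u16), MaxLen (u16), BufferOffset (u32) -> payload bytes
    length, _maxlen, offset = struct.unpack_from("<HHI", token, pos)
    return token[offset:offset + length]

def describe_ntlm_token(token):
    """Identify the NTLMSSP message type; for Type 3 also pull domain/user/workstation."""
    if token[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", token, 8)[0]
    info = {"type": msg_type, "name": NTLM_TYPES.get(msg_type, "UNKNOWN")}
    if msg_type == 3:
        flags = struct.unpack_from("<I", token, 60)[0]
        enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
        # Type 3 field descriptors: LM 12, NT 20, Domain 28, User 36, Workstation 44
        info["domain"] = _field(token, 28).decode(enc)
        info["user"] = _field(token, 36).decode(enc)
        info["workstation"] = _field(token, 44).decode(enc)
    return info

def inspect_lines(lines):
    """Describe every helper line, e.g. to spot which domain a non-joined PC sent."""
    return [dict(verb=v, **describe_ntlm_token(t)) for v, t in map(parse_helper_line, lines)]

def build_type3(domain, user, workstation):
    """Constructed minimal Type 3 token (empty LM/NT responses, unicode strings) for the demo."""
    fields, payload = [], b""
    for s in (b"", b"", *(x.encode("utf-16-le") for x in (domain, user, workstation)), b""):
        fields.append(struct.pack("<HHI", len(s), len(s), 64 + len(payload)))  # fixed header = 64 bytes
        payload += s
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + b"".join(fields)
            + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + payload)

# Constructed sample lines in the shape negotiate_wrapper logs ('YR' = first token, 'KK' = next)
SAMPLE_TYPE1 = b"NTLMSSP\x00" + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 16 + b"\x0a\x00\x39\x38\x00\x00\x00\x0f"
SAMPLE_LINES = [
    "YR " + base64.b64encode(SAMPLE_TYPE1).decode(),
    "KK " + base64.b64encode(build_type3("WORKGROUP", "louis", "LAPTOP01")).decode(),
]
```

Feeding the real (unredacted) 'YR'/'KK' lines from a debug run into inspect_lines() shows whether the workstation presented its local workgroup name rather than the AD domain ntlm_auth expects.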
 
 
 
 
 

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
