Sorry, re-post in plain-text..

Hi All,

I've been following the guide at this location for Active Directory integration
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
 
First, some versions for sanity..
Ubuntu : 14.04.3 LTS
Squid  : 3.3.8 (from ubuntu repositories)
Samba  : 4.1.6-Ubuntu
DC     : Windows Server 2012 R2
 
I am currently testing the authentication; negotiate kerberos and basic ldap 
are both working correctly. However, ntlm is not, and I don't seem to be making 
any progress on debugging further.
 
Here is the relevant part of squid.conf
 
### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off
### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN
auth_param ntlm children 10
auth_param ntlm keep_alive off
### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=domain,DC=local" -D [email protected] -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 30 minutes
### ldap authorisation
external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=local" -D [email protected] -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))" -h dc1.domain.local
 

With kerberos and ldap working correctly, this seems to cover all my users, 
except for non-domain joined internet explorer, which unfortunately I still 
need to cater for.
For testing I have allowed the proxy user to login.
 
The following commands work successfully as the proxy user:
 
wbinfo -p
wbinfo -u
wbinfo -g
 
wbinfo -t does not run successfully as the proxy user, but does run as root.
 
Testing ntlm_auth at the command line works correctly:
 
ntlm_auth --helper-protocol=squid-2.5-basic
DOMAIN\user password
OK

When a non-domain joined user with internet explorer attempts to use the proxy, 
they are continually prompted for credentials. In /var/log/cache.log, I see:
 
2015/10/20 12:33:19| negotiate_wrapper: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' from squid (length: 59).
2015/10/20 12:33:19| negotiate_wrapper: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' (decoded length: 40).
2015/10/20 12:33:19| negotiate_wrapper: received type 1 NTLM token
2015/10/20 12:33:19| negotiate_wrapper: Return 'TT TlRMTVNTUAACAAAAEAAQADgAAAAVgoninreK53QrtdEAAAAAAAAAADgAOABIAAAABgEAAAAAAA9JAE4AUwBFAEMAVQBSAEUAAgAQAEkATgBTAEUAQwBVAFIARQABAAoAUABSAE8AWABZAAQAAAADAAoAcAByAG8AeAB5AAAAAAA=
'
2015/10/20 12:33:19| negotiate_wrapper: Got 'KK TlRMTVNTUAADAAAAGAAYAHQAAADYANgAjAAAABAAEABYAAAACAAIAGgAAAAEAAQAcAAAABAAEABkAQAAFYKI4gYDgCUAAAAP4J12bZve1C56VHP1YUJ5N2kAbgBzAGUAYwB1AHIAZQBiAHIAYQBkAEkATwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAI1+mUr3xj8iMVIytXIZcbAQEAAAAAAADgQryt3wrRAStLKXVkL/kDAAAAAAIAEABJAE4AUwBFAEMAVQBSAEUAAQAKAFAAUgBPAFgAWQAEAAAAAwAKAHAAcgBvAHgAeQAIADAAMAAAAAAAAAABAAAAABAAALfe6ZoORXwOZjR0QdSusCHwlNUGYo79byijLZDZARCDCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEANwAyAC4AMgA4AC4AMgA5AC4AMQA0ADcAAAAAAAAAAACEC4x7NJBCdMLgU3gJ6QTq' from squid (length: 499).
2015/10/20 12:33:19| negotiate_wrapper: Decode 'TlRMTVNTUAADAAAAGAAYAHQAAADYANgAjAAAABAAEABYAAAACAAIAGgAAAAEAAQAcAAAABAAEABkAQAAFYKI4gYDgCUAAAAP4J12bZve1C56VHP1YUJ5N2kAbgBzAGUAYwB1AHIAZQBiAHIAYQBkAEkATwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAI1+mUr3xj8iMVIytXIZcbAQEAAAAAAADgQryt3wrRAStLKXVkL/kDAAAAAAIAEABJAE4AUwBFAEMAVQBSAEUAAQAKAFAAUgBPAFgAWQAEAAAAAwAKAHAAcgBvAHgAeQAIADAAMAAAAAAAAAABAAAAABAAALfe6ZoORXwOZjR0QdSusCHwlNUGYo79byijLZDZARCDCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEANwAyAC4AMgA4AC4AMgA5AC4AMQA0ADcAAAAAAAAAAACEC4x7NJBCdMLgU3gJ6QTq' (decoded length: 372).
2015/10/20 12:33:19| negotiate_wrapper: received type 3 NTLM token
2015/10/20 12:33:19| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL
'
2015/10/20 12:33:19| ERROR: Negotiate Authentication validating user. Error returned 'BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL'
Can anyone give me any pointers on what I am doing incorrectly?
 
Thank you.
 
Ilias
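
To see what each side actually put into the tokens that negotiate_wrapper logs, here is an added Python example (not from the original post, nor from Squid or Samba) that decodes the base64 NTLMSSP messages from the 'YR'/'TT'/'KK' lines and reports message type, negotiated flags, client OS version and, for a type 3 message, the domain, user and workstation the client claimed. The type 1 token is the one from the cache.log excerpt above; the type 3 message is constructed by the example itself (EXAMPLE, alice and PC1 are made-up names), because the real one carries the user's identity.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
# Subset of the NTLMSSP NEGOTIATE_* flags (MS-NLMP 2.2.2.5) worth seeing in a helper trace
FLAGS = {0x1: "UNICODE", 0x2: "OEM", 0x4: "REQUEST_TARGET", 0x10: "SIGN", 0x200: "NTLM",
         0x8000: "ALWAYS_SIGN", 0x80000: "EXTENDED_SESSIONSECURITY", 0x800000: "TARGET_INFO",
         0x2000000: "VERSION", 0x20000000: "128", 0x40000000: "KEY_EXCH", 0x80000000: "56"}

def _field(raw, off):
    """Follow a (Len, MaxLen, Offset) descriptor at 'off' and return the payload bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, off)
    return raw[offset:offset + length]

def parse_token(token):
    """Decode one token as logged by negotiate_wrapper_auth; a leading 'YR '/'KK '/'TT ' is ignored."""
    raw = base64.b64decode(token.split()[-1])
    if raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", raw, 8)[0]
    flags_off, ver_off = {1: (12, 32), 2: (20, 48), 3: (60, 64)}[mtype]  # KeyError: unknown type
    flags = struct.unpack_from("<I", raw, flags_off)[0]
    enc = "utf-16-le" if flags & 0x1 else "latin-1"   # strings are Unicode unless only OEM negotiated
    info = {"type": mtype, "length": len(raw), "flags": sorted(n for b, n in FLAGS.items() if flags & b)}
    if mtype == 2:        # CHALLENGE from ntlm_auth: target name plus the 8-byte server challenge
        info["target"] = _field(raw, 12).decode(enc)
        info["challenge"] = raw[24:32].hex()
    elif mtype == 3:      # AUTHENTICATE: the identity the client claims plus its NT response length
        for name, off in (("domain", 28), ("user", 36), ("workstation", 44)):
            info[name] = _field(raw, off).decode(enc)
        info["nt_response_len"] = struct.unpack_from("<H", raw, 20)[0]
    if flags & 0x2000000 and len(raw) >= ver_off + 8:   # VERSION flag: OS that produced the message
        major, minor, build = struct.unpack_from("<BBH", raw, ver_off)
        info["version"] = "%d.%d.%d" % (major, minor, build)
    return info

def build_type3(domain, user, workstation, flags=0xE2888215):
    """Constructed AUTHENTICATE message with zeroed LM/NT responses and MIC; test input for parse_token only."""
    parts = [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b"\0" * 24, b"\0" * 216, b"\0" * 16]
    desc, payload, off = {}, b"", 88                  # 88-byte header: 72 fixed bytes + 16-byte MIC
    for name, data in zip(("domain", "user", "ws", "lm", "nt", "key"), parts):
        desc[name] = struct.pack("<HHI", len(data), len(data), off)
        payload, off = payload + data, off + len(data)
    header = SIGNATURE + struct.pack("<I", 3) + b"".join(desc[n] for n in ("lm", "nt", "domain", "user", "ws", "key"))
    header += struct.pack("<IBBHI", flags, 6, 3, 9600, 0x0F000000) + b"\0" * 16   # flags, version 6.3.9600, MIC
    return base64.b64encode(header + payload).decode()

# Type 1 (NEGOTIATE) token exactly as it appears in the cache.log excerpt above
TYPE1_FROM_LOG = "YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw=="
```

Running parse_token over the 'KK' line of a failing session shows whether the client sent the domain, user and workstation you expect, which is the first thing to compare against the --domain the helper was started with.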
_______________________________________________
squid-users mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-users
