L.P.H. van Belle
2015-Aug-18 08:00 UTC
[Samba] [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3
... sorry wrong list.. but you can read it and learn from it.. :-))

Greetz,

Louis

>-----Original message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
>Sent: Tuesday 18 August 2015 9:45
>To: samba at lists.samba.org
>Subject: Re: [Samba] [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3
>
>Hai Amos,
>
>Thank you for your very clear response.. a few small questions..
>
>Is there a way to set up the proxy for the following?
>1) use negotiate kerberos for auth (which is working already for all domain joined machines)
>2) use a fallback that works; for now basic ldap works for non-windows machines, and domain joined machines.
>3) use any other fallback way for authenticating users on windows machines that are not in the domain,
>   and without modifying anything in windows, as these are often guest machines.
>
>Is a link to a radius server an option? Don't have a radius yet, but it can be installed,
>and radius is also coming for my wifi authentication.
>Would that fix my problem (3) above, in an authentication fallback setup?
>
>
>>One puzzling thing is why Win7 client is trying to use NTLM in the first
>>place. NTLM is disabled by default in Vista and later due to its lack of
>>security.
>>
>>Try adding "auth_param negotiate keep_alive off" to close connections
>>when Negotiate/NTLM is used and force the client to retry with other
>>auth credentials on a clean connection.
>
>these:
>>> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/hostname.fqdn at REALM
>and
>>> auth_param negotiate program /usr/local/bin/negotiate_wrapper
>These lines both work for negotiate kerberos.
>The last, when using /usr/local/bin/negotiate_wrapper, was tested with the parameter
>negotiate keep_alive off.
>
>The above works fine with the domain joined pc, but not with the "non domain joined" PC.
>The negotiate kerberos works very well, but the fallback does not.
>(as you explained)
>
>I found that if I set up with only basic_ldap_auth against the AD, then I can use both,
>domain joined and not domain joined, but the first time it always gives a popup for authenticating.
>Once authenticated, it stays authenticated, aka windows/IE keeps the login and password,
>even if I clear the history.
>
>Why I don't want this...
>If a user is logged in to the domain, and kerberos auth is used, then when going on the internet,
>the "correct" aka logged in user is always used.
>But when I use basic_ldap_auth, then it lets the user put in another username/password at the popup,
>then it remembers the login and a user is now on the internet under another user's name.
>
>So, if I'm right, a fallback for all is not possible, due to NTLM auth?
>
>And a big thank you for your response.
>
>
>Greetz,
>
>Louis
>
>
>>-----Original message-----
>>From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Amos Jeffries
>>Sent: Tuesday 18 August 2015 8:39
>>To: squid-users at lists.squid-cache.org
>>Subject: Re: [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3
>>
>>On 18/08/2015 3:06 a.m., L.P.H. van Belle wrote:
>>> Hai all,
>>>
>>> I have a Debian Jessie setup with squid 3.4, all debian packages.
>>> I'm using samba 4 AD as domain controllers for my kerberos authentication.
>>>
>>> I've a setup as followed here:
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>>>
>>> I have my kerberos auth working, so I don't type any password with a "domain joined computer" when I want to use the internet.
>>> I have my Ldap auth working, for my "Non windows, non domain joined" devices.
>>>
>>> Now, I need to give users access to the internet on a non domain joined windows PC.
>>>
>>> I'm getting: (with markus negotiate_wrapper 1.0.1)
>>> 2015/08/17 16:31:51 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }
>>> 2015/08/17 16:32:03| negotiate_wrapper: Got 'YR TlR.... =' from squid (length: 59).
>>> 2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR... =' (decoded length: 40).
>>> 2015/08/17 16:32:03| negotiate_wrapper: received type 1 NTLM token
>>
>>Type 1 NTLM.
>>
>>> 2015/08/17 16:32:03| negotiate_wrapper: Return 'TT TlR...... AA= *
>>> 2015/08/17 16:32:03| negotiate_wrapper: Got 'KK TlR.... 8=' from squid (length: 711).
>>> 2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR.....8=' (decoded length: 530).
>>> 2015/08/17 16:32:03| negotiate_wrapper: received type 3 NTLM token
>>> 2015/08/17 16:32:03| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL
>>> 2015/08/17 16:32:03 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }}
>>>
>>>
>>> I know the following: (and correct me if I'm thinking wrong here.)
>>> ## 1) Pure Kerberos. Passthrough auth for windows users with windows DOMAIN JOINED pc's.
>>> ## Fallback to Ldap for NON WINDOWS NON DOMAIN JOINED Devices.
>>> ## NO NTLM. AKA, a windows pc, NOT JOINED in the domain, will always end up in a user popup for auth.
>>> ## Which will always fail because of NTLM TYPE 1 and TYPE 2 authorisations.
>>> ## 2) NEGOTIATE AUTH, which will do all of the above, but also authenticate Windows PC's Not domain Joined.
>>
>>Regarding (1):
>>
>>* "Pure kerberos" aka "Kerberos " auth scheme is not supported in Squid.
>>Only Negotiate/Kerberos. It was accepted by Squid-2 as an alias for
>>Negotiate, but Squid-3 operates differently and it was dropped for now.
>>
>>* Rejecting NTLM (ie Negotiate/NTLM) is an artifact of the Squid
>>kerberos-only helper rejecting NTLM tokens. Nothing more.
>>
>>You could reject the Negotiate/Kerberos tokens by configuring a
>>NTLM-only helper in the "auth_param negotiate program".
>>
>>* off-domain machines only ever worked using Basic authentication or
>>similar protocols called LanMan which sent passwords inside NTLM or
>>Negotiate/NTLM tokens. But LanMan are so insecure they are no longer
>>supported.
>> NP: if you have a client that will only authenticate with LanMan (SMB
>>LM) protocols you are better off security-wise not authenticating it at
>>all. At least that stops it broadcasting the user's password to
>>the world.
>>
>>
>>Regarding (2):
>>
>>* The machine still does need to be domain joined, at least recently
>>enough to have a valid Kerberos token. What can be avoided is being
>>connected "live" during the handshake itself.
>>
>> But that is a feature of the client software not related to Squid. So
>>some clients support it, most actually don't.
>>
>>
>>>
>>> But I receive a type 3 NTLM token...
>>>
>>
>>You also received NTLM type 1 prior to it. I suspect a machine not
>>joined to the domain is trying to use NTLM, which requires being on the
>>domain.
>>
>>There is no problem with this *unless* the client machine is refusing to
>>fallback to Negotiate/Kerberos or Basic auth after the failure.
>>
>>There is no reason a popup should occur unless all forms of
>>Negotiate/Kerberos, Negotiate/NTLM, NTLM, and Basic which are offered by
>>the proxy have failed.
>>
>>
>>>
>>> These are the configs I have tested and these 2 work.
>>> For kerberos auth
>>> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/hostname.fqdn at REALM
>>>
>>> for basic auth
>>> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
>>> -b "dc=internal,dc=domain,dc=tld" \
>>> -D ldap-bind at internal.domain.tld -W /etc/squid3/private/ldap-bind \
>>> -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
>>> -h addc.internal.domain.tld
>>>
>>> These don't work.
>>
>>I assume that by the positioning of your "these" statements you meant
>>the above work, and the below don't.
>>
>>>
>>> auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
>>> --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
>>> --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
>>> or
>>> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
>>> --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
>>> --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
>>>
>>> tried here the supplied wrapper with squid: /usr/lib/squid3/negotiate_wrapper_auth
>>> and I have tried the negotiate_wrapper of Markus, as the wiki.squid-cache.org also says here
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory (Install negotiate_wrapper)
>>>
>>> the kerberos part works but not the ntlm.
>>
>>One puzzling thing is why Win7 client is trying to use NTLM in the first
>>place. NTLM is disabled by default in Vista and later due to its lack of
>>security.
>>
>>Try adding "auth_param negotiate keep_alive off" to close connections
>>when Negotiate/NTLM is used and force the client to retry with other
>>auth credentials on a clean connection.
>>
>>
>>>
>>> when I try with only:
>>>
>>> ### pure ntlm authentication
>>> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
>>> auth_param ntlm children 10
>>> auth_param ntlm keep_alive off
>>>
>>> I'm also unable to authenticate on the proxy.
>>
>>NTLM will only work with current MS software if the client is joined to
>>the domain, and if NTLM is explicitly re-enabled.
>>
>>The 1970-80's LanMan protocols are no longer supported since 2006 (WinXP
>>SP3). The most secure of these can be decrypted in under 50 milliseconds
>>- ie "live".
>>
>>Ironically that was exactly how Squid helpers used to work for
>>off-domain clients all through the 2000's. LanMan passwords being
>>decrypted in real-time allowed Basic auth APIs in AD to be used. Giving
>>the appearance that off-domain machines were authenticating securely,
>>when in fact they were just broadcasting their passwords about. Not a
>>good situation.
>>
>>The old 1990's NTLM v1 and v2 are also on the way out since Vista. NTLM
>>v1 can be decrypted in a few seconds, v2 in a few minutes.
>>
>>
>>HTH
>>Amos
>>_______________________________________________
>>squid-users mailing list
>>squid-users at lists.squid-cache.org
>>http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
>
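The log lines in the thread above show negotiate_wrapper decoding a base64 blob that begins with "TlR", reporting "received type 1 NTLM token" and later "received type 3 NTLM token", and then handing the exchange to ntlm_auth, which fails because the Windows client is not domain joined. The following is an added example (not code from Squid, Samba or Markus' negotiate_wrapper) that performs that same first step on a Squid negotiate helper request line: base64-decode the token and decide whether it is raw NTLMSSP (and which message type) or a GSS-API framed Kerberos or SPNEGO token. It assumes the helper-protocol verbs YR (first token of an exchange) and KK (continuation) that appear in the quoted log; my understanding that negotiate_wrapper routes on the "NTLMSSP\0" signature is an assumption, and all sample tokens and lines are constructed, not captured from a client.

```python
import base64
import struct

# NTLMSSP messages start with this 8-byte signature. Its base64 form is
# "TlRMTVNTUAA", which is why every token in the quoted log begins with "TlR".
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

# GSS-API InitialContextToken framing (RFC 2743 section 3.1):
# tag 0x60, DER length, mechanism OID, then the mechanism's own inner token.
OID_SPNEGO = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2


def _der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; returns (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_oid(buf: bytes, pos: int):
    """Decode a DER OBJECT IDENTIFIER at buf[pos]; returns (oid bytes, next position)."""
    if buf[pos] != 0x06:
        raise ValueError("expected OID tag")
    length, pos = _der_length(buf, pos + 1)
    return buf[pos:pos + length], pos + length


def classify_token(raw: bytes) -> str:
    """Name the mechanism of a decoded Negotiate token. This is the check a
    wrapper helper makes (assumption) before choosing its NTLM or Kerberos back end."""
    if raw.startswith(NTLMSSP_SIGNATURE):
        if len(raw) < 12:
            return "ntlmssp/truncated"
        msg_type = struct.unpack_from("<I", raw, 8)[0]   # little-endian MessageType
        return f"ntlmssp/type{msg_type}-{NTLM_MESSAGE_TYPES.get(msg_type, 'unknown')}"
    if raw[:1] == b"\x60":
        try:
            _, pos = _der_length(raw, 1)
            oid, _ = _der_oid(raw, pos)
        except (IndexError, ValueError):
            return "gssapi/malformed"
        if oid == OID_SPNEGO:
            return "gssapi/spnego"
        if oid == OID_KRB5:
            return "gssapi/krb5"
        return "gssapi/other-oid"
    return "unknown"


def classify_helper_line(line: str) -> dict:
    """Parse one request line Squid sends a negotiate helper ('YR <b64>' starts
    an exchange, 'KK <b64>' continues it) and classify the token it carries."""
    verb, _, b64 = line.strip().partition(" ")
    if verb not in ("YR", "KK"):
        raise ValueError(f"not a negotiate helper request: {verb!r}")
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:   # binascii.Error is a ValueError subclass
        return {"verb": verb, "decoded_length": 0, "token": "undecodable", "b64_prefix": b64[:4]}
    return {"verb": verb, "decoded_length": len(raw), "token": classify_token(raw), "b64_prefix": b64[:4]}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _ntlm_message(msg_type: int, payload_len: int) -> bytes:
    # Constructed: signature, little-endian message type, zero-filled body.
    return NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + bytes(payload_len)


def _gss_token(oid: bytes, inner: bytes) -> bytes:
    # Constructed: short-form DER lengths suffice for these small tokens.
    body = b"\x06" + bytes([len(oid)]) + oid + inner
    assert len(body) < 0x80
    return b"\x60" + bytes([len(body)]) + body


# Constructed helper-protocol lines: a 40-byte NTLM type 1 and a type 3 message
# (the shapes the quoted log reports), then a Kerberos and a SPNEGO token.
SAMPLE_LINES = [
    "YR " + _b64(_ntlm_message(1, 28)),
    "KK " + _b64(_ntlm_message(3, 60)),
    "YR " + _b64(_gss_token(OID_KRB5, b"\x01\x00" + bytes(20))),
    "YR " + _b64(_gss_token(OID_SPNEGO, b"\xa0\x00")),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify_helper_line(line))
```

Run against the constructed lines, the first two classify as NTLMSSP type 1 (negotiate) and type 3 (authenticate) with a "TlRM" base64 prefix, exactly the pattern in the quoted negotiate_wrapper output, while the last two are recognised as GSS-API Kerberos and SPNEGO tokens that a Kerberos helper would accept. Seeing NTLMSSP tokens arrive under the Negotiate scheme from a particular client is therefore a quick way to confirm Amos' diagnosis that the machine is attempting NTLM rather than Kerberos, before changing the helper configuration.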