NTLM or Kerberos authentication for single sign-on #65
Comments
The main reason is most probably the inability of the squid negotiate wrapper/authenticator to cope with bad stdin in Cygwin - see nodejs/node-v0.x-archive#6459. We must wait for the Cygwin team to close the issue.
As a workaround, you could use the following .NET alternative, which is a native (non-Cygwin) app that handles Cygwin's async stdin properly. (To avoid large forks of the squid binary, you could use a stub.) Oh, and since it's using SSPI, there is no need for any keytab or configuration whatsoever.
Meitinger - Can you provide a link to the .NET alternative helper? Thanks!
Hi. I also need the helper. Thanks!
This is the link to the source file: https://gist.githubusercontent.com/Meitinger/bb254e85fd2a3469945a/raw/726a29dbbd34e07271d65315acbc17d68a942d69/x_sspi_auth.cs
I compiled the program and started using it, but I have some problems. When I was using basic_ldap_auth, the access log says:
1494010982.672 1 192.168.11.88 TCP_DENIED/403 4484 GET http://www.google.com.br/url? tobias HIER_NONE/- text/html
When using ntlm_sspi_auth, the access log says:
www.google.com.br:443 TROMM\\tobias HIER_DIRECT/216.58.202.163 -
Please note that on the first I have only tobias as the username, and on the second TROMM\\tobias (with a double '\', which is wrong, but ok...). This causes the helper ext_ldap_group_acl to stop working, since it needs only the username. See what the cache log says:
'(&(objectclass=person)(sAMAccountName=TROMM\5ctobias)(memberof=CN=g-internet-padrao,OU=TROMM,DC=TROMM,DC=local))', searchbase 'DC=TROMM,DC=local'
It won't find the user, because it expects the user name only instead of DOMAIN\user (and note that the second '\' causes a problem here, recognized as '\5'). Can you modify the helper to send the username only? Is that possible? Thanks.
OK, I got it working by changing these lines:
Now I have another problem... When using basic_ldap_auth, old systems (like Windows NT 4) can authenticate, but with ntlm_sspi_auth these systems keep asking for user and password. Here is the log file when these systems try to log on to the proxy:
2017/05/05 22:26:24 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
Can you help me here to support these old systems?
Let's first address the double-backslash "issue": The helper returns only one backslash, squid simply logs two. The Now onto NT4: Are these clients able to access a simple SMB share on the same server where the proxy is installed? If not, then you might have some (group) policy set (and there are quite a few) which hardens the NTLM security of your server and prevents access from old clients.
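To make the two log lines above concrete, here is an added Python example (not code from this thread or from the x_sspi_auth.cs gist): it undoes squid's log escaping, strips the DOMAIN\ prefix the SSPI helper returns, and rebuilds the ext_ldap_group_acl search filter with RFC 4515 escaping. The filter template is assumed from the cache-log line quoted above.

```python
# Added example (not from the thread or the x_sspi_auth.cs gist). Shows why
# ext_ldap_group_acl failed to match: the SSPI helper hands squid "TROMM\tobias",
# squid logs it as "TROMM\\tobias", and the LDAP filter escapes the backslash
# as \5c, so sAMAccountName never matches "tobias".

def unescape_logged_user(logged: str) -> str:
    """Undo squid's access.log escaping: the helper returned one backslash,
    squid wrote two."""
    return logged.replace("\\\\", "\\")

def strip_domain(username: str) -> str:
    """Reduce DOMAIN\\user (or user@REALM) to the bare account name that
    ext_ldap_group_acl expects in its sAMAccountName filter."""
    if "\\" in username:
        return username.rsplit("\\", 1)[1]
    if "@" in username:
        return username.split("@", 1)[0]
    return username

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 filter escaping; a backslash becomes \\5c, which is exactly
    the 'TROMM\\5ctobias' seen in the cache log."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

# Group DN taken from the cache-log line on this page.
GROUP_DN = "CN=g-internet-padrao,OU=TROMM,DC=TROMM,DC=local"

def group_filter(username: str, group_dn: str = GROUP_DN) -> str:
    """Search filter in the shape of the cache-log line (template assumed)."""
    return "(&(objectclass=person)(sAMAccountName=%s)(memberof=%s))" % (
        ldap_filter_escape(username), group_dn)

if __name__ == "__main__":
    logged = "TROMM\\\\tobias"          # constructed: as it appears in access.log
    raw = unescape_logged_user(logged)  # TROMM\tobias, what the helper actually sent
    print("unstripped filter:", group_filter(raw))
    print("stripped filter:  ", group_filter(strip_domain(raw)))
```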
Yes, Windows NT 4 can access Windows 2008 R2 shares without problems. The same server has two versions of squid running (the old and working 2.7.STABLE8, where NT 4 can successfully access the server with authentication on port 3128, and the new one, which I am trying to make work on port 3129, squid/3.5.25). You can check the code of the old SSPI helper here: http://squid.acmeconsulting.it/download/squid-2.7.STABLE8.tar.gz (under squid-2.7.STABLE8\helpers\ntlm_auth\mswin_sspi\ntlm_auth.c). I removed ASC_REQ_REPLAY_DETECT (it appears two times) from the code and compiled the program again:
Change squid.conf to the newly compiled helper:
This is the log (I don't know why, but if I try several times it authenticates, but only after typing username and password several times):
2017/05/06 15:38:26 kid1| helperOpenServers: Starting 5/5 'C:\SquidNovo\lib\squid\ext_ldap_group_acl.exe' processes
Is it possible to provide single sign-on with squid for Windows? ntlm_auth does not seem to be there in the library, and although negotiate_kerberos is, it doesn't seem to work even with a keytab; I just get "invalid proxy" when running negotiate_kerberos_test.
Thanks
James