Ntlm or kerberos authentication for single sign on #65
Comments
|
The main reason is most probably inability of squid negotiate wrapper/authenticator to cope with bad stdin in cygwin - see nodejs/node-v0.x-archive#6459. We must wait for the CygWin team to close the issue. |
|
As a workaround, you could use the following .NET alternative, which is a native (non-Cygwin) app that handles Cygwin's async stdin properly. (To avoid large forks of the squid binary, you could use a stub.) Oh, and since it's using SSPI, there is no need for any keytab or configuration whatsoever, |
|
Meitinger- Can you provide a link to the .NET alternative helper? Thanks! |
|
Hi. I am also need the helper. Thanks! |
|
This is the link to the source file: https://gist.githubusercontent.com/Meitinger/bb254e85fd2a3469945a/raw/726a29dbbd34e07271d65315acbc17d68a942d69/x_sspi_auth.cs |
|
I compiled the program and start using it, but I have some problem. When I was using basic_ldap_auth access log says: 1494010982.672 1 192.168.11.88 TCP_DENIED/403 4484 GET http://www.google.com.br/url? tobias HIER_NONE/- text/html When using ntlm_sspi_auth access log says: www.google.com.br:443 TROMM\\tobias HIER_DIRECT/216.58.202.163 - Please note that on the first I have only tobias as username, and on the second TROMM\\tobias (with double '\', which is wrong, but ok... This cause the helper ext_ldap_group_acl to stop working, since it need only username. See what cache log says: '(&(objectclass=person)(sAMAccountName=TROMM\5ctobias)(memberof=CN=g-internet-padrao,OU=TROMM,DC=TROMM,DC=local))', searchbase 'DC=TROMM,DC=local' He wont find the user, because it expect the user name only instead of DOMAIN\user (and note that the second '\' cause a problem here recognized as '\5'. Can you modify the helper to send the username only? Is that possible? Thanks. |
|
OK, I got it to working by changing these lines:
Now, I have another problem... When using basic_ldap_auth on old systems (like Windows NT 4) can authenticate, but with ntlm_sspi_auth these system keep asking for user and password. Here is log file when these system try to log on proxy: 2017/05/05 22:26:24 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument Can you help me here to support these old system? |
|
Let's first address the double-backslash "issue": The helper returns only one backslash, squid simply logs two. The Now onto NT4: Are these clients able to access a simple SMB share on the same server where the proxy is installed on? If not, then you might have some (group) policy set (and there are quite a few), which harden NTLM security of your server and prevent access from old clients. |
|
Yes, Windows NT 4 can access Windows 2008 R2 shares without problem. The same server have two versions of squid running (the old and working 2.7.STABLE8 where NT 4 can sucefully access the server with authentication on port 3128 and the new one, who I am trying to make work at port 3129, squid/3.5.25). You can check the code from the old SSPI here: http://squid.acmeconsulting.it/download/squid-2.7.STABLE8.tar.gz -under squid-2.7.STABLE8\helpers\ntlm_auth\mswin_sspi\ntlm_auth.c). I remove ASC_REQ_REPLAY_DETECT (it appear two times) from the code and compiled program again:
Change squid.conf to the new helper compiled:
This is the log (I don't know why, but if I try several times it authenticate, but just after several times typing username and password): 2017/05/06 15:38:26 kid1| helperOpenServers: Starting 5/5 'C:\SquidNovo\lib\squid\ext_ldap_group_acl.exe' processes |
Is it possible to provide single sign on with squid for Windows? Ntlm_auth does not seem to be there in the library and although negotiate_kerberos does it doesn't seem to work even with a key tab just get invalid proxy when running negotiate_kerberos_test
Thanks
James
The text was updated successfully, but these errors were encountered: