diladele/squid-windows

Ntlm or kerberos authentication for single sign on

pinguthepenguin opened this issue · 9 comments

Is it possible to provide single sign-on with Squid for Windows? ntlm_auth does not seem to be in the library, and although negotiate_kerberos is there, it doesn't seem to work even with a keytab; I just get "invalid proxy" when running negotiate_kerberos_test.
Thanks

James

The main reason is most probably the inability of the squid negotiate wrapper/authenticator to cope with bad stdin in Cygwin - see nodejs/node-v0.x-archive#6459. We must wait for the Cygwin team to close the issue.

As a workaround, you could use the following .NET alternative, which is a native (non-Cygwin) app that handles Cygwin's async stdin properly. (To avoid large forks of the squid binary, you could use a stub.) Oh, and since it's using SSPI, there is no need for any keytab or configuration whatsoever; -AllowGroups and -DenyGroups are supported.

Meitinger- Can you provide a link to the .NET alternative helper? Thanks!

Hi. I also need the helper. Thanks!

This is the link to the source file: https://gist.githubusercontent.com/Meitinger/bb254e85fd2a3469945a/raw/726a29dbbd34e07271d65315acbc17d68a942d69/x_sspi_auth.cs
Compile for negotiate: csc /debug:pdbonly /optimize /define:Negotiate /out:negotiate_sspi_auth.exe x_sspi_auth.cs
Compile for ntlm: csc /debug:pdbonly /optimize /define:NTLM /out:ntlm_sspi_auth.exe x_sspi_auth.cs

@meitinger

I compiled the program and started using it, but I have a problem.

When I was using basic_ldap_auth access log says:

1494010982.672 1 192.168.11.88 TCP_DENIED/403 4484 GET http://www.google.com.br/url? tobias HIER_NONE/- text/html

When using ntlm_sspi_auth access log says:

1494010368.942 4700 192.168.11.88 TCP_TUNNEL/200 96550 CONNECT www.google.com.br:443 TROMM\\tobias HIER_DIRECT/216.58.202.163 -

Please note that on the first I have only tobias as the username, and on the second TROMM\\tobias (with a double '\', which is wrong, but ok...).

This causes the helper ext_ldap_group_acl to stop working, since it needs only the username. See what cache.log says:

'(&(objectclass=person)(sAMAccountName=TROMM\5ctobias)(memberof=CN=g-internet-padrao,OU=TROMM,DC=TROMM,DC=local))', searchbase 'DC=TROMM,DC=local'

It won't find the user, because it expects the user name only instead of DOMAIN\user (and note that the second '\' causes a problem here, being recognized as '\5').

Can you modify the helper to send the username only? Is that possible?

Thanks.

OK, I got it working by changing these lines:

// Remove the domain from the username (DOMAIN\user -> user); keep the whole name if no backslash is present
var nameParts = identity.Name.Split('\\');
var userName = nameParts.Length > 1 ? nameParts[1] : nameParts[0];
return string.Format("OK token=\"{0}\" user={1}", response.Length > 0 ? Convert.ToBase64String(response) : string.Empty, Uri.EscapeDataString(userName));

Now, I have another problem... When using basic_ldap_auth, old systems (like Windows NT 4) can authenticate, but with ntlm_sspi_auth these systems keep asking for user and password. Here is the log file when one of these systems tries to log on to the proxy:

2017/05/05 22:26:24 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2017/05/05 22:27:05| FATAL: ntlm_sspi_auth_mod (10068): System.ComponentModel.Win32Exception (0x80004005): O nome da rede especificado não está mais disponível
2017/05/05 22:27:05| FATAL: ntlm_sspi_auth_mod (10068): em Program.StdStream.Do(Byte[] buffer, Int32 offset, Int32 count, Boolean read)
2017/05/05 22:27:05| FATAL: ntlm_sspi_auth_mod (10068): em Program.StdStream.Read(Byte[] buffer, Int32 offset, Int32 count)
2017/05/05 22:27:05| FATAL: ntlm_sspi_auth_mod (10068): em System.IO.StreamReader.ReadBuffer()
2017/05/05 22:27:05| FATAL: ntlm_sspi_auth_mod (10068): em System.IO.StreamReader.ReadLine()
2017/05/05 22:27:05| FATAL: ntlm_sspi_auth_mod (10068): em Program.Main(String[] args)

Can you help me here to support these old systems?

Let's first address the double-backslash "issue": the helper returns only one backslash; squid simply logs two. The \5c in your query string is actually the proper way to escape a backslash in LDAP, so TROMM\5ctobias equals TROMM\tobias.
But you are right, querying sAMAccountName requires only the user name. Yet if you only want to check group membership, this can be done with the helper as well, no need for ext_ldap_group_acl. Use -A to specify allowed groups and -D to list denied groups. This, unlike your LDAP query, checks every group the user belongs to, not just the primary groups.

Now onto NT4: Are these clients able to access a simple SMB share on the same server on which the proxy is installed? If not, then you might have some (group) policy set (and there are quite a few) that hardens NTLM security on your server and prevents access from old clients.
You can also try removing ASC_REQ_REPLAY_DETECT, compile the helper with debug information and enable debug logging with -d.
The log that you posted is actually more likely an indication that squid no longer has an open pipe to the helper.
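As an added example (not code from the SSPI helper or from ext_ldap_group_acl), the following Python builds the group filter quoted in the cache logs from a DOMAIN\user login, escaping filter values per RFC 4515 (so a backslash becomes \5c) and stripping the domain prefix so the value matches sAMAccountName; the group DN is the one from the log above.

```python
# Group DN taken from the cache.log line in this thread.
GROUP_DN = "CN=g-internet-padrao,OU=TROMM,DC=TROMM,DC=local"

# RFC 4515 filter escapes: backslash, wildcard, parentheses and NUL.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_escape(value):
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def strip_domain(login):
    """Reduce DOMAIN\\user or user@realm to the bare account name that sAMAccountName holds."""
    if "\\" in login:
        return login.split("\\", 1)[1]
    return login.split("@", 1)[0]


def group_filter(login, group_dn=GROUP_DN, strip=True):
    """Filter in the shape ext_ldap_group_acl logs; strip=False reproduces the failing query."""
    user = strip_domain(login) if strip else login
    return "(&(objectclass=person)(sAMAccountName=%s)(memberof=%s))" % (
        ldap_escape(user), ldap_escape(group_dn))


if __name__ == "__main__":
    print(group_filter("TROMM\\tobias", strip=False))  # the query that found nobody
    print(group_filter("TROMM\\tobias"))               # the query that works
```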

@meitinger

Yes, Windows NT 4 can access Windows 2008 R2 shares without problem.

The same server has two versions of squid running (the old and working 2.7.STABLE8, where NT 4 can successfully access the server with authentication on port 3128, and the new one, which I am trying to make work on port 3129, squid/3.5.25).

You can check the code of the old SSPI helper here: http://squid.acmeconsulting.it/download/squid-2.7.STABLE8.tar.gz (under squid-2.7.STABLE8\helpers\ntlm_auth\mswin_sspi\ntlm_auth.c).

I removed ASC_REQ_REPLAY_DETECT (it appears two times) from the code and compiled the program again:

C:\Windows\Microsoft.NET\Framework\v4.0.30319>csc /debug:pdbonly /optimize /define:NTLM /out:c:\temp\ntlm_sspi_auth_debug.exe c:\temp\temp2.cs

Changed squid.conf to use the newly compiled helper:

auth_param ntlm program C:\SquidNovo\lib\squid\ntlm_sspi_auth_debug.exe -d

This is the log (I don't know why, but if I try several times it authenticates, but only after typing the username and password several times):

2017/05/06 15:38:26 kid1| helperOpenServers: Starting 5/5 'C:\SquidNovo\lib\squid\ext_ldap_group_acl.exe' processes
2017/05/06 15:38:26 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2017/05/06 15:38:26 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2017/05/06 15:38:26 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2017/05/06 15:38:26 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2017/05/06 15:38:26 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2017/05/06 15:38:26 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2017/05/06 15:38:26 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2017/05/06 15:38:26 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2017/05/06 15:38:26 kid1| Store logging disabled
2017/05/06 15:38:26 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2017/05/06 15:38:26 kid1| Target number of buckets: 1008
2017/05/06 15:38:26 kid1| Using 8192 Store buckets
2017/05/06 15:38:26 kid1| Max Mem size: 262144 KB
2017/05/06 15:38:26 kid1| Max Swap size: 0 KB
2017/05/06 15:38:26 kid1| Using Least Load store dir selection
2017/05/06 15:38:26 kid1| Set Current Directory to /var/cache/squid
2017/05/06 15:38:26 kid1| Finished loading MIME types and icons.
2017/05/06 15:38:26 kid1| HTCP Disabled.
2017/05/06 15:38:26 kid1| Squid plugin modules loaded: 0
2017/05/06 15:38:26 kid1| Adaptation support is off.
2017/05/06 15:38:26 kid1| Accepting HTTP Socket connections at local=[::]:3129 remote=[::] FD 20 flags=9
2017/05/06 15:38:27 kid1| storeLateRelease: released 0 objects
2017/05/06 15:38:31 kid1| Starting new ntlmauthenticator helpers...
2017/05/06 15:38:31 kid1| helperOpenServers: Starting 1/5 'C:\SquidNovo\lib\squid\ntlm_sspi_auth_debug.exe' processes
2017/05/06 15:38:31 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2017/05/06 15:38:31| ntlm_sspi_auth_debug (9104): starting with
2017/05/06 15:38:31| ntlm_sspi_auth_debug (9104): allowed groups =
2017/05/06 15:38:31| ntlm_sspi_auth_debug (9104): denied groups =
2017/05/06 15:38:32| ntlm_sspi_auth_debug (9104): received 'YR TlRMTVNTUAABAAAAB7IAAAUABQAlAAAABQAFACAAAABQQ0NDQ0dSVVBP'
2017/05/06 15:38:32| ntlm_sspi_auth_debug (9104): acquired credentials 421643568:173256368 expiring on 9223371172854800383
2017/05/06 15:38:32| ntlm_sspi_auth_debug (9104): AcceptSecurityContext returned
2017/05/06 15:38:32| ntlm_sspi_auth_debug (9104): result = A função foi concluída com êxito, mas deve ser chamada novamente para concluir o contexto
2017/05/06 15:38:32| ntlm_sspi_auth_debug (9104): flags = 0x00000900
2017/05/06 15:38:32| ntlm_sspi_auth_debug (9104): context handle = 421643568:173528448
2017/05/06 15:38:32| ntlm_sspi_auth_debug (9104): token length = 212
2017/05/06 15:38:32| ntlm_sspi_auth_debug (9104): token buffer = 0x421645360
2017/05/06 15:38:32| ntlm_sspi_auth_debug (9104): sending 'TT TlRMTVNTUAACAAAACgAKADgAAAAFgoEC7nMsduWmO8IAAAAAAAAAAJIAkgBCAAAABgGxHQAAAA9UAFIATwBNAE0AAgAKAFQAUgBPAE0ATQABABAAUwBFAFIAVgBJAEQATwBSAAQAFgB0AHIAbwBtAG0ALgBsAG8AYwBhAGwAAwAoAFMARQBSAFYASQBEAE8AUgAuAHQAcgBvAG0AbQAuAGwAbwBjAGEAbAAFABYAdAByAG8AbQBtAC4AbABvAGMAYQBsAAcACACdEz72l8bSAQAAAAA='
2017/05/06 15:38:32| ntlm_sspi_auth_debug (9104): received 'KK TlRMTVNTUAADAAAAGAAYAG4AAAAYABgAhgAAAAoACgBAAAAAGgAaAEoAAAAKAAoAZAAAAAAAAACeAAAABYKBAFAAQwBDAEMAQwBBAGQAbQBpAG4AaQBzAHQAcgBhAGQAbwByAFAAQwBDAEMAQwDSj5A/am5FazRr5kIXoP5se8WwxMuAQBGNa2m7rArzcrYPlB2OgCMBp7BVuP9TT9w='
2017/05/06 15:38:32| ntlm_sspi_auth_debug (9104): AcceptSecurityContext returned
2017/05/06 15:38:32| ntlm_sspi_auth_debug (9104): result = Falha na tentativa de logon
2017/05/06 15:38:32| ntlm_sspi_auth_debug (9104): flags = 0x00004000
2017/05/06 15:38:32| ntlm_sspi_auth_debug (9104): context handle = 421643568:173528448
2017/05/06 15:38:32| ntlm_sspi_auth_debug (9104): token length = 0
2017/05/06 15:38:32| ntlm_sspi_auth_debug (9104): token buffer = 0x0
2017/05/06 15:38:32| ntlm_sspi_auth_debug (9104): sending 'ERR token="" message=Falha%20na%20tentativa%20de%20logon'
2017/05/06 15:39:00| ntlm_sspi_auth_debug (9104): received 'YR TlRMTVNTUAABAAAAB5IAAAUABQAgAAAAAAAAAAAAAABHUlVQTwAAAAAA'
2017/05/06 15:39:00| ntlm_sspi_auth_debug (9104): freeing context 421643568:173528448
2017/05/06 15:39:00| ntlm_sspi_auth_debug (9104): AcceptSecurityContext returned
2017/05/06 15:39:00| ntlm_sspi_auth_debug (9104): result = A função foi concluída com êxito, mas deve ser chamada novamente para concluir o contexto
2017/05/06 15:39:00| ntlm_sspi_auth_debug (9104): flags = 0x00000900
2017/05/06 15:39:00| ntlm_sspi_auth_debug (9104): context handle = 421643568:199729184
2017/05/06 15:39:00| ntlm_sspi_auth_debug (9104): token length = 212
2017/05/06 15:39:00| ntlm_sspi_auth_debug (9104): token buffer = 0x421645360
2017/05/06 15:39:00| ntlm_sspi_auth_debug (9104): sending 'TT TlRMTVNTUAACAAAACgAKADgAAAAFgoECkAN48it1ClMAAAAAAAAAAJIAkgBCAAAABgGxHQAAAA9UAFIATwBNAE0AAgAKAFQAUgBPAE0ATQABABAAUwBFAFIAVgBJAEQATwBSAAQAFgB0AHIAbwBtAG0ALgBsAG8AYwBhAGwAAwAoAFMARQBSAFYASQBEAE8AUgAuAHQAcgBvAG0AbQAuAGwAbwBjAGEAbAAFABYAdAByAG8AbQBtAC4AbABvAGMAYQBsAAcACADPa0AHmMbSAQAAAAA='
2017/05/06 15:39:00| ntlm_sspi_auth_debug (9104): received 'KK TlRMTVNTUAADAAAAGAAYAGAAAAAYABgAeAAAAAoACgBAAAAADAAMAEoAAAAKAAoAVgAAAAAAAACQAAAABYKBAFQAUgBPAE0ATQB0AG8AYgBpAGEAcwBQAEMAQwBDAEMAOA7gNrAV2h/1zPF2lxsicMDj6QJ6ilLJRyHbiPlU8KnXtNvMdhZ6lIkfvx1EyFOT'
2017/05/06 15:39:00| ntlm_sspi_auth_debug (9104): AcceptSecurityContext returned
2017/05/06 15:39:00| ntlm_sspi_auth_debug (9104): result = A operação foi concluída com êxito
2017/05/06 15:39:00| ntlm_sspi_auth_debug (9104): flags = 0x00000000
2017/05/06 15:39:00| ntlm_sspi_auth_debug (9104): context handle = 421643568:199729184
2017/05/06 15:39:00| ntlm_sspi_auth_debug (9104): token length = 0
2017/05/06 15:39:00| ntlm_sspi_auth_debug (9104): token buffer = 0x0
2017/05/06 15:39:00| ntlm_sspi_auth_debug (9104): sending 'OK token="" user=tobias'
ext_ldap_group_acl.cc(584): pid=7616 :Connected OK
ext_ldap_group_acl.cc(727): pid=7616 :group filter '(&(objectclass=person)(sAMAccountName=tobias)(memberof=CN=g-internet-padrao,OU=TROMM,DC=TROMM,DC=local))', searchbase 'DC=TROMM,DC=local'
2017/05/06 15:39:13| FATAL: ntlm_sspi_auth_debug (9104): System.ComponentModel.Win32Exception (0x80004005): O nome da rede especificado não está mais disponível
2017/05/06 15:39:13| FATAL: ntlm_sspi_auth_debug (9104): em Program.StdStream.Do(Byte[] buffer, Int32 offset, Int32 count, Boolean read)
2017/05/06 15:39:13| FATAL: ntlm_sspi_auth_debug (9104): em Program.StdStream.Read(Byte[] buffer, Int32 offset, Int32 count)
2017/05/06 15:39:13| FATAL: ntlm_sspi_auth_debug (9104): em System.IO.StreamReader.ReadBuffer()
2017/05/06 15:39:13| FATAL: ntlm_sspi_auth_debug (9104): em System.IO.StreamReader.ReadLine()
2017/05/06 15:39:13| FATAL: ntlm_sspi_auth_debug (9104): em Program.Main(String[] args)
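To read the debug log above, here is an added Python decoder (example code, not part of the SSPI helper or of Squid) that parses the NTLMSSP Type 1 and Type 3 tokens copied from the YR and KK lines and reports the domain, user and workstation names, the negotiate flags, and whether the NT response is NTLMv1-style; the three constants are those tokens.

```python
import base64
import struct

# Tokens copied from the helper debug log above: the NT4 client's first YR (Type 1),
# the KK (Type 3) that was refused with "Falha na tentativa de logon", and the KK accepted.
TYPE1_NT4 = "TlRMTVNTUAABAAAAB7IAAAUABQAlAAAABQAFACAAAABQQ0NDQ0dSVVBP"
TYPE3_FAIL = "TlRMTVNTUAADAAAAGAAYAG4AAAAYABgAhgAAAAoACgBAAAAAGgAaAEoAAAAKAAoAZAAAAAAAAACeAAAABYKBAFAAQwBDAEMAQwBBAGQAbQBpAG4AaQBzAHQAcgBhAGQAbwByAFAAQwBDAEMAQwDSj5A/am5FazRr5kIXoP5se8WwxMuAQBGNa2m7rArzcrYPlB2OgCMBp7BVuP9TT9w="
TYPE3_OK = "TlRMTVNTUAADAAAAGAAYAGAAAAAYABgAeAAAAAoACgBAAAAADAAMAEoAAAAKAAoAVgAAAAAAAACQAAAABYKBAFQAUgBPAE0ATQB0AG8AYgBpAGEAcwBQAEMAQwBDAEMAOA7gNrAV2h/1zPF2lxsicMDj6QJ6ilLJRyHbiPlU8KnXtNvMdhZ6lIkfvx1EyFOT"

NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_NTLM2_SESSION = 0x00080000  # "NTLM2 session security"; NT4 clients never set it


def _field(buf, off):
    """Read an NTLM security-buffer descriptor (len, maxlen, offset) and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]


def decode_ntlm(token_b64):
    """Decode names and flags from an NTLMSSP Type 1 (YR) or Type 3 (KK) message as squid logs it."""
    buf = base64.b64decode(token_b64)
    if buf[:8] != b"NTLMSSP\0":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    if msg_type == 1:
        flags = struct.unpack_from("<I", buf, 12)[0]
        # Type 1 carries the client's domain and workstation as OEM (single-byte) strings.
        return {"type": 1, "flags": flags,
                "domain": _field(buf, 16).decode("ascii"),
                "workstation": _field(buf, 24).decode("ascii"),
                "ntlm2_session": bool(flags & NEGOTIATE_NTLM2_SESSION)}
    if msg_type == 3:
        flags = struct.unpack_from("<I", buf, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        nt_len = struct.unpack_from("<H", buf, 20)[0]  # NtChallengeResponse length
        return {"type": 3, "flags": flags,
                "domain": _field(buf, 28).decode(enc),
                "user": _field(buf, 36).decode(enc),
                "workstation": _field(buf, 44).decode(enc),
                # A 24-byte NT response is NTLMv1-style; NTLMv2 responses are longer (HMAC + blob).
                "ntlmv1": nt_len == 24}
    raise ValueError("unsupported NTLMSSP message type %d" % msg_type)


if __name__ == "__main__":
    for label, tok in (("YR", TYPE1_NT4), ("KK refused", TYPE3_FAIL), ("KK accepted", TYPE3_OK)):
        print(label, decode_ntlm(tok))
```

Decoding shows the refused KK was a logon as PCCCC\Administrador, a local account of the workstation rather than a domain account, while the accepted KK is TROMM\tobias; both carry 24-byte NTLMv1-style responses with no NTLM2 session security, which is exactly what a server-side NTLM-hardening policy refuses.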