*nix Thread, Squid Proxy, Debian and NTLM - Need Help in Technical; ...
  1. #1 JonThompson

    Squid Proxy, Debian and NTLM - Need Help

    Help!

    We have a squid3 proxy server running in a Hyper-V Debian machine. We set the server up in March and following a guide on the internet we got it to authenticate using your AD credentials and work using security groups (Internet Allowed, Internet Not Allowed etc.)

    The server has been up and running for the last month without any problems. On Friday my colleague installed the latest batch of security updates on the windows server and on the Debian machine.

    When we came back on Monday, every time a user opened a browser window (IE, FF, Chrome) squid prompted for user credentials - no matter which way you entered your AD credentials it refused them.

    After tinkering with it today, I have restored it to a 'working' snapshot; I have turned off the Firewall through Webmin and I have re-joined it to the domain.
    Now, whilst the server initially refused all requests from all browsers, it now seems that it’s working through Firefox (I can browse the web and posted this!), but still prompts for authentication in Chrome and IE.

    Has anybody else had this issue before? Anybody have any ideas what could be causing this to stop working overnight?

    Thanks.

  2. #2 jinnantonnixx
    Try
    wbinfo -u
    from the terminal.
    This should list AD users.
    If you get a problem, check your squid logs (in /var/log/squid) - look for "Unspecified GSS failure" - classic sign of Winbind going wrong.

    Probably a Samba problem - I've seen this a few times.

    First, simple thing to check - permissions OK?

    chmod 750 /var/lib/samba/winbindd_privileged
    chmod 600 /etc/squid/HTTP.keytab
    chown squid:squid /etc/squid/HTTP.keytab


    If all these pass muster, check your NTLM authenticator with this command (note, you might have a different auth program - check your squid.conf)
    /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    Type in the following - replacing DOMAIN, username, and PASSWORD with the relevant details:
    DOMAIN+username PASSWORD
    (hit return)

    It should either come back with an OK or ERR message, along with some other diagnostic info?
    Last edited by jinnantonnixx; 20th May 2014 at 04:48 PM.

  3. #3 JonThompson
    Thanks for the quick reply.

    I ran wbinfo -u and it returned a load of users from AD.

    I ran chmod 750 /var/lib/samba/winbindd_privileged and it couldn't find it?

    I ran chmod 600 /etc/squid/HTTP.keytab (it's called PROXY.keytab on our system) and this worked.

    I ran chown squid:squid /etc/squid/HTTP.keytab as root:root as we haven't got a squid user and this worked.

    I ran /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic DOMAIN+username PASSWORD replacing the relevant sections, and pressed enter. The command is still running as I type and hasn't returned anything to the console as yet, but I'm guessing that this should return something eventually?

  4. #4 jinnantonnixx
    I often had weird problems like this after Squid upgrades.

    Try this first:
    Assign privileges to the WinBind socket with the command:
    chmod 750 /var/lib/samba/winbindd_privileged



    Check the trust secret between the computer and AD
    wbinfo -t

    This should be OK as you're seeing AD users, but check nevertheless.


    You should see OK or ERR from the ntlm_auth program (immediately). Something wrong there. Look at your squid.conf file (in /etc/squid) and find the line that mentions ntlm_auth - make sure the path is OK.
    Perhaps your winbind separator isn't '+'. Try it with a '\'
    so you'd type DOMAIN\\<username> <password> <- Note you must use two backslashes



    Add the following line to the ‘Global Settings’ section of the file /etc/samba/smb.conf
    winbind refresh tickets = yes
    Last edited by jinnantonnixx; 21st May 2014 at 09:15 AM.

  5. #5 cpjitservices
    You may also need to issue: ntpdate *dcservername or IP* to make sure the clocks are synced. Also have a look at the command *klist* to see if your kerberos session has timed out. If it has, use *kinit* and then an Administrative account to create a new ticket. Also, you should be able to see your Debian machine in AD.

    You can also use *getent group* to make sure the groups of users in AD have been synced. If all of the above is correct then it should just work.
    Last edited by cpjitservices; 21st May 2014 at 11:26 AM.

  6. #6 jinnantonnixx
    Good point about the clocks being in sync. Well worth checking and using an NTP service (even internally)

    I presume he's just using NTLM rather than Kerberos (though it's perfectly normal to have both running concurrently, the preference determined by their order in squid.conf) so I suspect the klist and kinit are out of the picture. But that's an assumption.....
    Last edited by jinnantonnixx; 21st May 2014 at 11:31 AM.

  7. #7 cpjitservices
    Quote Originally Posted by jinnantonnixx:
    Good point about the clocks being in sync.

    I presume he's just using NTLM rather than Kerberos (though it's perfectly normal to have both running concurrently, the preference determined by their order in squid.conf) so I suspect the klist and kinit are out of the picture. But that's an assumption.....
    I've got a samba server here which authenticates via AD. If one of the servers (either the DC or the CentOS server) gets rebooted for updates, I have to issue the ntpdate command, otherwise users get the login box.

    example: ntpdate dcserver.domain.local

    If you get an error when running that command, stop the ntp service and run it again.
    Last edited by cpjitservices; 21st May 2014 at 11:34 AM.

  8. #8 jinnantonnixx
    Quote Originally Posted by cpjitservices:
    I've got a samba server here which authenticates via AD. If one of the servers (either the DC or the CentOS server) gets rebooted for updates, I have to issue the ntpdate command, otherwise users get the login box.

    example: ntpdate dcserver.domain.local
    Possibly out on a limb, but I think you can get around that with the 'tinker panic 0' directive in ntp.conf (which allows for massive drift correction).


  10. #9 JonThompson
    Quote Originally Posted by jinnantonnixx:
    I often had weird problems like this after Squid upgrades.

    Try this first:
    Assign privileges to the WinBind socket with the command:
    chmod 750 /var/lib/samba/winbindd_privileged

    Check the trust secret between the computer and AD
    wbinfo -t

    This should be OK as you're seeing AD users, but check nevertheless.

    You should see OK or ERR from the ntlm_auth program (immediately). Something wrong there. Look at your squid.conf file (in /etc/squid) and find the line that mentions ntlm_auth - make sure the path is OK.
    Perhaps your winbind separator isn't '+'. Try it with a '\'
    so you'd type DOMAIN\\<username> <password> <- Note you must use two backslashes

    Add the following line to the ‘Global Settings’ section of the file /etc/samba/smb.conf
    winbind refresh tickets = yes
    I've tried chmod 750 /var/lib/samba/winbindd_privileged but it says 'No such file or directory.'

    wbinfo -t returns that the trust secret for our domain via RPC calls succeeded.

    I've checked the path to our ntlm_auth and I've also tried it with \\ and it still hangs there doing nothing. Our ntlm_auth has -ntlmssp instead of basic.

    I've added that line to our samba conf file.

    Our Squid config runs kerberos and ntlm, then pure ntlm, then basic authentication. We haven't got a time server installed on the server. If it helps, I'm sure that this was the guide that we used: Active Directory Integrated Squid Proxy - Bit Binary Wiki

    If it helps I can post our Squid Config file?

  11. #10 jinnantonnixx
    Ah that's an entirely different kettle of fish. You're running Kerberos, and as it's first in the list you'll hit any Kerberos errors first.

    Elementary check is that of 'kinit Administrator' and 'klist' as mentioned by @cpjitservices

    Quite often 'authconfig --update' will fix things.

    A common error is that of using the same computer account to create your Samba connection and Kerberos connection. You should use two different computer accounts. Also, you can specify that the computer account does not expire. (--dont-expire-password parameter of msktutil)

    I'd recommend you look at this article as it covers most of the detail you need to know.
    http://blog.stefan-macke.com/2011/04...erver-2008-r2/
    Last edited by jinnantonnixx; 21st May 2014 at 02:47 PM.

  12. #11 JonThompson
    Quote Originally Posted by jinnantonnixx:
    Ah that's an entirely different kettle of fish. You're running Kerberos, and as it's first in the list you'll hit any Kerberos errors first.

    Elementary check is that of 'kinit' and 'klist' as mentioned by @cpjitservices
    I've run kinit and used my username and password. When I then run klist it returns a ticket. Our error log states: squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.

    Then it's negotiate_wrapper: Return 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
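    A small triage script for the checks raised in this thread: the keytab permissions from post #2, the clock sync point from posts #5 and #7, and the gss_accept_sec_context() / negotiate_wrapper 'BH' errors quoted just above. This is an added example, not code posted in the thread; the sample log lines are constructed, and the 300-second tolerance is Kerberos's default clock skew, not a value taken from the thread.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Triage helpers for the checks discussed
# above: keytab permissions, Kerberos clock tolerance and the cache.log errors.

# Squid's keytab must be readable only by the user Squid runs as (Debian's
# squid3 package runs as 'proxy', which is why there is no 'squid' user).
# Prints OK, BAD or MISSING; returns non-zero unless the mode is exactly 600.
check_keytab_mode() {
  [ -f "$1" ] || { echo "MISSING"; return 1; }
  if [ -n "$(find "$1" -perm 600)" ]; then echo "OK"; else echo "BAD"; return 1; fi
}

# Kerberos rejects tickets when client and KDC clocks differ by more than the
# default tolerance of 300 seconds, which is why ntpdate against the DC helps.
# Arguments: two epoch timestamps (proxy clock, DC clock).
clock_skew_ok() {
  local d=$(( $1 - $2 ))
  [ "${d#-}" -le 300 ]
}

# Classify one cache.log line. The negotiate_wrapper pattern is tested first
# because its 'BH' line also contains the gss_accept_sec_context() text.
classify_auth_line() {
  case "$1" in
    *"negotiate_wrapper: Return 'BH"*)   echo "HELPER_BROKEN" ;;
    *"gss_accept_sec_context() failed"*) echo "KERBEROS_GSS_FAILURE" ;;
    *) return 1 ;;
  esac
}

# Count classified lines in a log file, printed as "TAG count", sorted by tag.
summarise_auth_log() {
  local line tag
  while IFS= read -r line; do
    tag=$(classify_auth_line "$line") && printf '%s\n' "$tag"
  done < "$1" | sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample of the errors quoted in the thread (not a real log).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2014/05/21 14:30:01| squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information.
2014/05/21 14:30:01| negotiate_wrapper: Return 'BH gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information.'
2014/05/21 14:30:02| squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information.
2014/05/21 14:30:05| Starting Squid Cache (constructed noise line)
EOF

summarise_auth_log "$SAMPLE_LOG"
```

    Point summarise_auth_log at /var/log/squid/cache.log (or squid3's equivalent) and check_keytab_mode at your PROXY.keytab to run the same triage against a live box.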

  13. #12 jinnantonnixx
    I would delete the Kerberos account for the Debian server from AD and recreate it.

    How did you create the Kerberos account? msktutil?

    Scratch that - look at the article in my above post and see if that helps.
    Last edited by jinnantonnixx; 21st May 2014 at 02:53 PM.

  14. #13 JonThompson
    Quote Originally Posted by jinnantonnixx:
    I would delete the Kerberos account for the Debian server from AD and recreate it.

    How did you create the Kerberos account? msktutil?

    Scratch that - look at the article in my above post and see if that helps.
    I used the following command to add it into AD - msktutil --auto-update --verbose --computer-name squidproxy-k

    The problem is it doesn't seem to work anymore!

  15. #14 jinnantonnixx
    What, msktutil doesn't work? Any error message?

    I would add the following parameters to the msktutil command.

    --dont-expire-password --enctypes 28

    Delete the account squidproxy-k from AD. Give it time to percolate through if you have multiple DCs. <<< Important!!! Then try the msktutil again.
    Last edited by jinnantonnixx; 21st May 2014 at 03:03 PM.

  16. #15 JonThompson
    Quote Originally Posted by jinnantonnixx:
    What, msktutil doesn't work? Any error message?

    I would add the following parameters to the msktutil command.

    --dont-expire-password --enctypes 28

    Delete the account squidproxy-k from AD. Give it time to percolate through if you have multiple DCs. <<< Important!!! Then try the msktutil again.
    When I run msktutil --auto-update --verbose --computer-name squidproxy-k it complains that the mskutil command is not found, yet it previously worked?

    Thanks for your help so far.
