Bug #2984

Web proxy: Active Directory authentication not working

Added by Giacomo Sanchietti over 6 years ago. Updated over 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-squid
Target version: v6.6
Security class:
Resolution:
Affected version: v6.5-final
NEEDINFO: No

Description

Windows clients can't authenticate to the proxy after joining a domain.

Steps to reproduce:
  • Join the proxy server to an existing Active Directory domain
  • Configure the proxy in authenticated mode
  • Login with a domain user to a Windows machine joined to the same domain
  • Set the proxy address and port inside web browser
  • Try to open a non-https page
  • The web browser opens a popup requesting authentication
Expected behavior:
  • Windows client should be able to surf the internet without password request

Associated revisions

Revision 740f4d20
Added by Giacomo Sanchietti over 6 years ago

squid.conf: fix authentication for AD users. Refs #2984

Revision c4999044
Added by Giacomo Sanchietti over 6 years ago

authentication: add missing condition. Refs #2984

History

#1 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20
The bug is confirmed and it's caused by the squid configuration: both basic and kerberos authentication methods are enabled, but they are in the wrong order.
According to the Squid documentation (http://wiki.squid-cache.org/Features/Authentication), the order should be:
  1. negotiate
  2. ntlm
  3. digest
  4. basic
Modification needed:
  • remove basic authentication when Samba is in AD mode and add NTLM authentication for old clients (Windows XP)
  • add basic authentication only when in PDC mode or Samba is disabled

Also Windows clients MUST configure the proxy using the FQDN and not with the IP address.

Note
When AD mode is enabled, Linux clients can't authenticate to the proxy; you can create a bypass to work around the problem.

Custom template which fixes the problem (20acl_10_auth):

{
    use esmith::NetworksDB;
    my $ndb = esmith::NetworksDB->open_ro();
    my $green_mode = $squid{'GreenMode'} || "manual";
    my $blue_mode = $squid{'BlueMode'} || "manual";
    my $fqdn = "$SystemName.$DomainName";
    if ($green_mode eq 'authenticated' || (defined($ndb->blue()) && $blue_mode eq 'authenticated')) {
        $OUT .= "# Authentication required\n\n";

        # Samba in ADS mode: negotiate (Kerberos) first, NTLM as fallback, no basic
        if (defined $smb && $smb{'status'} eq 'enabled' && $smb{'ServerRole'} eq 'ADS') {
            $OUT .= "\n# GSSAPI auth in ADS mode\n";
            $OUT .= "auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth\n";
            $OUT .= "auth_param negotiate children 10\n";
            $OUT .= "auth_param negotiate keep_alive on\n";

            $OUT .= "\n# Additional NTLM auth for Windows XP clients in ADS mode\n";
            $OUT .= "auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp\n";
            $OUT .= "auth_param ntlm children 30\n";
        }
        # Samba in PDC mode: NTLM first, then basic against the local LDAP
        if (defined $smb && $smb{'status'} eq 'enabled' && $smb{'ServerRole'} eq 'PDC') {
            $OUT .= "\n# NTLM auth in PDC mode\n";
            $OUT .= "auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp\n";
            $OUT .= "auth_param ntlm children 30\n";

            $OUT .= "\n# BASIC (LDAP) in PDC mode\n";
            $OUT .= "auth_param basic program /usr/lib64/squid/basic_ldap_auth -b ou=People,dc=directory,dc=nh localhost\n";
            $OUT .= "auth_param basic children 5\n";
            $OUT .= "auth_param basic realm $fqdn\n";
            $OUT .= "auth_param basic credentialsttl 1 hours\n";
            $OUT .= "auth_param basic casesensitive on\n";
        }

        # Use BASIC/LDAP auth if we have slapd and Samba is disabled
        if ((!defined $smb || $smb{'status'} eq 'disabled') && defined $slapd && $slapd{'status'} eq 'enabled') {
            $OUT .= "\n# BASIC (LDAP)\n";
            $OUT .= "auth_param basic program /usr/lib64/squid/basic_ldap_auth -b ou=People,dc=directory,dc=nh localhost\n";
            $OUT .= "auth_param basic children 5\n";
            $OUT .= "auth_param basic realm $fqdn\n";
            $OUT .= "auth_param basic credentialsttl 1 hours\n";
            $OUT .= "auth_param basic casesensitive on\n";
        }

        $OUT .= "acl authenticated proxy_auth REQUIRED\n";
    }
}

Debug option for Squid authentication:

debug_options ALL,1 29,5
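As an added illustration (not code from the ticket or from nethserver-squid), the following Python mirrors the template's per-role logic and adds a checker for the scheme ordering problem described in comment #1: it flags any auth_param scheme that is offered before a stronger one. Helper paths are the ones from the template above; the role and status values are assumed to be the esmith db strings shown there.

```python
import re

# Scheme precedence from the Squid authentication docs cited in the ticket.
SCHEME_ORDER = ("negotiate", "ntlm", "digest", "basic")

# Helper command lines taken from the 20acl_10_auth template above.
NEGOTIATE_HELPER = "/usr/lib64/squid/negotiate_kerberos_auth"
NTLM_HELPER = "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
BASIC_HELPER = "/usr/lib64/squid/basic_ldap_auth -b ou=People,dc=directory,dc=nh localhost"


def squid_auth_params(smb_status, server_role, slapd_status, fqdn):
    """Return the auth_param lines for a NethServer role, in the order the
    fixed template emits them: negotiate, ntlm, then basic (if any)."""
    lines = []
    samba = smb_status == "enabled"
    if samba and server_role == "ADS":
        lines += [f"auth_param negotiate program {NEGOTIATE_HELPER}",
                  "auth_param negotiate children 10",
                  "auth_param negotiate keep_alive on",
                  f"auth_param ntlm program {NTLM_HELPER}",
                  "auth_param ntlm children 30"]
    elif samba and server_role == "PDC":
        lines += [f"auth_param ntlm program {NTLM_HELPER}",
                  "auth_param ntlm children 30"]
    # BASIC/LDAP only in PDC mode, or when Samba is off and slapd is on.
    if (samba and server_role == "PDC") or (not samba and slapd_status == "enabled"):
        lines += [f"auth_param basic program {BASIC_HELPER}",
                  "auth_param basic children 5",
                  f"auth_param basic realm {fqdn}",
                  "auth_param basic credentialsttl 1 hours",
                  "auth_param basic casesensitive on"]
    return lines


def check_auth_order(conf_lines):
    """Return the schemes offered before a stronger scheme, i.e. the
    misordering (basic ahead of negotiate) that caused this bug."""
    seen = []
    for line in conf_lines:
        m = re.match(r"\s*auth_param\s+(\w+)\s+program\b", line)
        if m and m.group(1) in SCHEME_ORDER and m.group(1) not in seen:
            seen.append(m.group(1))
    return [s for i, s in enumerate(seen)
            if any(SCHEME_ORDER.index(t) < SCHEME_ORDER.index(s) for t in seen[i + 1:])]


if __name__ == "__main__":
    print("\n".join(squid_auth_params("enabled", "ADS", "disabled", "proxy.example.com")))
```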

#2 Updated by Giacomo Sanchietti over 6 years ago

  • Category set to nethserver-squid

#3 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#5 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Package in nethserver-testing:
  • nethserver-squid-1.3.0-1.0git740f4d20.ns6.noarch.rpm
Test case
  • Check the bug is not reproducible

#6 Updated by Nicola Rauso over 6 years ago

  • Assignee set to Nicola Rauso

#7 Updated by Nicola Rauso over 6 years ago

  • Status changed from ON_QA to TRIAGED
  • Assignee deleted (Nicola Rauso)
  • % Done changed from 70 to 20

Bug is still reproducible.

Testing systems were configured as documented (Windows client joined to AD, NethServer as web proxy server with the squid testing package), DNS and reverse lookup queries worked correctly and the Windows client web proxy configuration was set as requested.
With this configuration the web browser continuously opens a popup requesting authentication and web pages are unreachable (even https ones).

In "/var/log/squid/access.log" the system logs:

Wed Jan 28 15:09:22 2015.638      0 192.168.5.27 TCP_DENIED/407 3805 CONNECT clients4.google.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.638      0 192.168.5.27 TCP_DENIED/407 3825 CONNECT translate.googleapis.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.703     56 192.168.5.27 TCP_DENIED/407 3908 CONNECT clients4.google.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.704     55 192.168.5.27 TCP_DENIED/407 3928 CONNECT translate.googleapis.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.810      1 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.811      0 192.168.5.27 TCP_DENIED/407 3789 CONNECT ssl.gstatic.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.811      0 192.168.5.27 TCP_DENIED/407 3789 CONNECT ssl.gstatic.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.812      0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.812      0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.813      0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.813      0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.814      0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.814      0 192.168.5.27 TCP_DENIED/407 3789 CONNECT www.gstatic.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.815      0 192.168.5.27 TCP_DENIED/407 3789 CONNECT www.gstatic.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.820      0 192.168.5.27 TCP_DENIED/407 3884 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.821      0 192.168.5.27 TCP_DENIED/407 3884 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.909      0 192.168.5.27 TCP_DENIED/407 3985 GET http://www.gstatic.com/chrome/profile_avatars/NothingToDownload - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.916      0 192.168.5.27 TCP_DENIED/407 4088 GET http://www.gstatic.com/chrome/profile_avatars/NothingToDownload - HIER_NONE/- text/html
Wed Jan 28 15:09:23 2015.015      0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:23 2015.017      0 192.168.5.27 TCP_DENIED/407 3884 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:23 2015.104      0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:23 2015.113      0 192.168.5.27 TCP_DENIED/407 3884 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:26 2015.421      0 192.168.5.27 TCP_DENIED/407 3785 CONNECT www.google.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:26 2015.424      0 192.168.5.27 TCP_DENIED/407 3888 CONNECT www.google.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:31 2015.487      0 192.168.5.27 TCP_DENIED/407 3789 CONNECT ssl.gstatic.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:31 2015.491      1 192.168.5.27 TCP_DENIED/407 3892 CONNECT ssl.gstatic.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:33 2015.032      0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:33 2015.038      1 192.168.5.27 TCP_DENIED/407 3884 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:10:21 2015.533      1 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:10:21 2015.535      0 192.168.5.27 TCP_DENIED/407 3884 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:10:21 2015.555      0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:10:21 2015.556      0 192.168.5.27 TCP_DENIED/407 3884 CONNECT www.google.it:443 - HIER_NONE/- text/html

in "/var/log/squid/cache.log" (with debug enabled) the system logs:

2015/01/28 15:09:22 kid1| Starting new negotiateauthenticator helpers...
2015/01/28 15:09:22 kid1| helperOpenServers: Starting 1/10 'negotiate_kerberos_auth' processes
2015/01/28 15:09:22 kid1| Starting new negotiateauthenticator helpers...
2015/01/28 15:09:22 kid1| helperOpenServers: Starting 1/10 'negotiate_kerberos_auth' processes
2015/01/28 15:09:22 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:22 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:22 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:22 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:22 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:23 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:23 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:26 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:31 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:33 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
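As an added triage helper (not part of the ticket or of nethserver-squid), the following Python correlates the two symptoms reported above: a client looping on TCP_DENIED/407 without ever authenticating, and the negotiate helper rejecting NTLM type 1 tokens, which means the browser is wrapping NTLM in the Negotiate header because it could not obtain a Kerberos ticket for the proxy (per comment #1, check that the browser uses the proxy FQDN rather than its IP). The sample log lines are constructed, modelled on the ones posted in this comment.

```python
import re
from collections import Counter

# Squid native access.log fields after the timestamp: elapsed, client IP,
# result/status, bytes, method, URL, user, hierarchy/peer, content type.
ACCESS_RE = re.compile(
    r"\s(\d{1,3}(?:\.\d{1,3}){3})\s+(\w+)/(\d{3})\s+\d+\s+(\w+)\s+(\S+)\s+(\S+)\s")
# Message negotiate_kerberos_auth logs when a client sends an NTLMSSP token
# inside the Negotiate header instead of a Kerberos ticket (see cache.log above).
NTLM_IN_NEGOTIATE = "BH received type 1 NTLM token"


def triage(access_lines, cache_lines):
    """Count 407 challenges and authenticated requests per client and correlate
    them with NTLM-in-Negotiate helper errors taken from cache.log."""
    denied, authenticated = Counter(), Counter()
    for line in access_lines:
        m = ACCESS_RE.search(line)
        if not m:
            continue  # not a native-format request line
        client, _result, status, _method, _url, user = m.groups()
        if status == "407":
            denied[client] += 1
        elif user != "-":
            authenticated[client] += 1
    ntlm_tokens = sum(NTLM_IN_NEGOTIATE in line for line in cache_lines)
    findings = [f"{c}: {n} x 407, never authenticated"
                for c, n in denied.items() if authenticated[c] == 0]
    if ntlm_tokens:
        findings.append(f"negotiate helper rejected {ntlm_tokens} NTLM tokens: clients could "
                        "not get a Kerberos ticket for the proxy; check they use its FQDN")
    return {"denied": dict(denied), "authenticated": dict(authenticated),
            "ntlm_tokens": ntlm_tokens, "findings": findings}


# Constructed sample lines modelled on the ticket's logs (not the original data).
SAMPLE_ACCESS = [
    "Wed Jan 28 15:09:22 2015.638      0 192.168.5.27 TCP_DENIED/407 3805 CONNECT clients4.google.com:443 - HIER_NONE/- text/html",
    "Wed Jan 28 15:09:22 2015.810      1 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html",
    "Wed Jan 28 15:09:40 2015.100     12 192.168.5.40 TCP_MISS/200 5120 GET http://example.com/ alice@AD.EXAMPLE.COM HIER_DIRECT/93.184.216.34 text/html",
]
SAMPLE_CACHE = [
    "2015/01/28 15:09:22 kid1| helperOpenServers: Starting 1/10 'negotiate_kerberos_auth' processes",
    "2015/01/28 15:09:22 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'",
    "2015/01/28 15:09:23 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'",
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_ACCESS, SAMPLE_CACHE)["findings"]))
```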

#8 Updated by Giacomo Sanchietti over 6 years ago

  • Target version changed from v6.5 to v6.6-rc1

#9 Updated by Giacomo Sanchietti over 6 years ago

  • Target version changed from v6.6-rc1 to v6.6

#10 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from TRIAGED to MODIFIED
  • % Done changed from 20 to 60

#11 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

#12 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

It's working on two other installations.
The behavior mostly depends on Windows AD and client configurations.

#13 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-base:
  • nethserver-squid-1.3.1-1.ns6.noarch.rpm
