Bug #2984
Web proxy: Active Directory authentication not working
| Field | Value |
|---|---|
| Status | CLOSED |
| Priority | Normal |
| Assignee | - |
| % Done | 100% |
| Category | nethserver-squid |
| Target version | v6.6 |
| Affected version | v6.5-final |
| NEEDINFO | No |
| Start date | |
| Due date | |
| Security class | |
| Resolution | |
Description
Windows clients can't authenticate to the proxy after joining a domain.
Steps to reproduce:
- Join the proxy server to an existing Active Directory domain
- Configure the proxy in authenticated mode
- Login with a domain user to a Windows machine joined to the same domain
- Set the proxy address and port inside web browser
- Try to open a non-https page
- The web browser opens a popup requesting authentication
- Windows client should be able to surf the internet without password request
Associated revisions
squid.conf: fix authentication for AD users. Refs #2984
authentication: add missing condition. Refs #2984
History
#1 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
According to the Squid documentation (http://wiki.squid-cache.org/Features/Authentication), the order should be:
- negotiate
- ntlm
- digest
- basic
- remove basic authentication when Samba is in AD mode and add NTLM authentication for old clients (Windows XP)
- add basic authentication only when in PDC mode or Samba is disabled
Also, Windows clients MUST configure the proxy using the FQDN and not the IP address.
Note: when AD mode is enabled, Linux clients can't authenticate to the proxy; you can create a bypass to work around the problem.
Custom template which fixes the problem (20acl_10_auth):

```perl
{
    use esmith::NetworksDB;
    my $ndb = esmith::NetworksDB->open_ro();
    my $green_mode = $squid{'GreenMode'} || "manual";
    my $blue_mode = $squid{'BlueMode'} || "manual";
    my $fqdn = "$SystemName.$DomainName";

    if ($green_mode eq 'authenticated' || (defined($ndb->blue()) && $blue_mode eq 'authenticated')) {
        $OUT .= "# Authentication required\n\n";

        # Samba
        if (defined $smb && $smb{'status'} eq 'enabled' && $smb{'ServerRole'} eq 'ADS') {
            $OUT .= "\n# GSSAPI auth in ADS mode\n";
            $OUT .= "auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth\n";
            $OUT .= "auth_param negotiate children 10\n";
            $OUT .= "auth_param negotiate keep_alive on\n";
            $OUT .= "\n# Additional NTLM auth for Windows XP clients in ADS mode\n";
            $OUT .= "auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp\n";
            $OUT .= "auth_param ntlm children 30\n";
        }

        if (defined $smb && $smb{'status'} eq 'enabled' && $smb{'ServerRole'} eq 'PDC') {
            $OUT .= "\n# NTLM auth in PDC mode\n";
            $OUT .= "auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp\n";
            $OUT .= "auth_param ntlm children 30\n";
            $OUT .= "\n# BASIC (LDAP) in PDC mode\n";
            $OUT .= "auth_param basic program /usr/lib64/squid/basic_ldap_auth -b ou=People,dc=directory,dc=nh localhost\n";
            $OUT .= "auth_param basic children 5\n";
            $OUT .= "auth_param basic realm $fqdn\n";
            $OUT .= "auth_param basic credentialsttl 1 hours\n";
            $OUT .= "auth_param basic casesensitive on\n";
        }

        # Use BASIC/LDAP auth if we have slapd and Samba is disabled
        if ((!defined $smb || $smb{'status'} eq 'disabled') && defined $slapd && $slapd{'status'} eq 'enabled') {
            $OUT .= "\n# BASIC (LDAP)\n";
            $OUT .= "auth_param basic program /usr/lib64/squid/basic_ldap_auth -b ou=People,dc=directory,dc=nh localhost\n";
            $OUT .= "auth_param basic children 5\n";
            $OUT .= "auth_param basic realm $fqdn\n";
            $OUT .= "auth_param basic credentialsttl 1 hours\n";
            $OUT .= "auth_param basic casesensitive on\n";
        }

        $OUT .= "acl authenticated proxy_auth REQUIRED\n";
    }
}
```
Debug option for Squid authentication:
debug_options ALL,1 29,5
#2 Updated by Giacomo Sanchietti over 6 years ago
- Category set to nethserver-squid
#3 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#4 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#5 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-squid-1.3.0-1.0git740f4d20.ns6.noarch.rpm
- Check the bug is not reproducible
#6 Updated by Nicola Rauso over 6 years ago
- Assignee set to Nicola Rauso
#7 Updated by Nicola Rauso over 6 years ago
- Status changed from ON_QA to TRIAGED
- Assignee deleted (Nicola Rauso)
- % Done changed from 70 to 20
Bug is still reproducible.
Testing systems were configured as documented (Windows client joined to AD, NethServer as web proxy server with the squid testing package); DNS and reverse lookup queries worked correctly, and the Windows client web proxy configuration was set as requested.
With this configuration the web browser continuously opens a popup requesting authentication and web pages are unreachable (even HTTPS ones).
In "/var/log/squid/access.log" the system logs:

```
Wed Jan 28 15:09:22 2015.638 0 192.168.5.27 TCP_DENIED/407 3805 CONNECT clients4.google.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.638 0 192.168.5.27 TCP_DENIED/407 3825 CONNECT translate.googleapis.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.703 56 192.168.5.27 TCP_DENIED/407 3908 CONNECT clients4.google.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.704 55 192.168.5.27 TCP_DENIED/407 3928 CONNECT translate.googleapis.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.810 1 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.811 0 192.168.5.27 TCP_DENIED/407 3789 CONNECT ssl.gstatic.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.811 0 192.168.5.27 TCP_DENIED/407 3789 CONNECT ssl.gstatic.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.812 0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.812 0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.813 0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.813 0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.814 0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.814 0 192.168.5.27 TCP_DENIED/407 3789 CONNECT www.gstatic.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.815 0 192.168.5.27 TCP_DENIED/407 3789 CONNECT www.gstatic.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.820 0 192.168.5.27 TCP_DENIED/407 3884 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.821 0 192.168.5.27 TCP_DENIED/407 3884 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.909 0 192.168.5.27 TCP_DENIED/407 3985 GET http://www.gstatic.com/chrome/profile_avatars/NothingToDownload - HIER_NONE/- text/html
Wed Jan 28 15:09:22 2015.916 0 192.168.5.27 TCP_DENIED/407 4088 GET http://www.gstatic.com/chrome/profile_avatars/NothingToDownload - HIER_NONE/- text/html
Wed Jan 28 15:09:23 2015.015 0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:23 2015.017 0 192.168.5.27 TCP_DENIED/407 3884 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:23 2015.104 0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:23 2015.113 0 192.168.5.27 TCP_DENIED/407 3884 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:26 2015.421 0 192.168.5.27 TCP_DENIED/407 3785 CONNECT www.google.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:26 2015.424 0 192.168.5.27 TCP_DENIED/407 3888 CONNECT www.google.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:31 2015.487 0 192.168.5.27 TCP_DENIED/407 3789 CONNECT ssl.gstatic.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:31 2015.491 1 192.168.5.27 TCP_DENIED/407 3892 CONNECT ssl.gstatic.com:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:33 2015.032 0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:09:33 2015.038 1 192.168.5.27 TCP_DENIED/407 3884 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:10:21 2015.533 1 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:10:21 2015.535 0 192.168.5.27 TCP_DENIED/407 3884 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:10:21 2015.555 0 192.168.5.27 TCP_DENIED/407 3781 CONNECT www.google.it:443 - HIER_NONE/- text/html
Wed Jan 28 15:10:21 2015.556 0 192.168.5.27 TCP_DENIED/407 3884 CONNECT www.google.it:443 - HIER_NONE/- text/html
```
In "/var/log/squid/cache.log" (with debug enabled) the system logs:

```
2015/01/28 15:09:22 kid1| Starting new negotiateauthenticator helpers...
2015/01/28 15:09:22 kid1| helperOpenServers: Starting 1/10 'negotiate_kerberos_auth' processes
2015/01/28 15:09:22 kid1| Starting new negotiateauthenticator helpers...
2015/01/28 15:09:22 kid1| helperOpenServers: Starting 1/10 'negotiate_kerberos_auth' processes
2015/01/28 15:09:22 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:22 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:22 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:22 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:22 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:23 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:23 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:26 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:31 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
2015/01/28 15:09:33 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
```
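A small Python check, added here as an example and not part of the ticket or of nethserver-squid, that applies the rules from comment #1 to a squid.conf fragment (scheme order, Negotiate plus NTLM fallback, no Basic in ADS mode) and counts the `BH received type 1 NTLM token` helper errors quoted in comment #7, which show a client presenting an NTLM token to the Kerberos-only Negotiate helper. The configuration fragments and cache.log lines it uses are constructed samples.

```python
import re
from typing import List

# Scheme order from the Squid authentication docs cited in comment #1.
RECOMMENDED_ORDER = ["negotiate", "ntlm", "digest", "basic"]
# cache.log text when the Kerberos-only Negotiate helper is handed an NTLM token (comment #7).
NTLM_IN_NEGOTIATE = "BH received type 1 NTLM token"
AUTH_PARAM_RE = re.compile(r"^\s*auth_param\s+(negotiate|ntlm|digest|basic)\s+program\b")

# Constructed samples: a Basic-only fragment, and the ADS-mode fragment the template emits.
BASIC_ONLY_CONF = """auth_param basic program /usr/lib64/squid/basic_ldap_auth -b ou=People,dc=directory,dc=nh localhost
auth_param basic children 5
"""
ADS_CONF = """auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
auth_param negotiate children 10
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
"""
SAMPLE_CACHE_LOG = [  # constructed, modelled on the lines quoted in comment #7
    "2015/01/28 15:09:22 kid1| helperOpenServers: Starting 1/10 'negotiate_kerberos_auth' processes",
    "2015/01/28 15:09:22 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'",
    "2015/01/28 15:09:23 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'",
]

def auth_scheme_order(conf_text: str) -> List[str]:
    """Return the auth schemes in the order their 'auth_param ... program' lines appear."""
    seen: List[str] = []
    for line in conf_text.splitlines():
        m = AUTH_PARAM_RE.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def check_ads_config(conf_text: str) -> List[str]:
    """Comment #1's rules for Samba ADS mode: documented order, Negotiate and NTLM present, no Basic."""
    schemes = auth_scheme_order(conf_text)
    problems = []
    ranks = [RECOMMENDED_ORDER.index(s) for s in schemes]
    if ranks != sorted(ranks):
        problems.append(f"auth_param schemes out of order: {schemes}")
    if "negotiate" not in schemes:
        problems.append("missing negotiate (Kerberos) scheme")
    if "ntlm" not in schemes:
        problems.append("missing ntlm fallback for clients without a Kerberos ticket")
    if "basic" in schemes:
        problems.append("basic auth configured in ADS mode")
    return problems

def count_ntlm_fallbacks(cache_log_lines: List[str]) -> int:
    """Count cache.log lines where a client sent an NTLM token to the Kerberos-only helper."""
    return sum(1 for line in cache_log_lines if NTLM_IN_NEGOTIATE in line)
```

Run `check_ads_config` over the `auth_param` section of the generated squid.conf and `count_ntlm_fallbacks` over cache.log; a non-zero fallback count on a Negotiate-only configuration is exactly the failure mode the QA run hit.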
#8 Updated by Giacomo Sanchietti over 6 years ago
- Target version changed from v6.5 to v6.6-rc1
#9 Updated by Giacomo Sanchietti over 6 years ago
- Target version changed from v6.6-rc1 to v6.6
#10 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to MODIFIED
- % Done changed from 20 to 60
#11 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
#12 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
It's working on two other installations.
The behavior mostly depends on Windows AD and client configurations.
#13 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-squid-1.3.1-1.ns6.noarch.rpm