Opened 5 years ago
Last modified 4 years ago
#1205 new Bug / Defect
inline login and password with NTLM squid + samba proxy
Reported by: krzee king
Owned by:
Priority: minor
Milestone:
Component: Networking
Version: OpenVPN 2.4.7 (Community Ed)
Severity: Not set
Keywords:
Cc: Steffan Karger
Description
I set up a squid proxy for corp using NTLM which works for IE/Chrome but not OpenVPN. Apparently this was worked on a while back but may not have been merged: mail thread
Date: Sun, 18 Dec 2016 17:46:55 +0100
From: Steffan Karger <steffan@karger.me>
Subject: Re: [Openvpn-devel] [PATCHv2 1/2] Get NTLMv1 and NTLMv2 up and running
here is my squid.conf:
    acl localnet src 0.0.0.0/0 #allow whole internet
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 30
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    # ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
    auth_param ntlm use_ntlm_negotiate on
    auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
    auth_param basic children 5
    auth_param basic realm Squid Basic Authentication
    auth_param basic credentialsttl 2 hours
    acl auth_users proxy_auth REQUIRED
    http_access allow all auth_users
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost manager
    http_access deny manager
    http_access deny all
    http_port 3169
    coredump_dir /var/spool/squid
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
    refresh_pattern . 0 20% 4320
and my smb.conf
    # Global parameters
    [global]
    dns forwarder = 127.0.0.53
    netbios name = OVPNTEST
    realm = TEST.OVPNTEST
    server role = active directory domain controller
    dns forwarder = 8.8.8.8
    workgroup = OVPNTESTNET
    bind interfaces only = yes
    interfaces = lo
    winbind separator = +
    winbind use default domain = yes

    [netlogon]
    path = /var/lib/samba/sysvol/test.ovpntest/scripts
    read only = No

    [sysvol]
    path = /var/lib/samba/sysvol
    read only = No
and client.conf
    client
    dev tun
    proto tcp
    # this port is actually blocked, but our proxy gets us past that
    remote IP_ADDRESS 5150
    persist-key
    persist-tun
    compress
    nobind
    verb 4
    key-direction 1
    # In the following line I also tried forcing ntlm and ntlm2, neither helped
    http-proxy IP_ADDRESS PROXY_PORT auto-nct
    # I also tried DOMAIN\user and DOMAIN\\user but neither worked.
    # winbind separator is + so I expect that to work, but Chrome and IE both
    # wanted DOMAIN\user
    <http-proxy-user-pass>
    DOMAIN+user
    SAMBAPASS
    </http-proxy-user-pass>
Change History (8)
comment:1 Changed 5 years ago by
Cc: Steffan Karger added
comment:2 Changed 5 years ago by
Cc: Steffan Karger removed
Description: modified (diff)
comment:3 Changed 5 years ago by
kitsune worked with me in #openvpn-devel on this, and OpenVPN expects a \ as separator.
So I removed winbind separator from smb.conf and restarted Samba. Then it still wouldn't work using \ or as separator.
He suggested I not use inline, so instead I used
    http-proxy 165.227.88.203 3169 ntlmauth ntlm2
and made a file named ntlmauth, line 1: DOMAIN\user, line 2: password,
and now NTLM is working.
I will leave this open in case it is decided the inline password issue is a bug.
comment:4 Changed 5 years ago by
Summary: NTLM squid + samba proxy → inline login and password with NTLM squid + samba proxy
comment:5 Changed 5 years ago by
Were the inlined username and password lines terminated by something other than a single LF ('\n')?
One difference I've noticed between inline and file for parsing of username/password is that the former just uses '\n' as the delimiter, the latter does remove both CR and LF at line ends. May fail on Windows for example. As inlined user/pass is only used with proxy, not well tested, I suppose.
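The two behaviours raised in this thread, the backslash split of the NTLM user name from comment:3 and the '\n'-only split of an inline block versus the CR/LF stripping of a credentials file from comment:5, modelled in C as an added example. This is not OpenVPN's own code: the function names, the fixed 256-byte fields and the sample input are assumptions made for the illustration. The sample input is the ticket's DOMAIN\user / SAMBAPASS pair as a Windows editor would save it, with CRLF line endings, which is the case comment:5 suspects.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CRED_MAX 256   /* field size; an assumption for this illustration */

struct userpass {
    char username[CRED_MAX];
    char password[CRED_MAX];
};

/* Copy n bytes of src into a CRED_MAX buffer and NUL-terminate it. */
static void copy_field(char *dst, const char *src, size_t n)
{
    if (n >= CRED_MAX) { n = CRED_MAX - 1; }
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Strip trailing CR and LF bytes in place, as a line-oriented file reader does. */
static void chomp(char *s)
{
    size_t len = strlen(s);
    while (len > 0 && (s[len - 1] == '\n' || s[len - 1] == '\r')) {
        s[--len] = '\0';
    }
}

/* Inline-block reader: split at '\n' only. A CRLF-terminated block leaves a
 * trailing '\r' on each field, and that byte then goes into the NTLM exchange. */
bool parse_inline_userpass(const char *block, struct userpass *up)
{
    const char *nl = strchr(block, '\n');
    if (nl == NULL) {
        return false;                       /* no password line at all */
    }
    copy_field(up->username, block, (size_t)(nl - block));
    const char *pw = nl + 1;
    const char *nl2 = strchr(pw, '\n');
    copy_field(up->password, pw, nl2 ? (size_t)(nl2 - pw) : strlen(pw));
    return up->username[0] != '\0' && up->password[0] != '\0';
}

/* File reader: same split, but each line is chomped, so CRLF and LF files
 * yield identical credentials. */
bool parse_file_userpass(const char *contents, struct userpass *up)
{
    if (!parse_inline_userpass(contents, up)) {
        return false;
    }
    chomp(up->username);
    chomp(up->password);
    return true;
}

/* Split "DOMAIN\user" at the first backslash, the form comment:3 says the
 * NTLM code expects. "DOMAIN+user" has no backslash, so the domain comes out
 * empty and the whole string is sent as the user name. */
void split_ntlm_domain(const char *username, char *domain, char *user)
{
    const char *sep = strchr(username, '\\');
    if (sep != NULL) {
        copy_field(domain, username, (size_t)(sep - username));
        copy_field(user, sep + 1, strlen(sep + 1));
    } else {
        domain[0] = '\0';
        copy_field(user, username, strlen(username));
    }
}

/* Wrappers returning the parsed values directly (static storage, demo only). */
const char *inline_username(const char *block)
{
    static struct userpass up;
    return parse_inline_userpass(block, &up) ? up.username : "";
}
const char *file_username(const char *contents)
{
    static struct userpass up;
    return parse_file_userpass(contents, &up) ? up.username : "";
}
const char *ntlm_domain_of(const char *username)
{
    static char domain[CRED_MAX], user[CRED_MAX];
    split_ntlm_domain(username, domain, user);
    return domain;
}

int main(void)
{
    /* Constructed input: the ticket's credentials saved with CRLF line ends. */
    const char *crlf = "DOMAIN\\user\r\nSAMBAPASS\r\n";
    printf("inline reader keeps CR: %d\n", strchr(inline_username(crlf), '\r') != NULL);
    printf("file reader keeps CR:   %d\n", strchr(file_username(crlf), '\r') != NULL);
    printf("domain of DOMAIN+user:  [%s]\n", ntlm_domain_of("DOMAIN+user"));
    printf("domain of DOMAIN\\user:  [%s]\n", ntlm_domain_of("DOMAIN\\user"));
    return 0;
}
```

Build with `cc -Wall -o userpass userpass.c && ./userpass`. If the inline reader reports a kept CR for your config, the practical workarounds are the ones already in this ticket: convert the client config to LF line endings, or move the credentials to a file as comment:3 did, which is read with both CR and LF stripped. Making the inline reader chomp each line the same way would remove the difference between the two paths.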
comment:7 Changed 4 years ago by
Apparently I removed Steffan's Cc 12 months ago; that was an accident, I'm not sure how to properly add it back :/
comment:8 Changed 4 years ago by
Cc: Steffan Karger added
Thanks for having a test config. We need to revive this old old patch.