Opened 16 months ago

Last modified 8 weeks ago

#1205 new Bug / Defect

inline login and password with NTLM squid + samba proxy

Reported by: krzee king Owned by:
Priority: minor Milestone:
Component: Networking Version: OpenVPN 2.4.7 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc: Steffan Karger

Description (last modified by krzee king)

I set up a squid proxy for corp using NTLM which works for IE/chrome but not openvpn. Apparently this was worked on a while back but may not have been merged: mail thread

Date: Sun, 18 Dec 2016 17:46:55 +0100
From: Steffan Karger <steffan@karger.me>
Subject: Re: [Openvpn-devel] [PATCHv2 1/2] Get NTLMv1 and NTLMv2 up and running

here is my squid.conf:

acl localnet src 0.0.0.0/0  #allow whole internet
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow all auth_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny all
http_port 3169
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

and my smb.conf

# Global parameters
[global]
        dns forwarder = 127.0.0.53
        netbios name = OVPNTEST
        realm = TEST.OVPNTEST
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        workgroup = OVPNTESTNET
        bind interfaces only = yes
        interfaces = lo
        winbind separator = +
        winbind use default domain = yes
[netlogon]
        path = /var/lib/samba/sysvol/test.ovpntest/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

and client.conf

client
dev tun
proto tcp
# this port is actually blocked, but our proxy gets us past that
remote IP_ADDRESS 5150
persist-key
persist-tun
compress
nobind
verb 4
key-direction 1
# In the following line I also tried forcing ntlm and ntlm2; neither helped
http-proxy IP_ADDRESS PROXY_PORT auto-nct
# I also tried DOMAIN\user and DOMAIN\\user but neither worked.
# winbind separator is + so I expect that to work, but chrome and IE both
# wanted DOMAIN\user
<http-proxy-user-pass>
DOMAIN+user
SAMBAPASS
</http-proxy-user-pass>

Change History (8)

comment:1 Changed 16 months ago by Gert Döring

Cc: Steffan Karger added

Thanks for having a test config. We need to revive this old old patch.

comment:2 Changed 16 months ago by krzee king

Cc: Steffan Karger removed
Description: modified (diff)

comment:3 Changed 16 months ago by krzee king

kitsune worked with me in #openvpn-devel on this, and openvpn expects a \ as separator.
So I removed winbind separator from smb.conf and restarted samba. Then it still wouldn't work using \ or
as separator.
He suggested I not use inline, so instead I used

http-proxy 165.227.88.203 3169 ntlmauth ntlm2

and made a file named ntlmauth: line 1: DOMAIN\user, line 2: password

and now ntlm is working.

I will leave this open in case it is decided the inline password issue is a bug.

comment:4 Changed 16 months ago by krzee king

Summary: NTLM squid + samba proxy → inline login and password with NTLM squid + samba proxy

comment:5 Changed 15 months ago by Selva Nair

Were the inlined username and password lines terminated by something other than a single LF ('\n')?
One difference I've noticed between inline and file parsing of username/password is that the former just uses '\n' as the delimiter, while the latter removes both CR and LF at line ends. It may fail on Windows, for example. As inlined user/pass is only used with the proxy, it's not well tested, I suppose.
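
The LF-versus-CRLF difference described in comment 5, as an added model that is not OpenVPN's own parser: it assumes the inline path splits on '\n' only while the file path strips both CR and LF, uses the DOMAIN\user form from comment 3, and runs on constructed sample credentials (the helper names are this example's own):

```python
# Added example, not OpenVPN code: models the two credential-parsing paths
# described above and flags the line-ending and separator problems to rule
# out before suspecting the proxy itself.

def parse_inline_userpass(block: str) -> tuple[str, str]:
    """Model of the inline <http-proxy-user-pass> path: split on '\n' only,
    so a '\r' from CRLF line endings survives inside each field."""
    lines = block.split("\n")
    if len(lines) < 2:
        raise ValueError("inline block needs a username line and a password line")
    return lines[0], lines[1]


def parse_file_userpass(content: str) -> tuple[str, str]:
    """Model of the credentials-file path: both CR and LF are stripped."""
    lines = [line.rstrip("\r\n") for line in content.split("\n")]
    if len(lines) < 2:
        raise ValueError("credentials file needs a username line and a password line")
    return lines[0], lines[1]


def split_ntlm_domain(user: str) -> tuple[str, str]:
    """Split DOMAIN\\user, the separator form comment 3 says OpenVPN expects."""
    domain, sep, name = user.partition("\\")
    return (domain, name) if sep else ("", user)


def credential_problems(user: str, password: str) -> list[str]:
    """Return the problems found in parsed credentials (empty list if clean)."""
    problems = []
    for field, value in (("username", user), ("password", password)):
        if value != value.rstrip("\r\n"):
            problems.append(f"{field} carries trailing CR/LF: {value!r}")
    domain, _name = split_ntlm_domain(user)
    if not domain and "+" in user:
        problems.append("username uses '+' (winbind separator); use DOMAIN\\user")
    return problems


# Constructed inputs: the reporter's LF block, a CRLF variant, and the '+' form.
INLINE_LF = "DOMAIN\\user\nSAMBAPASS\n"
INLINE_CRLF = "DOMAIN\\user\r\nSAMBAPASS\r\n"
INLINE_PLUS = "DOMAIN+user\nSAMBAPASS\n"

if __name__ == "__main__":
    for label, block in (("LF", INLINE_LF), ("CRLF", INLINE_CRLF), ("plus", INLINE_PLUS)):
        u, p = parse_inline_userpass(block)
        print(label, "inline:", credential_problems(u, p) or "ok")
        u, p = parse_file_userpass(block)
        print(label, "file:", credential_problems(u, p) or "ok")
```

With LF endings both paths parse cleanly, so on the reporter's Linux client this model does not explain the failure; with CRLF endings only the inline path keeps a stray '\r' in both fields.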

comment:6 Changed 4 months ago by krzee king

Sorry for the year delay; no, it was Linux-style LF line endings.

comment:7 Changed 4 months ago by krzee king

Apparently I removed Steffan's CC 12 months ago; that was an accident. I'm not sure how to properly add it back :/

comment:8 Changed 8 weeks ago by Gert Döring

Cc: Steffan Karger added