Opened 5 years ago

Last modified 4 years ago

#1205 new Bug / Defect

NTLM squid + samba proxy — at Initial Version

Reported by: krzee king Owned by:
Priority: minor Milestone:
Component: Networking Version: OpenVPN 2.4.7 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc: Steffan Karger

Description

I setup a squid proxy for corp using NTLM which works for IE/chrome but not openvpn. Apparently this was worked on awhile back but may not have been merged: mail thread

here is my squid.conf:

acl localnet src 0.0.0.0/0  #allow whole internet
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow all auth_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny all
http_port 3169
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

and my smb.conf

# Global parameters
[global]
        dns forwarder = 127.0.0.53
        netbios name = OVPNTEST
        realm = TEST.OVPNTEST
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        workgroup = OVPNTESTNET
        bind interfaces only = yes
        interfaces = lo
        winbind separator = +
        winbind use default domain = yes
[netlogon]
        path = /var/lib/samba/sysvol/test.ovpntest/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

and client.conf

client
dev tun
proto tcp
# this port is actually blocked, but our proxy gets us past that
remote IP_ADDRESS 5150
persist-key
persist-tun
compress
nobind
verb 4
key-direction 1
# In the following line i also tried forcing ntlm and ntlm2, neither helped
http-proxy IP_ADDRESS PROXY_PORT auto-nct
# I also tried DOMAIN\user and DOMAIN\\user but neither worked.
# winbind seperator is + so I expect that to work, but chrome and IE both
# wanted DOMAIN\user
<http-proxy-user-pass>
DOMAIN+user
SAMBAPASS
</http-proxy-user-pass>

Change History (0)

Note: See TracTickets for help on using tickets.