Opened 5 years ago
Last modified 4 years ago
#1205 new Bug / Defect
NTLM squid + samba proxy — at Initial Version
Reported by: | krzee king | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | Networking | Version: | OpenVPN 2.4.7 (Community Ed) |
Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
Cc: | Steffan Karger |
Description
I setup a squid proxy for corp using NTLM which works for IE/chrome but not openvpn. Apparently this was worked on awhile back but may not have been merged: mail thread
here is my squid.conf:
acl localnet src 0.0.0.0/0 #allow whole internet acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 30 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes # ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet auth_param ntlm use_ntlm_negotiate on auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd auth_param basic children 5 auth_param basic realm Squid Basic Authentication auth_param basic credentialsttl 2 hours acl auth_users proxy_auth REQUIRED http_access allow all auth_users http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager http_access deny all http_port 3169 coredump_dir /var/spool/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 refresh_pattern . 0 20% 4320
and my smb.conf
# Global parameters [global] dns forwarder = 127.0.0.53 netbios name = OVPNTEST realm = TEST.OVPNTEST server role = active directory domain controller dns forwarder = 8.8.8.8 workgroup = OVPNTESTNET bind interfaces only = yes interfaces = lo winbind separator = + winbind use default domain = yes [netlogon] path = /var/lib/samba/sysvol/test.ovpntest/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No
and client.conf
client dev tun proto tcp # this port is actually blocked, but our proxy gets us past that remote IP_ADDRESS 5150 persist-key persist-tun compress nobind verb 4 key-direction 1 # In the following line i also tried forcing ntlm and ntlm2, neither helped http-proxy IP_ADDRESS PROXY_PORT auto-nct # I also tried DOMAIN\user and DOMAIN\\user but neither worked. # winbind seperator is + so I expect that to work, but chrome and IE both # wanted DOMAIN\user <http-proxy-user-pass> DOMAIN+user SAMBAPASS </http-proxy-user-pass>
Note: See
TracTickets for help on using
tickets.