RE: [squid-users] NTLM & Domain Membership Issue

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Wed, 30 Jul 2003 21:53:20 +0200

Hi Jay,

Sorry for the delayed response, but now I'm very busy.

At 07.16 27/07/2003, Jay Turner wrote:

> > -----Original Message-----
> > From: Serassio Guido [mailto:guido.serassio@acmeconsulting.it]
> > Sent: Saturday, 26 July 2003 3:20 PM
> > To: jturner@bsis.com.au
> > Cc: squid-users@squid-cache.org
> > Subject: Re: [squid-users] NTLM & Domain Membership Issue
> >
> >
> > Hi,
> >
> > At 08.05 26/07/2003, Jay Turner wrote:
> >
> > >Hi All,
> > >
> > >I am experiencing an unusual problem with NTLM and Domain Membership.
> > >
> > >Environment:
> > >Red Hat 7.3
> > >Squid2.5-STABLE2
> > >Samba 2.2.7-3.7.3 (Red Hat)
> > >Windows 2000 AD server (Native Mode with Pre-2000 compatibility)
> > >WinXP SP1, IE6 SP1 + all current patches applied
> > >
> > >Background:
> > >I have deployed Squid and NTLM a number of times now so I have a bit of
> > >experience installing & troubleshooting it.
> > >Winbindd is working correctly from the command line with wbinfo -t, -u,
> > >-g, -r and -a all performing correctly.
> > >wb_auth from the command line also works correctly and so does wb_group
> > >So from what I can see Winbindd is working fine.
> > >
> > >If I have a client computer (Win2000 or WinXP) that is on the network, but
> > >not a member of the domain, and I access the proxy, I receive an
> > >authentication window. This is correct as NTLM will fail as it is not a
> > >member of the domain and fall back to Basic. I can enter a valid
> > >username/password/domain and then access the proxy correctly. Cache and
> > >access.log all report the correct behaviour as I expect.
> > >
> > >As soon as I add this client computer to become a member of the domain,
> > >everything stops working.
> > >NTLM authentication does not work, and neither does Basic authentication.
> > >The browser sits there for a second then displays the standard IE 'Page
> > >cannot be found'.
> > >
> > >I have increased debugging on Authentication in squid.conf and run
> > >winbindd in debug mode (winbindd -i -d 3) to try and establish the
> > >problem. When a client on the domain requests a page cache.log reports
> > >"authenticateValidateUser: Validating Auth_user request '0x8413238'"
> > >"authenticateValidateUser: Validated Auth_user request '0x8413238'"
> > >"User not fully authenticated"
> > >
> > >But nothing is being recorded by Winbindd (as opposed to when it works).
> > >
> > >This message could hold the key, but I'm not entirely sure where I should
> > >look next for this.
> > >
> > >I have reams of log files with debugging turned right up which I can post
> > >specific sections of if required, but I'm not going to post all of them
> > >now for people to wade through.
> > >
> > >I commented out wb_ntlmauth in squid.conf and tried using just wb_auth to
> > >see if I could get the basic auth to work and that did the same thing.
> > >
> > >The interesting thing is that I brought this server back to my office and
> > >changed its IP address and made it a member of our Windows NT4 domain and
> > >then using the same Win XP client from the other network (it's a laptop)
> > >it works perfectly!!
> > >
> > >This leads me to believe that there must be something in the way their AD
> > >is set up that might be causing this problem??
> > >
> > >Any advice will be greatly appreciated.
> >
> > Some tips:
> >
> > - Have you restarted Squid after disabling NTLM authentication?
> > - An AD replication problem? Samba should always use the DC that acts as
> > PDC emulator.
> > - Some strange behaviour of DNS caching?
> >
> > Hoping to help you
> >
> > Regards
> >
> > Guido
>
>Hi Guido,
>
>1) I don't specifically remember restarting Squid, but I would have
>definitely issued a 'squid -k reconfigure'.
>Is it necessary when dealing with winbind to actually issue 'service squid
>restart'?

If I'm not wrong, when the authentication schemes are changed, squid should
be restarted.

>2) I'm not a Windows 2000 admin (which makes this harder) so while I
>understand what you are saying, I'm not sure how it might affect me and this
>install. I believe there is only one AD server that authenticates user logins
>in this network but I will follow that up.
>
>3) It's funny you mention DNS caching because I did notice some strange DNS
>behaviour onsite.

It's not so funny: AD domains are DNS based, and Microsoft DNS is sometimes
very strange ...

>While trying to isolate the problem I noticed by using netstat that
>connections were being opened from the Squid server webcache port to the
>netbios name of the computer that *wasn't* a member of the domain without a
>problem. It was correctly identifying its netbios name and returning
>responses.
>
>When the other computer *was* a member of the domain (at this point I had
>one 2000 machine that *wasn't* a member of the domain working, in
>conjunction with another computer that was WinXP and *was* on the domain and
>not working) netstat was showing connections being opened from the Squid
>webcache port to a computer with a netbios name that doesn't even exist
>anymore.
>The Win2000 admin removed this old entry from the DNS cache but it didn't
>seem to make a difference. Perhaps we didn't allow enough time for it to
>replicate? The strange thing was that from the Squid server command line you
>could not ping the netbios named computer because it said it could not
>resolve the host name, yet Squid was still trying to establish connections
>to it. (the connection netstat status was TIME_WAIT from memory).
>
>In an attempt to combat a possible DNS issue I statically assigned the IP
>address of the working Win2000 machine to the not working domain member
>WinXP machine, but still no good. I also changed the IP address of the Squid
>server as the IP address it had originally was an old IP address that still
>had a DNS entry for the server that used to have this address's name.

Do you use WINS on your network too? And if the answer is yes, do you have
WINS lookup enabled in your DNS?

If the WINS database is consistent (see the NetBIOS Domain Name object 1Ch),
Samba can use it; see smb.conf.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l.
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426 Fax. : +39.011.3293665
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Wed Jul 30 2003 - 13:54:56 MDT
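The checks Jay ran by hand (wbinfo -t/-u/-g, whether the DC's name resolves, whether the helpers named in squid.conf are really there) and the two points Guido raises (NetBIOS 1C name lookup for the domain controllers, restarting squid after changing authentication schemes) collected into one preflight script. This is an added example, not code from the thread, from Squid or from Samba; it assumes the Samba 2.2 tools wbinfo and nmblookup and getent are on PATH, and the domain name, DC hostname and squid.conf path are placeholders to be overridden through the environment.

```shell
#!/bin/sh
# ntlm_preflight.sh: sanity checks for a Squid 2.5 + Samba winbind NTLM setup.
# Added example, not part of the original thread. Assumes wbinfo, nmblookup
# and getent are on PATH; NTLM_DOMAIN, NTLM_DC_HOST and SQUID_CONF below are
# placeholder values (assumptions), override them via the environment.

NTLM_DOMAIN="${NTLM_DOMAIN:-EXAMPLEDOM}"          # NetBIOS domain (assumption)
NTLM_DC_HOST="${NTLM_DC_HOST:-dc1.example.local}" # DC's DNS name (assumption)
SQUID_CONF="${SQUID_CONF:-/etc/squid/squid.conf}"

# winbindd can talk to a DC: the machine trust account check must pass.
check_trust() {
    wbinfo -t >/dev/null 2>&1
}

# winbindd can enumerate domain users and groups (at least one of each).
check_enum() {
    wbinfo -u 2>/dev/null | grep -q . &&
    wbinfo -g 2>/dev/null | grep -q .
}

# AD is DNS based: the DC's name must resolve; a stale record pointing at a
# decommissioned host is exactly the symptom seen with netstat in the thread.
check_dc_dns() {
    getent hosts "$NTLM_DC_HOST" >/dev/null 2>&1
}

# NetBIOS side: the domain's 1C group name lists the domain controllers and
# must resolve (WINS or broadcast) for Samba to find a DC that way.
check_dc_1c() {
    nmblookup "${NTLM_DOMAIN}#1c" 2>/dev/null | grep -q "${NTLM_DOMAIN}<1c>"
}

# Print "scheme path" for every "auth_param <scheme> program <path> ..." line.
auth_helpers_from_conf() {
    awk '$1 == "auth_param" && $3 == "program" { print $2, $4 }' "$1"
}

# Every configured helper (e.g. wb_ntlmauth, wb_auth) must exist and be
# executable; fails on the first one that is not.
check_helpers() {
    auth_helpers_from_conf "$1" | while read -r scheme path; do
        [ -x "$path" ] || { echo "FAIL $scheme helper $path is not executable" >&2; exit 1; }
    done
}

# Run every check, report each one, and return the number of failures.
run_all() {
    fails=0
    for c in check_trust check_enum check_dc_dns check_dc_1c; do
        if "$c"; then echo "ok   $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    if check_helpers "$SQUID_CONF"; then echo "ok   check_helpers"
    else echo "FAIL check_helpers"; fails=$((fails + 1)); fi
    echo "$fails check(s) failed. After changing auth_param lines restart squid" \
         "rather than relying on 'squid -k reconfigure'."
    return "$fails"
}

# Only run when invoked as "sh ntlm_preflight.sh run", so the file can also be
# sourced for its functions.
case "${1:-}" in run) run_all ;; esac
```

Run it as `NTLM_DOMAIN=BSIS NTLM_DC_HOST=dc.bsis.example sh ntlm_preflight.sh run` on the proxy itself: the exit status is the number of failed checks, and a FAIL on check_dc_dns or check_dc_1c while the wbinfo checks pass points at name resolution rather than at winbind, which is the split this thread was trying to make.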