New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
e2guardian + CNTLM 0.92.3 issue #46
Comments
I don't know cntlm, you speak about this http://cntlm.sourceforge.net/ ? |
Yes I speak about http://cntlm.sourceforge.net. |
Thank, it's just to know if there is a problem about NTLM authplugin in E2. |
CNTLM works fine with direct connection to Squid |
Ok, please can you get the HTTP header ? For example with http://livehttpheaders.mozdev.org/ (for firefox) |
The output of livehttpheaders with CNTLM using Squid : http://cadol.es/paste/2944/ When I setup CNTLM to use e2guardian I don't have any output in livehttpheaders |
The ouput of e2guardian (debug mode) : http://cadol.es/paste/2945/ |
Good choices of websites. To the best of my knowledge this should be something like: Maybe I missed something, but the account (and password) seems good to me and if you activate basic plugin E2 should works. FYI squid/3.1.20 is deprecead |
Our distribution is based on Ubuntu 12.04 (maybe we have a lot of deprecated software, but ubuntu don't care :) Witch log talks about "Basic c2NyaWJlcGVkYWdvXGFkbWluOmVvbGU=" For the passwords it's an testing virtual machine with a never used in production password :) |
http://cadol.es/paste/2944/ I saw only basic auth So we need to compare with a NTLM connection who works (I mean compare HTTP header) to see if there is NTLMSSP somewhere, but your trace is only about BASIC Auth |
With CNTLM the browser allways do a "Basic Auth" CNTLM deals with the NTLM authentification. |
Is "Basic Auth" enabled in e2guardian? |
So the browser should receive a Basic auth, no ? |
nerijus yes |
In HTTPHeader.cpp This method HTTPHeader::authRequired waits a code 407 in my case it receives a 200 |
That's mean that the identification was not made by the browser. You can easily check
The first packet returns should be a 407 (RFC compliant) and the browser pop-up appears So CNTLM is a kind of "linker" to windows active directory ? I think the interest is very limited if the password is converted to basic, you have an encrypted password broken before it goes to the lan, without any security. But maybe I miss something, if not, my advice is to using the standard Squid helper to update your lan security. If the 407 is "removed" by CNTLM there are nothing we can do, please open a bug at CNTLM project. |
In HTTPHeader.cpp This method HTTPHeader::authRequired waits a code 407 in my case it receives a 200 Change this part of code could break ident or creates unexpected behavior. |
fredbcode: So CNTLM is a kind of "linker" to windows active directory ? No, we use cNTLM for browser that didn't support natively NTLM. cNTLM generate NTLM authentification but force basic authentification in the browser. |
Upon consideration of this issue, there is something strange in your comment |
The popup is allready passed when I have this 200. |
FYI: You can use two simultaneous methods in Squid, for example I'm using Digest and Basic, the browser negotiates. (For example wget can't works with digest and "deal" with squid in Basic) So ok, it's not a problem with NTLM but basic authentication, it's more simple. Between Squid and cNTLM only, if I understand right but force basic authentification in the browser That's the point, the basic authentication seems strange but maybe there is a mistake in the comment before because 407 is needed. |
cNTLM don't interact with Squid but with e2guardian and e2guardian talks to squid. |
Hum I don't know scribe, but e2guardian doesn't makes any identification If you speak about this http://fr.wikipedia.org/wiki/Scribe_%28serveur%29 I guess this is an openldap and E2 can't "talks" to him. To be clear E2/DG can just check if the user is identified to a proxy (no matter the kind of proxy squid, bluecoat, etc) and for this it just reads the headers From DG documentation: In some (but not all) cases DansGuardian subcontracts fetching the authentication information to the local proxy (probably Squid). DansGuardian ultimately cares only about the username, even when it subcontracts fetching the authentication to the local proxy which then goes much further. DansGuardian never knows or cares anything about the password (not even whether or not the password is correct). This does not lead to any problem because Squid won't return web content that DansGuardian can filter until after the password has proved correct. So DansGuardian can simply assume if it's here, it must be okay |
e2guardian is "placed" before the Proxy ? So the "client" connect to e2guardian and not directly to the Squid, am I right ? In this case the "Client" connects to CNTLM, and CNTLM deals with "is proxy" e2guardian witch deals with Squid. |
e2guardian is "placed" before the Proxy ? So the "client" connect to e2guardian and not directly to the Squid, am I right ? Yes In this case the "Client" connects to CNTLM with "is proxy" e2guardian witch deals with Squid. In your case where is CNTLM before or after Squid ? but I guess no matter Here an example As you can see CNTLM return the 407 through the squid and DG to browser, after that DG just read the result (ok or ko) DansGuardian doesn't makes any identification, just check if there is a problem. After that e2guardianf1.conf should be used with groupmode = 1 (or all groups are denied) |
We can reduce the problem like this, the basic credential through DG is RFC compliant ? |
In this case the "Client" connects to CNTLM with "is proxy" e2guardian witch deals with Squid. It's not like this, the credential method goes from the proxy to browser. browser -> CNTLM -> e2guardian -> squid -> net ? In this case there is NTLM between CNTLM and squid, so E2 should be configured to read NTLM If browser -> e2guardian -> CNTLM -> squid -> net In this case it's a basic identification Perhaps switch your config could resolve your problem ? |
In this case it's : browser -> CNTLM -> e2guardian -> squid -> net |
Ok it's more clear, who check the Ldap ? I guess Squid ? In this case we deal with NTLM between squid and CNTLM |
I try more debug and the result is : With CNTLM 0.35 it works, the debug : http://cadol.es/paste/2963/ Some capture on network : CNTLM 35 : http://cadol.es/paste/2960/ We continue to debug. |
With CNTLM 35 after the first request, I don't see anymore the ProxyAuth NTLM XXXX in the logs |
Yes normal, here a complete handshake: http://msdn.microsoft.com/en-us/library/dd925287%28v=office.12%29.aspx and http://squid.sourceforge.net/ntlm/client_proxy_protocol.html I think for a good debug we need a complete wireshark trace between the proxies without e2guardian to compare if there is a difference in HTTP Header with 0.35 and 0.92 (of course I'm speaking about a capture at first cnx with the 407 and the Handshake after) Proxy-Authorization: NTLM TlRMTVNTUAABAAAABrIAAAwADAAkAAAABAAEACAAAABBTU9OU0NSSUJFUEVEQUdP TlRMTVNTUA is constant in both version ? I saw something about in NTLM documentation but not in proxy mode, are you seeing exactly the same line with both ? |
yes same TlRMTVNTUA in both logs |
Ok, make a complete network trace with header, there must be a difference somewhere. |
This should help you: (port and eth depend of your config) |
We run this to get the headers with cntlm/e2guardian/squid.
|
I have found something in HTTPHeader.cpp. With the "working" cntlm version e2guardian opens a tunnel for POST Data : Opening tunnel for POST data With the "non-working" cntlm version e2guardian never opens the tunnel : Opening tunnel for POST data |
Yes, the documentation say it's the good end - open tunnel - after the identification was checked What's the trace says ? http://cadol.es/paste/2961/ is not enough detailed There is something missing (or added) at the answer of request from CNTLM 92 |
I'm reading CNTLM 92 code to see if something is wrong. For now I just saw to much HTTP/1.1 does e2guardian support HTTP/1.1 ? |
Yes, |
No more time to find out, I open a Bug on CNTLM to : https://sourceforge.net/p/cntlm/bugs/69/ |
Ok, so I close now, please feel free to reopen it. |
We have more informations about this, can we re-open this issue ? |
Of course yes |
We have some informations about this bug. For example, home page of the browser is an internal website, CNTLM force NTLM authentification, e2guardian manage the authentification session but squid allow access without authentification. If the homepage need authentification in squid, all works fine. I think e2guardian should access non authentificate connexion even if an NTLM authentification is started and not terminated. |
Maybe I'm misunderstanding, but: The problem is that CNTLM force authentification even if destination web site didn't need authentification. There is a big difference between this two headers Proxy-Authorization: NTLM : As you can see this not the same HTTP header CNTLM should reads NTLM Proxy-Authorization: NTLM authentication because this is his job. I think e2guardian should access non authenticate connexion even if an NTLM authentification is started and not terminated. E2guardian takes care only about proxy authentication, a complete and permanent NTLM proxy identification is needed otherwise this is a security breach, sorry but we can't allow that. Your config above-mentioned: In your case E2 takes only care about the identification (Proxy-Authorization:) configured in Squid Proxy-Authorization: BASIC for each requests FYI: Website with NTLM identification should doesn't works through web proxy - in usual case - because NTLM mean NT LAN Manager, however Squid can uses ConnPin for this http://wiki.squid-cache.org/Features/ConnPin this could be useful in local network. And I don't know if NTLM website can pass through E2, but Microsoft no longer support NTLM in applications. |
Maybe it will be more clear with PCAP file (I send it with png extension because pcap file are not allowed). Here is 2 PCAP file with this architecture: cntlm (port 3127) > e2guardian (port 3128) > squid (port 8080) My wgetrc file: http_proxy = http://10.2.3.1:3127/ use_proxy = onwget command: wget http://www.monip.org -O /dev/null -t 1 My default squid configuration: auth_param ntlm program /usr/lib/squid3/ntlm_smb_lm_auth -a rah/pouet http_access allow noauthAll work fine without CNTLM. In first case, www.monip.org is not in noauth ACL (): Frame 1 to 5: basic authentification to CNTLM If I add www.monip.org to my noauth ACL in squid (: Frame 1 to 5: basic authentification to CNTLM e2guardian is not unable to send my webpage. |
Ah, c'est beaucoup plus clair maintenant :) I will take a look next week, where I can see the pcap file ? browser -> e2guardian -> cntlm -> squid -> net browser -> e2guardian -> cntlm = BASIC I guess this should also reduce the load for e2 because BASIC ident code is more simpler |
First one: https://cloud.githubusercontent.com/assets/150240/5681840/28771ab0-981c-11e4-9e90-ad5716ed0daf.png What do you think about switch e2 with CNTLM No, because CNTLM is use only for a set of computer (mainly mobile workstation integrated to an other windows domain). |
I watched quickly (sorry very quickly) If I understand right the packet 18 is a FIN, ACK from e2 to CNTLM, so where is the communication between Squid and e2 ? We don't know why E2 close this cnx Same thing to the other trace packet 24,25,25 are answer from port 3128 to randomly source port (42952 in this case) so I guess the answer from e2 to CNTLM , but nothing for squid to e2 Maybe I missed something, in this case tell me, I will take a look later |
Oh I forgot, in trace - normally - without identification, why there is a NTLM negotiation (packet 9) ? But in this case there is a NTLM negociation: If the problem is CNTLM is buggy and force NTLM identification, unfortunately we can't change that with e2. This is too dangerous for security The squid answer should be very interesting ... And a comparison between the both CNTLM version too. |
Sorry, i forgot port 8080 in my tshark filter. Here are new captures: https://cloud.githubusercontent.com/assets/150240/5701900/99e065b6-9a52-11e4-8bd2-9a678fe72b23.png |
Ok the problem is that CNTLM try to negotiate with Squid a NTLM when this is not needed Proxy identification works like this:
Your problem is that the "client" uses a NTLM secure identification. E2 waits the NTLM Message Type: NTLMSSP_CHALLENGE but it never come. Can you make a trace with CNTLM 0.35 to see the difference ? Just with noauth acl Also can you try this, in authplugins/proxy-digest.conf add noauthdomains = '/yourpath/test/' and add your domain in test file |
In fact, we have quite same problem with cNTLM 0.35. In this version, ntlm authentification are only tried one time. Se we have an error, we just have to refresh page to access to the website.
No difference with this configuration. |
OK, unfortunately I see no answer with e2 for this problem. Personally, I'm using simultaneous auth methods (ACL) with squid, for example wget negotiates BASIC identification automatically (transparent for user), recent browser DIGEST, and for some others no AUTH at all. |
I understand, thanks for your help. |
Using e2guardian 3.0.4 and cntlm 0.92.3 authentification don't work. Using the same version of e2guardian with an older version of cntlm (0.35) works fine.
I'm debugging and looking for more informations if somebody have any idea please let me know.
(PS: Same problem with dansguardian)
The text was updated successfully, but these errors were encountered: