
Re: The Famous "NTLMSSP command 3, expected 1"


On 19/04/11 23:54, Go Wow wrote:
Hi,

I meant 3.1.11

How do I check which user-agent is giving this issue? As I said, 70% of
people here use IE (different versions): some use IE 8, IE 7 and IE 6.
20-25% use Firefox 3.6 or Firefox 4 and the rest use Google Chrome.

It may be in your logs as a client which gets a lot of NTLM denials.

If not, adding a log to record which agents are failing is easy:

  logformat agentTokens %{Proxy-Authorization}>h "%{User-Agent}>h"

(mind the wrap that is one line)

  acl failedAuth http_status 407
  access_log /some/file.log agentTokens failedAuth

This logs the auth tokens and user-agents sending them. One of the tokens should appear in cache.log next to the error message.


Can you please point me to some doc to use that negotiate wrapper. I
tried squid_kerb_auth and failed miserably and I'm not planning to go
near it until my squid is stable.

I have made a GPO for all users to use NTLM as preferred auth method,
let's see if that makes a difference. I did it by setting
"LmCompatibilityLevel" to "1" in the registry.

"1" is not a good value for that. Probably "4" is what you need. "5" if possible.

See this for what each level apparently means:

http://technet.microsoft.com/en-nz/magazine/2006.08.securitywatch%28en-us%29.aspx

It seems to be an old article, so things may have changed a little. I'm not sure how Kerberos integrates with those for example in IE 7/8.


Cheers

On 19 April 2011 14:08, Amos Jeffries wrote:
On 19/04/11 20:09, Go Wow wrote:

Hi,

I use NTLM to authenticate my AD users with Squid 3.11. My cache logs

You mean 3.1.1? We are only up to 3.2 series so far.

have these entries at random times. I know that the client is sending
a Kerberos reply instead of NTLM auth. I want to know whether
something can be done about this or not.

libsmb/ntlmssp.c:335(ntlmssp_update)  got NTLMSSP command 3, expected 1

I tried moving to Kerberos but it didn't work for me. My client environment
is IE 8, Chrome and Firefox 3.6 or 4

For the record, which User-Agent is broken and sending Kerberos when offered
NTLM? And are you offering Negotiate?

The new negotiate_wrapper helper from Markus Moeller may help. We have
tested it of use in "auth_param negotiate", but I'm not sure of the effect
if it's used in "auth_param ntlm".


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
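
One way to read the log that the agentTokens format above produces, as an added example that is not part of the original thread: it decodes each logged token, reports its NTLMSSP message type or GSS-API framing, and counts the result per user-agent. It assumes the first logged field is the client's Proxy-Authorization value (possibly %-encoded, or "-" when absent); the sample lines and function names are constructed for illustration.

```python
import base64
import struct
from collections import Counter
from urllib.parse import unquote

NTLMSSP_SIG = b"NTLMSSP\x00"

def classify_token(header_value):
    """Label a Proxy-Authorization value by scheme and token kind."""
    parts = header_value.split(None, 1)
    if len(parts) != 2:
        return "no token"
    scheme, b64 = parts
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return f"{scheme}: undecodable"
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:  # uint32 LE type follows
        return f"{scheme}: NTLMSSP type {struct.unpack_from('<I', raw, 8)[0]}"
    if raw[:1] == b"\x60":  # ASN.1 [APPLICATION 0]: GSS-API initial token
        return f"{scheme}: GSS-API (SPNEGO/Kerberos)"
    return f"{scheme}: unknown"

def tally(lines):
    """Count (user agent, token kind) pairs, skipping the normal type 1 step."""
    counts = Counter()
    for line in lines:
        # Assumed layout: <header value> "<user agent>"
        head, _, agent = line.rstrip("\n").partition(' "')
        kind = classify_token(unquote(head).strip())
        if not kind.endswith("NTLMSSP type 1"):
            counts[(agent.rstrip('"'), kind)] += 1
    return counts

def sample_lines():
    """Constructed log lines; tokens are bare headers, not real captures."""
    def ntlm(msg_type):
        return base64.b64encode(NTLMSSP_SIG + struct.pack("<I", msg_type) + b"\0" * 4).decode()
    gss = base64.b64encode(b"\x60\x82\x01\x00" + b"\0" * 8).decode()
    return [
        f'NTLM {ntlm(1)} "Mozilla/4.0 (compatible; MSIE 8.0)"',
        f'NTLM {ntlm(3)} "Mozilla/4.0 (compatible; MSIE 8.0)"',
        f'NTLM%20{ntlm(3)} "Mozilla/4.0 (compatible; MSIE 8.0)"',
        f'NTLM {gss} "Mozilla/5.0 Firefox/3.6"',
        '- "Mozilla/5.0 Chrome"',
    ]

if __name__ == "__main__":
    print(*tally(sample_lines()).items(), sep="\n")
```

A type 1 token on a 407 is the ordinary challenge step of the NTLM handshake, so it is skipped; the remaining rows show which agents were denied while sending a type 3 or a GSS-API token.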

