
Re: Fwd: NTLM auth fails, Authentication pop-up keeps showing up but also fails


On 15/07/2012 9:13 p.m., Mike wrote:
Hi all,

As the subject says, I'm having problems with NTLM for *some* users.

At first I thought this was related to a problem in some Windows 7 laptops
that don't have the reg key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa  - DWORD
LmCompatibilityLevel -> set to 1 to use LM NTLM and NTLMv2.

The key was missing in the 2 laptops giving me the problem, but adding
it and rebooting didn't solve the problem.

In general all works, most users don't complain, and indeed the ones with the problem were missing this key in the registry.
When the user opens IE/site (ntlm auth) I see this on cache.log:

NTLMSSP challenge
2012/07/13 11:23:11.043| ConnStateData::swanSong: FD 33
Got 'YR
TlRMTVNTUAADAAAAGAAYAJQAAAAYABgArAAAAAoACgBYAAAAGgAaAGIAAAAYABgAfAAAAAAAAADEAAAABYKIogYBsR0AAAAPHKcl6C2DGcPhZg1gFNMQqUMAQQBMAEUATQBDAGEAcgBsAGEAQwBhAHIAdgBhAGwAaABvAFcARABMAEgAUAA2ADMAMABOAEwAMAAyAJ3X1msrdlsCAAAAAAAAAAAAAAAAAAAAAL0k3O/g5/bRhTcU9HDH3PpqgbCc4abP4w=='
from squid (length: 267).
got NTLMSSP packet:
got NTLMSSP command 3, expected 1
NTLMSSP NT_STATUS_INVALID_PARAMETER
2012/07/13 11:23:11.256| ConnStateData::swanSong: FD 33

Client is sending a Kerberos ticket ("command 3") to Squid ....

Kerberos is the default authentication system for Windows 7 and later. NTLM was deprecated in Vista.

This is when I send the "basic auth"
Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from
squid (length: 59).
got NTLMSSP packet:
Got NTLMSSP neg_flags=0xa2088207
   NTLMSSP_NEGOTIATE_UNICODE
   NTLMSSP_NEGOTIATE_OEM
   NTLMSSP_REQUEST_TARGET
   NTLMSSP_NEGOTIATE_NTLM
   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
   NTLMSSP_NEGOTIATE_NTLM2

Client is sending an NTLMv2 response to Squid.

   NTLMSSP_NEGOTIATE_VERSION
   NTLMSSP_NEGOTIATE_128
   NTLMSSP_NEGOTIATE_56
NTLMSSP challenge
2012/07/13 11:23:33.226| ConnStateData::swanSong: FD 13
Got 'YR
TlRMTVNTUAADAAAAGAAYAJQAAAAYABgArAAAAAoACgBYAAAAGgAaAGIAAAAYABgAfAAAAAAAAADEAAAABYKIogYBsR0AAAAP0dxfDL0xcw63QgT5XihRs0MAQQBMAEUATQBDAGEAcgBsAGEAQwBhAHIAdgBhAGwAaABvAFcARABMAEgAUAA2ADMAMABOAEwAMAAyAHncwjOdiQMNAAAAAAAAAAAAAAAAAAAAAGh+wPIBTsJQcYCTWvqvSQWmEPgrgyxOnw=='
from squid (length: 267).
got NTLMSSP packet:
got NTLMSSP command 3, expected 1
NTLMSSP NT_STATUS_INVALID_PARAMETER
2012/07/13 11:23:39.436| ConnStateData::swanSong: FD 13
2012/07/13 11:23:40.451| ConnStateData::swanSong: FD 13

More info about my setup:

squid -v
Squid Cache: Version 3.1.19
configure options:  '--sysconfdir=/usr/pkg/etc/squid'
'--localstatedir=/var/squid' '--datarootdir=/usr/pkg/share/squid'
'--enable-auth=basic,digest,ntlm' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-icmp'
'--enable-removal-policies=lru,heap' '--enable-poll'
'--enable-storeio=ufs diskd' '--with-aio'
'--disable-strict-error-checking' '--enable-icap-client'
'--with-default-user=squid' '--with-pidfile=/var/run/squid.pid'
'--enable-ipf-transparent' '--enable-carp' '--enable-snmp'
'--enable-ssl' '--with-openssl=/usr'
'--enable-basic-auth-helpers=getpwnam MSNT NCSA YP PAM'
'--enable-digest-auth-helpers=password'
'--enable-ntlm-auth-helpers=fakeauth'
'--enable-external-acl-helpers=ip_user unix_group' '--prefix=/usr/pkg'
'--build=x86_64--netbsd' '--host=x86_64--netbsd' '--mandir=/usr/pkg/man'
'build_alias=x86_64--netbsd' 'host_alias=x86_64--netbsd' 'CC=gcc'
'CFLAGS=-O2 -I/usr/include' 'LDFLAGS=-L/usr/lib -Wl,-R/usr/lib
-Wl,-R/usr/pkg/lib' 'LIBS=' 'CPPFLAGS=-I/usr/include' 'CXX=c++'
'CXXFLAGS=-O2 -I/usr/include'
--with-squid=/scratch/www/squid31/work/squid-3.1.19
--enable-ltdl-convenience

Samba Version 3.6.5

OS: netbsd-6, samba and squid installed from pkgsrc


At this moment I'm not sure if I missed something installing squid/samba or if it's indeed a problem with this particular Windows client.

Thanks


Note: I do not have Kerberos auth set up, because this is no easy task
on NetBSD, I still need to research this.

Time to start. :)

NetBSD apparently ships with a system implementation:
http://www.netbsd.org/docs/network/#kerberos

Samba, Winbind, and a few other FOSS tools also support Kerberos management.

Amos
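
An added example, not part of the original thread and not Squid or Samba code: a small parser that decodes the NTLMSSP message type and negotiate flags from a helper request line like the ones in the cache.log excerpt, and reports whether the type fits the request keyword. The keyword-to-type mapping (YR opens a handshake, KK continues it) and the constructed type 3 sample are assumptions made for the example.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
MSG_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Byte offset of NegotiateFlags for each message type (MS-NLMP layout).
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}
# Only the flags named in the cache.log excerpt above.
FLAG_NAMES = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
# Assumption: message type each helper request keyword is expected to carry.
EXPECTED_TYPE = {"YR": 1, "KK": 3}

def parse_helper_line(line):
    """Decode one 'YR <base64>' / 'KK <base64>' helper request line."""
    keyword, token = line.split(None, 1)  # also copes with a line break after YR
    raw = base64.b64decode("".join(token.split()), validate=True)
    if len(raw) < 12 or not raw.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    flags = None
    offset = FLAGS_OFFSET.get(msg_type)
    if offset is not None and len(raw) >= offset + 4:
        (flags,) = struct.unpack_from("<I", raw, offset)
    expected = EXPECTED_TYPE.get(keyword)
    return {
        "keyword": keyword,
        "type": msg_type,
        "type_name": MSG_NAMES.get(msg_type, "UNKNOWN"),
        "flags": flags,
        "flag_names": [n for b, n in FLAG_NAMES.items() if flags and flags & b],
        "in_sequence": expected is None or expected == msg_type,
    }

# Token copied from the type 1 request in the log excerpt.
PAGE_TYPE1 = "YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
# Constructed sample: a bare type 3 header with flags 0x201 and empty fields.
_T3 = SIGNATURE + struct.pack("<I", 3) + bytes(48) + struct.pack("<I", 0x201)
CONSTRUCTED_TYPE3 = "YR\n" + base64.b64encode(_T3).decode()

if __name__ == "__main__":
    for sample in (PAGE_TYPE1, CONSTRUCTED_TYPE3):
        print(parse_helper_line(sample))
```

Run against a real cache.log, an "in_sequence" value of False on a YR line corresponds to the helper's "got NTLMSSP command 3, expected 1" message.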

