Dear Francesco, I have never used the helper provided by Samba, and I am not willing to start using it. I don't want to install Samba on a proxy server, maintain a smb.conf and TDB databases there, join a domain, see hundreds of winbindd processes etc. The ntlm_auth plugin has always been sufficient for my needs. I hoped it would continue to be usable, but something is broken in it. I would be glad to migrate to Kerberos though, if I can only make browsers use it. No success so far. If anybody can help with it, I would greatly appreciate. Kinkie wrote: > er.. are you not using the helper provided by Samba? That is the most > reliable way to do NTLM authentication in squid (and most other Linux > software) > > On Mon, Oct 6, 2014 at 11:08 AM, Victor Sudakov > <sudakov@xxxxxxxxxxxxxxxx> wrote: > > Francesco, > > > > What do you mean by "client"? Absolutely everything in this lab setup > > is the same, including the browser. > > > > The only difference is the ntlm plugin binary (ntlm_auth taken from > > the old squid and ntlm_smb_lm_auth from the new one). > > > > In fact, I replaced the binary and restarted squid. > > > > Kinkie wrote: > >> Whoops, sorry for the empty message. > >> This seems like a broken client. Can you check whether the client > >> sending that was a legitimate one? > >> > >> On Mon, Oct 6, 2014 at 10:24 AM, Victor Sudakov > >> <sudakov@xxxxxxxxxxxxxxxx> wrote: > >> > Colleagues, > >> > > >> > The NTLM (LM) plugin in squid27 worked perfectly while the NTLM plugin in > >> > squid34 is obviously broken. > >> > > >> > I am attaching two log files, one of the old plugin and the other of > >> > the new one. Could someone please have a look at bad-ntlm.log to see > >> > why ntlm_smb_lm_auth does not work any more after upgrading to 34? > >> > > >> > What does this failure > >> > > >> > ntlmssp: bad ascii: ffffffab > >> > No auth at all. Returning no-auth > >> > ntlm_smb_lm_auth.cc(531): pid=16346 :sending 'NA Logon Failure' to squid > >> > > >> > actually mean? > >> > > >> > I know that LM is bad and insecure, but I cannot give it up for the > >> > present in the production environment until I make Kerberos > >> > (negotiate) work. > >> > > >> > -- > >> > Victor Sudakov, VAS4-RIPE, VAS47-RIPN > >> > sip:sudakov@xxxxxxxxxxxxxxxx > >> > > >> > _______________________________________________ > >> > squid-users mailing list > >> > squid-users@xxxxxxxxxxxxxxxxxxxxx > >> > http://lists.squid-cache.org/listinfo/squid-users > >> > > >> > >> > >> > >> -- > >> Francesco > > > > -- > > Victor Sudakov, VAS4-RIPE, VAS47-RIPN > > sip:sudakov@xxxxxxxxxxxxxxxx > > > > -- > Francesco -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:sudakov@xxxxxxxxxxxxxxxx _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
