RE: [squid-users] SQUID NTLM pop up password

From: <michele.de-martin@dont-contact.us>
Date: Wed, 16 Apr 2003 18:43:12 +0200

Hi everybody.
I'm experiencing the same strange window pop-up in NTLM authentication.
I'm using (a patched version of) SMB authenticator with the following
parameters:
...
auth_param ntlm program /usr/lib/squid/ntmulti_ntlm -d
auth_param ntlm children 1
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
...
I've forced the number of children to 1 to increase the probability of the
pop-up.
The "-d" parameter causes the helper to debug some useful info: added
below.

In the "debug trace" there is only one user accessing "www.google.com".

Troubleshooting the behaviour of squid/helper it looks like 2 different
authentication streams got mixed up.
Starting from lines 21-28 we see the first step in the NTLM authentication
handshake between squid and helper. (URL1)
In lines 29-36 we see another one: that is another "first step in NTLM
handshake". This is for a different URL from the previous one. (URL2)
In lines 37-43 we see the second step relating to URL1.
In lines 44-49 we see the second step relating to URL2.

Lines 37-43 end up in a failure authentication because the NT challenge
"stored" in the helper is changed due to URL2 "first step ..." in lines
29-36.
At this time the pop-up appears.
Lines 44-49 end up in a success authentication because the NT challenge is
the same: they refer to the same URL (URL2).

I've used the word "URL" instead of "TCP connection".

In my opinion squid shouldn't have asked for authenticating URL2 (lines
29-36) before complete authentication of URL1 (lines 37-43).
I've also a sniffer trace of squid-browser traffic that confirms the
sequence of the two handshakes. Browser behaves well.

Can anyone (Henrik, Robert, ...) give some notice?
Is "src/auth/ntlm/auth_ntlm.c" the right place to look for this strange
behaviour?

Thanks
Michele

THE TRACE WITH ONE USER ACCESSING WWW.GOOGLE.COM
--------------------------------------------------------------------------------
1 : ntlm-auth[7591](ntmulti_ntlm.c:415): managing request
2 : ntlm-auth[7591](ntmulti_ntlm.c:421): ntlm authenticator. Got 'YR TlRMTVNTUAABAAAAB7IIoAgACAAoAAAACAAIACAAAABQTElUMDEzNklUWk5UUDAx' from Squid
3 : ntlm-auth[7591](ntmulti_ntlm.c:368): obtain_challenge: selecting ITZNTP01\PLITP022 (attempt #1)
4 : ntlm-auth[7591](ntmulti_ntlm.c:380): attempting challenge retrieval
5 : ntlm-auth[7591](libntlmssp.c:150): Connecting to server PLITP022 domain ITZNTP01
6 : ntlm-auth[7591](ntmulti_ntlm.c:382): make_challenge retuned 0x8057980
7 : ntlm-auth[7591](ntmulti_ntlm.c:384): Got it
8 : ntlm-auth[7591](ntmulti_ntlm.c:590): sending 'TT TlRMTVNTUAACAAAACAAIACgAAACCgkEAh4zw1jEXpA8AAAAAAAAAAElUWk5UUDAx' to squid

9 : ntlm-auth[7591](ntmulti_ntlm.c:415): managing request
10: ntlm-auth[7591](ntmulti_ntlm.c:421): ntlm authenticator. Got 'KK TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAgACABAAAAACwALAEgAAAAIAAgAUwAAAAAAAACLAAAABoIAAElUWk5UUDAxSVRaRlBJQ0NPTE9QTElUMDEzNnYqOBORqFZDJusoMH+zRnym3FEipWh+9mTuZjx3B7G2uG/UC2AurJFPu0eZbOtxmA==' from Squid
11: ntlm-auth[7591](libntlmssp.c:303): checking domain: 'ITZNTP01', user: 'ITZFPICCOLO'
12: ntlm-auth[7591](libntlmssp.c:306): Login attempt had result 0
13: ntlm-auth[7591](libntlmssp.c:314): credentials: ITZNTP01\ITZFPICCOLO
14: ntlm-auth[7591](ntmulti_ntlm.c:558): sending 'AF itzntp01\itzfpiccolo' to squid

15: ntlm-auth[7591](ntmulti_ntlm.c:415): managing request
16: ntlm-auth[7591](ntmulti_ntlm.c:421): ntlm authenticator. Got 'KK TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAgACABAAAAACwALAEgAAAAIAAgAUwAAAAAAAACLAAAABoIAAElUWk5UUDAxSVRaRlBJQ0NPTE9QTElUMDEzNnYqOBORqFZDJusoMH+zRnym3FEipWh+9mTuZjx3B7G2uG/UC2AurJFPu0eZbOtxmG==' from Squid
17: ntlm-auth[7591](libntlmssp.c:303): checking domain: 'ITZNTP01', user: 'ITZFPICCOLO'
18: ntlm-auth[7591](libntlmssp.c:306): Login attempt had result 0
19: ntlm-auth[7591](libntlmssp.c:314): credentials: ITZNTP01\ITZFPICCOLO
20: ntlm-auth[7591](ntmulti_ntlm.c:558): sending 'AF itzntp01\itzfpiccolo' to squid

21: ntlm-auth[7591](ntmulti_ntlm.c:415): managing request
22: ntlm-auth[7591](ntmulti_ntlm.c:421): ntlm authenticator. Got 'YR TlRMTVNTUAABAAAAB7IIoAgACAAoAAAACAAIACAAAABQTElUMDEzNklUWk5UUDAx' from Squid
23: ntlm-auth[7591](ntmulti_ntlm.c:368): obtain_challenge: selecting ITZNTP01\PLITP022 (attempt #1)
24: ntlm-auth[7591](ntmulti_ntlm.c:380): attempting challenge retrieval
25: ntlm-auth[7591](libntlmssp.c:150): Connecting to server PLITP022 domain ITZNTP01
26: ntlm-auth[7591](ntmulti_ntlm.c:382): make_challenge retuned 0x8057980
27: ntlm-auth[7591](ntmulti_ntlm.c:384): Got it
28: ntlm-auth[7591](ntmulti_ntlm.c:590): sending 'TT TlRMTVNTUAACAAAACAAIACgAAACCgkEAG8LMcl1BQ2kAAAAAAAAAAElUWk5UUDAx' to squid

29: ntlm-auth[7591](ntmulti_ntlm.c:415): managing request
30: ntlm-auth[7591](ntmulti_ntlm.c:421): ntlm authenticator. Got 'YR TlRMTVNTUAABAAAAB7IIoAgACAAoAAAACAAIACAAAABQTElUMDEzNklUWk5UUDAx' from Squid
31: ntlm-auth[7591](ntmulti_ntlm.c:368): obtain_challenge: selecting ITZNTP01\PLITP022 (attempt #1)
32: ntlm-auth[7591](ntmulti_ntlm.c:380): attempting challenge retrieval
33: ntlm-auth[7591](libntlmssp.c:150): Connecting to server PLITP022 domain ITZNTP01
34: ntlm-auth[7591](ntmulti_ntlm.c:382): make_challenge retuned 0x8057980
35: ntlm-auth[7591](ntmulti_ntlm.c:384): Got it
36: ntlm-auth[7591](ntmulti_ntlm.c:590): sending 'TT TlRMTVNTUAACAAAACAAIACgAAACCgkEAP6a/u/RlfrkAAAAAAAAAAElUWk5UUDAx' to squid

37: ntlm-auth[7591](ntmulti_ntlm.c:415): managing request
38: ntlm-auth[7591](ntmulti_ntlm.c:421): ntlm authenticator. Got 'KK TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAgACABAAAAACwALAEgAAAAIAAgAUwAAAAAAAACLAAAABoIAAElUWk5UUDAxSVRaRlBJQ0NPTE9QTElUMDEzNggtzxhJxssQZkhH1f6wzguY/njzzx5w8cr0TUAX129/QB2rYTMnyI16paCj2ZebMW==' from Squid
39: ntlm-auth[7591](libntlmssp.c:303): checking domain: 'ITZNTP01', user: 'ITZFPICCOLO'
40: ntlm-auth[7591](libntlmssp.c:306): Login attempt had result -1
41: ntlm-auth[7591](ntmulti_ntlm.c:490): No creds. SMBlib error 1, SMB error class 1, SMB error code 5, NB error 0
42: ntlm-auth[7591](ntmulti_ntlm.c:511): DOS error
43: ntlm-auth[7591](ntmulti_ntlm.c:516): sending 'NA Access denied' to squid

44: ntlm-auth[7591](ntmulti_ntlm.c:415): managing request
45: ntlm-auth[7591](ntmulti_ntlm.c:421): ntlm authenticator. Got 'KK TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAgACABAAAAACwALAEgAAAAIAAgAUwAAAAAAAACLAAAABoIAAElUWk5UUDAxSVRaRlBJQ0NPTE9QTElUMDEzNvd8sLZxBsRZGzl8JUmLz4qrjjqkdwx3I86QDIEdxXp+d0w0u5ewANnXVYwG+Z6Kxm==' from Squid
46: ntlm-auth[7591](libntlmssp.c:303): checking domain: 'ITZNTP01', user: 'ITZFPICCOLO'
47: ntlm-auth[7591](libntlmssp.c:306): Login attempt had result 0
48: ntlm-auth[7591](libntlmssp.c:314): credentials: ITZNTP01\ITZFPICCOLO
49: ntlm-auth[7591](ntmulti_ntlm.c:558): sending 'AF itzntp01\itzfpiccolo' to squid
Received on Wed Apr 16 2003 - 10:44:16 MDT
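
Added example, not part of the original message and not Squid or helper code: it decodes the two 'TT' tokens from trace lines 28 and 36 to show that the helper issued two different NT challenges, then replays lines 21-49 against a model of a helper that remembers only one challenge, following the diagnosis in the message. The function names and the in-order-response assumption are hypothetical.

```python
import base64
import struct
from collections import deque

# 'TT' tokens the helper sent to Squid at trace lines 28 and 36 (copied from the trace).
TT_LINE_28 = "TlRMTVNTUAACAAAACAAIACgAAACCgkEAG8LMcl1BQ2kAAAAAAAAAAElUWk5UUDAx"
TT_LINE_36 = "TlRMTVNTUAACAAAACAAIACgAAACCgkEAP6a/u/RlfrkAAAAAAAAAAElUWk5UUDAx"

def parse_type2(token):
    """Return (target_name, 8-byte server challenge) from an NTLM type-2 message."""
    raw = base64.b64decode(token)
    if raw[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", raw, 8)[0] != 2:
        raise ValueError("not an NTLM type-2 (challenge) message")
    # Target-name security buffer: length, allocated length, offset.
    name_len, _max_len, name_off = struct.unpack_from("<HHI", raw, 12)
    if len(raw) < 32 or name_off + name_len > len(raw):
        raise ValueError("truncated type-2 message")
    target = raw[name_off:name_off + name_len].decode("ascii", "replace")
    return target, raw[24:32]

def replay(events):
    """Model a helper that keeps one challenge slot (assumption from the message).

    events: ("TT", token) when a challenge is issued, ("KK", None) when a
    type-3 response arrives. Assumes responses arrive in the order the
    challenges were issued, as in the trace. Returns one verdict per KK.
    """
    slot = None            # the only challenge the helper remembers
    outstanding = deque()  # challenges that browsers are still answering
    verdicts = []
    for kind, token in events:
        if kind == "TT":
            slot = parse_type2(token)[1]
            outstanding.append(slot)
        elif kind == "KK":
            if not outstanding:          # response without a challenge
                verdicts.append((None, "NA"))
                continue
            answered = outstanding.popleft()
            verdicts.append((answered.hex(), "AF" if answered == slot else "NA"))
    return verdicts

# Trace lines 21-49 reduced to their protocol steps (constructed from the trace).
EVENTS = [("TT", TT_LINE_28), ("TT", TT_LINE_36), ("KK", None), ("KK", None)]

if __name__ == "__main__":
    for challenge, verdict in replay(EVENTS):
        print(challenge, verdict)
```

The first response answers the challenge from line 28 after the slot was overwritten at line 36, which matches the 'NA Access denied' at line 43; the second matches the slot and gets 'AF'.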
