[squid-users] NTLM popups

From: James Zuelow <James_Zuelow_at_ci.juneau.ak.us>
Date: Thu, 7 Aug 2008 15:26:15 -0800

I see this issue coming and going, dating back to at least 2006. So
this is just a bump I guess, unless there are any new developments.

I have users that will occasionally (rarely, and mostly unpredictably)
get NTLM authentication popups.

I have not personally gotten one until today. I noted the time,
although I see that I did not note it with enough precision, and checked
the logs.

There were two odd things in the logs at about the time I got the popup:

The first is a "got NTLMSSP command 1, expected 3" error that I've seen
mentioned in the archives:

========================================================================
[2008/08/07 10:36:36, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(672)
  Got user=[James_Zuelow] domain=[JUNEAU_NT] workstation=[MIS-JZ-WXP] len1=24 len2=24
[2008/08/07 10:36:36, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2008/08/07 10:36:36, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa2088205
[2008/08/07 10:36:36, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa208b207
[2008/08/07 10:36:36, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa208b207
[2008/08/07 10:36:36, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa208b207
[2008/08/07 10:36:36, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa208b207
[2008/08/07 10:36:36, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 1, expected 3
[2008/08/07 10:36:36, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa208b207
[2008/08/07 10:36:36, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa208b207
[2008/08/07 10:36:36, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa208b207
[2008/08/07 10:36:36, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(672)
  Got user=[Bonnie_Chaney] domain=[JUNEAU_NT] workstation=[FIN-BC-WXP] len1=24 len2=24
========================================================================

The second is a change in my username and disappearance of my domain
name:

========================================================================
[2008/08/07 10:36:57, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2008/08/07 10:36:57, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa2088205
[2008/08/07 10:36:58, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa208b207
[2008/08/07 10:36:59, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(672)
  Got user=[James_Zuelow] domain=[JUNEAU_NT] workstation=[MIS-JZ-WXP] len1=24 len2=24
[2008/08/07 10:36:59, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(672)
  Got user=[james_zuelow] domain=[] workstation=[MIS-JZ-WXP] len1=24 len2=24
[2008/08/07 10:36:59, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(672)
  Got user=[james_zuelow] domain=[] workstation=[MIS-JZ-WXP] len1=24 len2=24
[2008/08/07 10:36:59, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2008/08/07 10:36:59, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa2088205
[2008/08/07 10:36:59, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2008/08/07 10:36:59, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x00088205
[2008/08/07 10:36:59, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2008/08/07 10:36:59, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x00088205
========================================================================

I notice my username went from James_Zuelow to james_zuelow, and the
domain just disappeared.

Now I don't know which of these events was actually the popup. I just
remembered "10:36" and these both fall into that minute. However, I was
given a popup and then typed my name and password into it. So I would
guess that the popup was generated at 10:36:36, and I pressed enter with
my name at 10:36:59. It didn't work, so I hit cancel and the page
finished loading.

Steps to reproduce: This is hard. I was using Firefox and had just
opened up four tabs. In addition, the tab that gave me the popup was
trying to load content from a third server (an ad I think). Other users
that have complained have been doing things like using Google Maps with
the imagery turned on. I'm thinking that it has to do with many
simultaneous or nearly simultaneous requests.

I have 100 ntlm_auth helpers listening, supporting about 300 users.
Cachemgr.cgi says only the top 21 listeners have any hits, with almost
all of those on the top five listeners.

Squid is version 2.6STABLE5 on Debian Etch (2.6.5-1 to be precise) and
Winbind is 3.0.24.

James Zuelow....................CBJ MIS (907)586-0236
Network Specialist...Registered Linux User No. 186591
Received on Thu Aug 07 2008 - 23:26:17 MDT
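
Added example, not part of the original post: a Python triage for level-3 Samba log output like the excerpts above. It reports NTLMSSP messages that arrived out of sequence and workstations whose user/domain pair changed, and names the negotiate-flag bits that differ between two neg_flags values. The sample lines are constructed from the excerpts, the flag names follow MS-NLMP, and the function names are hypothetical.

```python
import re

# Samba debug header: "[date time, level] source_file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\] \S+\(\d+\)$")
AUTH = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
STATE = re.compile(r"got NTLMSSP command (\d+), expected (\d+)")
MSG = {"1": "NEGOTIATE", "2": "CHALLENGE", "3": "AUTHENTICATE"}  # message types
# Subset of negotiate-flag bits (MS-NLMP values) that vary in the excerpts.
FLAG_BITS = {0x80000000: "56", 0x20000000: "128", 0x02000000: "VERSION",
             0x2000: "OEM_WORKSTATION_SUPPLIED", 0x1000: "OEM_DOMAIN_SUPPLIED",
             0x2: "OEM"}

# Constructed sample, shortened from the post's excerpts; body lines may wrap.
SAMPLE = """\
[2008/08/07 10:36:36, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 1, expected 3
[2008/08/07 10:36:59, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(672)
  Got user=[James_Zuelow] domain=[JUNEAU_NT] workstation=[MIS-JZ-WXP]
len1=24
len2=24
[2008/08/07 10:36:59, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(672)
  Got user=[james_zuelow] domain=[] workstation=[MIS-JZ-WXP] len1=24
len2=24
"""

def parse_entries(text):
    """Join each header line with its (possibly mail-wrapped) body lines."""
    entries = []
    for line in text.splitlines():
        if m := HEADER.match(line.strip()):
            entries.append([m.group(1), ""])
        elif entries:
            entries[-1][1] += " " + line.strip()
    return entries

def triage(text):
    """Return (out-of-sequence messages, workstations whose identity changed)."""
    errors, seen = [], {}
    for when, body in parse_entries(text):
        if m := STATE.search(body):  # (time, type received, type expected)
            errors.append((when, *(MSG.get(g, g) for g in m.groups())))
        if m := AUTH.search(body):
            user, domain, ws = m.groups()
            if (user, domain) not in seen.setdefault(ws, []):
                seen[ws].append((user, domain))
    return errors, {ws: ids for ws, ids in seen.items() if len(ids) > 1}

def flags_lost(before, after):
    """Names of known flag bits set in `before` but cleared in `after`."""
    return sorted(n for bit, n in FLAG_BITS.items() if before & ~after & bit)
```

Calling flags_lost(0xa2088205, 0x00088205) on the two values logged at 10:36:59 names the bits that were dropped between them.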