Re: [squid-users] The Famous "NTLMSSP command 3, expected 1"

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 20 Apr 2011 00:50:05 +1200

On 19/04/11 23:54, Go Wow wrote:
> Hi,
>
> I meant 3.1.11
>
> How do I check which user-agent is giving this issue? As I said, 70% of
> people here use IE (different versions): some use IE 8, IE 7 and IE 6.
> 20-25% use Firefox 3.6 or Firefox 4 and the rest use Google Chrome.

It may be in your logs as a client which gets a lot of NTLM denials.

If not, adding a log to record which agents are failing is easy:

   logformat agentTokens %{Proxy-Authorization}>h "%{User-Agent}>h"

(mind the wrap; that is one line)

   acl failedAuth http_status 407
   access_log /some/file.log agentTokens failedAuth

This logs the auth tokens and user-agents sending them. One of the
tokens should appear in cache.log next to the error message.

>
> Can you please point me to some doc to use that negotiate wrapper. I
> tried squid_kerb_auth and failed miserably and I'm not planning to go
> near it until my squid is stable.
>
> I have made a GPO for all users to use NTLM as preferred auth method,
> let's see if that makes a difference. I did it by adding
> "LmCompatibilityLevel" to "1" in registry.

"1" is not a good value for that. Probably "4" is what you need. "5" if
possible.

See this for what each level apparently means:
 
http://technet.microsoft.com/en-nz/magazine/2006.08.securitywatch%28en-us%29.aspx

It seems to be an old article, so things may have changed a little. I'm
not sure how Kerberos integrates with those for example in IE 7/8.

>
> Cheers
>
> On 19 April 2011 14:08, Amos Jeffries wrote:
>> On 19/04/11 20:09, Go Wow wrote:
>>>
>>> Hi,
>>>
>>> I use NTLM to authenticate my AD users with Squid 3.11. My cache logs
>>
>> You mean 3.1.1? We are only up to 3.2 series so far.
>>
>>> have these entries at random times. I know that the client is sending
>>> a kerberos reply instead of NTLM auth. I want to know whether
>>> something can be done about this or not.
>>>
>>> libsmb/ntlmssp.c:335(ntlmssp_update) got NTLMSSP command 3, expected 1
>>>
>>> I tried moving to Kerberos but it didn't work for me. My client environment
>>> is IE 8, Chrome and Firefox 3.6 or 4
>>
>> For the record, which User-Agent is broken and sending Kerberos when offered
>> NTLM? And are you offering Negotiate?
>>
>> The new negotiate_wrapper helper from Markus Moeller may help. We have
>> tested it for use in "auth_param negotiate", but I'm not sure of the effect
>> if it's used in "auth_param ntlm".

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Tue Apr 19 2011 - 12:50:12 MDT
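
Added example (not part of the original message and not Squid project code): one way to read the failed-auth log described above and tally, per User-Agent, what kind of token each 407'd request carried, including the NTLMSSP message type that the cache.log error reports. It assumes each line holds the client's Proxy-Authorization value followed by the quoted User-Agent, with the space inside the header possibly logged as %20; the function names, agent names and sample lines are constructed for illustration.

```python
import base64
import re
import struct
from collections import Counter
from urllib.parse import unquote

NTLM_NAMES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify_token(b64):
    """Name the kind of token carried in a Proxy-Authorization value."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return "undecodable"
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        # NTLMSSP message type: little-endian uint32 at offset 8.
        mtype = struct.unpack_from("<I", raw, 8)[0]
        return "NTLMSSP type %d (%s)" % (mtype, NTLM_NAMES.get(mtype, "unknown"))
    if raw[:1] == b"\x60":  # ASN.1 tag that opens a GSS-API token
        return "GSS-API token (SPNEGO/Kerberos)"
    return "unrecognised" if raw else "no token"

def parse_line(line):
    """Split one log line into (scheme, token, user_agent), or None."""
    m = re.match(r'^(.*?)\s+"(.*)"\s*$', line)
    if not m:
        return None
    # Assumption: the space inside the header value may be logged as %20.
    scheme, _, token = unquote(m.group(1)).partition(" ")
    return scheme, token.strip(), m.group(2)

def summarize(lines):
    """Count (user_agent, scheme, token kind) across the failed-auth log."""
    parsed = filter(None, map(parse_line, lines))
    return Counter((agent, scheme, classify_token(token)) for scheme, token, agent in parsed)

def _line(header, raw, agent):
    return '%s%s "%s"' % (header, base64.b64encode(raw).decode("ascii"), agent)

# Constructed sample lines, not taken from a real proxy log.
SAMPLE = [
    _line("NTLM ", b"NTLMSSP\x00" + struct.pack("<I", 1) + bytes(20), "AgentA/1.0"),
    _line("NTLM%20", b"NTLMSSP\x00" + struct.pack("<I", 3) + bytes(52), "AgentB/1.0"),
    _line("NTLM ", b"\x60\x82\x01\x00" + bytes(16), "AgentB/1.0"),
    '- "AgentC/1.0"',
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key, sep=" | ")
```

An agent whose rows show a type 3 message or a GSS-API token under the NTLM scheme is the one to compare against the tokens next to the cache.log error.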
