Re: [squid-users] The Famous "NTLMSSP command 3, expected 1"

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 20 Apr 2011 01:26:10 +1200

On 20/04/11 01:20, Go Wow wrote:
> I'm a complete noob at this. How do I set the below setting?
>
> Ensure that persistent connections are ON to clients (default in 3.1).
> That will have the biggest impact.
>

In 3.0 and older:
  client_persistent_connections on

In 3.1 ensure that the directive is not set anywhere in squid.conf.

> On 19 April 2011 17:17, Amos Jeffries wrote:
>> On 20/04/11 01:04, Go Wow wrote:
>>>
>>> I have seen that increasing the number of auth children decreases the
>>> errors in cache.log. What is the optimal number of children that we
>>> should use, supposing Squid is serving 500 users?
>>>
>>> I will try your suggestions and inform you.
>>>
>>
>> Hmm, that sounds like it may actually be NTLM, but failing some other way.
>>
>> Number of auth children has a max of 256 connections to the DC. Each child
>> will consume one.
>> If you have much RAM used by Squid there are also sometimes limits to how
>> many children it can spawn/fork before you get out-of-memory problems.
>>
>> Ensure that persistent connections are ON to clients (default in 3.1). That
>> will have the biggest impact.
>>
>>>
>>> Regards
>>>
>>> On 19 April 2011 16:50, Amos Jeffries wrote:
>>>>
>>>> On 19/04/11 23:54, Go Wow wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I meant 3.1.11
>>>>>
>>>>> How do I check which user-agent is giving this issue? As I said, 70%
>>>>> of people use IE here (different versions): some use IE 8, IE 7 and IE 6,
>>>>> 20-25% use Firefox 3.6 or Firefox 4 and the rest use Google Chrome.
>>>>
>>>> It may be in your logs as a client which gets a lot of NTLM denials.
>>>>
>>>> If not, adding a log to record which agents are failing is easy:
>>>>
>>>> logformat agentTokens %{Proxy-Authorization}>h "%{User-Agent}>h"
>>>>
>>>> (mind the wrap; that is one line)
>>>>
>>>> acl failedAuth http_status 407
>>>> access_log /some/file.log agentTokens failedAuth
>>>>
>>>> This logs the auth tokens and user-agents sending them. One of the tokens
>>>> should appear in cache.log next to the error message.
>>>>
>>>>>
>>>>> Can you please point me to some doc on using that negotiate wrapper? I
>>>>> tried squid_kerb_auth and failed miserably and I'm not planning to go
>>>>> near it until my squid is stable.
>>>>>
>>>>> I have made a GPO for all users to use NTLM as the preferred auth method;
>>>>> let's see if that makes a difference. I did it by setting
>>>>> "LmCompatibilityLevel" to "1" in the registry.
>>>>
>>>> "1" is not a good value for that. Probably "4" is what you need. "5" if
>>>> possible.
>>>>
>>>> See this for what each level apparently means:
>>>>
>>>>
>>>> http://technet.microsoft.com/en-nz/magazine/2006.08.securitywatch%28en-us%29.aspx
>>>>
>>>> It seems to be an old article, so things may have changed a little. I'm
>>>> not sure how Kerberos integrates with those, for example in IE 7/8.
>>>>
>>>>>
>>>>> Cheers
>>>>>
>>>>> On 19 April 2011 14:08, Amos Jeffries wrote:
>>>>>>
>>>>>> On 19/04/11 20:09, Go Wow wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I use NTLM to authenticate my AD users with Squid 3.11. My cache logs
>>>>>>
>>>>>> You mean 3.1.1? We are only up to the 3.2 series so far.
>>>>>>
>>>>>>> have these entries at random times. I know that the client is sending
>>>>>>> a kerberos reply instead of NTLM auth. I want to know whether
>>>>>>> something can be done about this or not.
>>>>>>>
>>>>>>> libsmb/ntlmssp.c:335(ntlmssp_update) got NTLMSSP command 3, expected 1
>>>>>>>
>>>>>>> I tried moving to Kerberos but it didn't work for me. My client environment
>>>>>>> is IE 8, Chrome and Firefox 3.6 or 4.
>>>>>>
>>>>>> For the record, which User-Agent is broken and sending Kerberos when
>>>>>> offered NTLM? And are you offering Negotiate?
>>>>>>
>>>>>> The new negotiate_wrapper helper from Markus Moeller may help. We have
>>>>>> tested it for use in "auth_param negotiate", but I'm not sure of the
>>>>>> effect if it's used in "auth_param ntlm".

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Tue Apr 19 2011 - 13:26:14 MDT
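The agentTokens log suggested in the thread records the raw token and the User-Agent for every 407, but the token is an opaque base64 blob; the operator still has to work out which lines are NTLM type 1 (NEGOTIATE, the normal first step that always gets a 407), which are NTLM type 3 (AUTHENTICATE, what the helper reports as "got NTLMSSP command 3, expected 1" when it arrives where a type 1 was expected) and which are Kerberos/SPNEGO tokens sent where NTLM was offered. The following script is an added example, not code from the thread or from Squid: it parses lines of that log, decodes each token (the NTLMSSP message type is the little-endian 32-bit field after the "NTLMSSP\0" signature; a GSS-API token starts with the DER [APPLICATION 0] tag 0x60 followed by the mechanism OID), and counts (User-Agent, token kind) pairs. It assumes the log records the client's Proxy-Authorization request header followed by the quoted User-Agent, as the logformat in the thread intends; the sample log lines, tokens and User-Agent strings are constructed for the example.

```python
"""Classify Proxy-Authorization tokens in an agentTokens-style Squid log.
Assumed line shape (added example, constructed):
    NTLM TlRMTVNTUAADAAAA... "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
"""
import base64
import re
import struct
from collections import Counter

NTLMSSP_SIG = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "NTLM type1 NEGOTIATE", 2: "NTLM type2 CHALLENGE",
              3: "NTLM type3 AUTHENTICATE"}
LINE_RE = re.compile(r'^(?P<scheme>\S+)(?: (?P<token>\S+))? "(?P<agent>[^"]*)"$')


def _der_read(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, next_pos); short and long lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def classify_token(scheme, blob):
    """Name what a decoded token actually is, whatever scheme the client used."""
    if blob.startswith(NTLMSSP_SIG):
        if len(blob) < 12:
            return "NTLM truncated"
        msg_type = struct.unpack_from("<I", blob, 8)[0]   # MessageType field
        return NTLM_TYPES.get(msg_type, "NTLM unknown type %d" % msg_type)
    if blob[:1] == b"\x60":                # GSS-API InitialContextToken
        try:
            _tag, inner, _ = _der_read(blob)
            oid_tag, oid, _ = _der_read(inner)
        except ValueError:
            return "GSS-API malformed"
        if oid_tag != 0x06:
            return "GSS-API malformed"
        if oid == OID_SPNEGO:
            return "SPNEGO"
        if oid == OID_KRB5:
            return "Kerberos 5"
        return "GSS-API other mechanism"
    return "%s unrecognised" % scheme


def parse_line(line):
    """Return (scheme, classification, user_agent), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    scheme, token, agent = m.group("scheme"), m.group("token"), m.group("agent")
    if scheme == "-":                      # Squid logs "-" for an absent header
        return (scheme, "no Proxy-Authorization header", agent)
    if token is None:
        return (scheme, "scheme without token", agent)
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return (scheme, "undecodable token", agent)
    return (scheme, classify_token(scheme, blob), agent)


def summarise_log(text):
    """Count (user_agent, classification) pairs over all parseable lines."""
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            counts[(parsed[2], parsed[1])] += 1
    return counts


def suspect_agents(counts):
    """Agents that sent an NTLM type 3 or a Kerberos/SPNEGO token to a 407."""
    return {agent for (agent, kind) in counts
            if kind.startswith("NTLM type3") or kind.startswith(("SPNEGO", "Kerberos"))}


# --- constructed sample data ---------------------------------------------
def _ntlm_blob(msg_type):
    # Minimal NTLMSSP header: signature, MessageType, zeroed payload fields.
    return NTLMSSP_SIG + struct.pack("<I", msg_type) + b"\x00" * 24


def _gss_token(oid):
    # InitialContextToken carrying only the mechanism OID and an empty body.
    inner = b"\x06" + bytes([len(oid)]) + oid + b"\x30\x00"
    return b"\x60" + bytes([len(inner)]) + inner


def _b64(blob):
    return base64.b64encode(blob).decode("ascii")


IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"        # constructed
FF4 = "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534 Chrome/10.0"
SAMPLE_LOG = "\n".join([
    'NTLM %s "%s"' % (_b64(_ntlm_blob(1)), FF4),
    'NTLM %s "%s"' % (_b64(_ntlm_blob(3)), IE8),
    'NTLM %s "%s"' % (_b64(_ntlm_blob(3)), IE8),
    'Negotiate %s "%s"' % (_b64(_gss_token(OID_KRB5)), CHROME),
    '- "%s"' % FF4,
    'not a log line',
])

if __name__ == "__main__":
    counts = summarise_log(SAMPLE_LOG)
    for (agent, kind), n in sorted(counts.items()):
        print("%4d  %-26s %s" % (n, kind, agent))
    print("look at:", ", ".join(sorted(suspect_agents(counts))))
```

Type 1 tokens on 407 lines are expected noise (every NTLM handshake starts that way); what points at the offending client is an agent whose type 3 count keeps climbing, or any Kerberos/SPNEGO token on a line where only NTLM was offered. A type 3 rejected with a 407 can also simply be a wrong password, so the per-agent ratio matters more than a single line.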
