Re: [squid-users] Squid-Cache-Error with NTLM: "got NTLMSSP command 3, expected 1"

From: Tom Tux <tomtux80_at_gmail.com>
Date: Fri, 25 Jun 2010 08:10:30 +0200

Hi Jorge

Is it possible to have ad-group-permissions with kerb_auth like I can
do it with ntlm_auth?
What are the disadvantages using ntlm_auth?

I don't understand exactly, if it's possible or not (with kerb_auth)
to have an ad-group with all users, who have squid-permissions. Does
the kerberos-authentication works without user-interaction (no prompt
for username/password)?

Kind regards,
Tom

2010/6/24 Jorge Armando Medina <jmedina_at_e-compugraf.com>:
> Tom Tux wrote:
>> I didn't configured kerberos-helper like squid_kerb_auth. I'm just
>> using ntlm_auth. So why do I have this message?
>>
> If you want to use ntlm_auth ( NTLMv1?) you need to change some
> compatibility settings in windows, specially windows vista and 7 are
> configure by default to only use NTLMv2 honoring kerberos, you need to
> edit windows registry and change/create
>
> *HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel*
>
> *DWORD value 1
>
> You can automate this with a logon script o with a group policy
> Security:LAN Manager Authentication Level
>
> Anyway, I think is time to migrate to kerb_auth.
>
> Best regards.
> *
>> 2010/6/24 Amos Jeffries <squid3_at_treenet.co.nz>:
>>
>>> On Wed, 23 Jun 2010 09:28:38 +0200, Tom Tux <tomtux80_at_gmail.com> wrote:
>>>
>>>> Hi
>>>>
>>>> A few days ago, I already wrote a post concerning the following
>>>> messages in the cache.log (squid 3.1.3):
>>>>
>>>> [2010/06/23 09:13:46,  1] libsmb/ntlmssp.c:335(ntlmssp_update)
>>>>   got NTLMSSP command 3, expected 1
>>>> [2010/06/23 09:13:46,  1] libsmb/ntlmssp.c:335(ntlmssp_update)
>>>>   got NTLMSSP command 3, expected 1
>>>> [2010/06/23 09:13:46,  1] libsmb/ntlmssp.c:335(ntlmssp_update)
>>>>   got NTLMSSP command 3, expected 1
>>>>
>>>>
>>>> Our authentication is ntlm-based.
>>>>
>>> http://markmail.org/message/aumkxcehqmlnuhbu?q=NTLMSSP+command+3+expected+1
>>>
>>> Amos
>>>
>>>
>
>
> --
> Jorge Armando Medina
> Computación Gráfica de México
> Web: http://www.e-compugraf.com
> Tel: 55 51 40 72, Ext: 124
> Email: jmedina_at_e-compugraf.com
> GPG Key: 1024D/28E40632 2007-07-26
> GPG Fingerprint: 59E2 0C7C F128 B550 B3A6  D3AF C574 8422 28E4 0632
>
>
>
Received on Fri Jun 25 2010 - 06:10:39 MDT

This archive was generated by hypermail 2.2.0 : Fri Jun 25 2010 - 12:00:04 MDT