Re: [squid-users] Squid-Cache-Error with NTLM: "got NTLMSSP command 3, expected 1"

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 26 Jun 2010 00:36:19 +1200

Tom Tux wrote:
> Hi Jorge
>
> Is it possible to have ad-group-permissions with kerb_auth like I can
> do it with ntlm_auth?
> What are the disadvantages using ntlm_auth?

* Weak security algorithms, which can be broken in near real-time today.
* It's officially being obsoleted by MS.
* requires an HTTP-level handshake to set up the credentials key exchange
(wastes bandwidth and fills logs with 407 responses).
* does not fit with HTTP/1.0
* winbind helpers are locked during handshake and are capped at a low
number of parallel requests being authenticated.

>
> I don't understand exactly, if it's possible or not (with kerb_auth)
> to have an ad-group with all users, who have squid-permissions. Does

Users and groups work identically in Kerberos and NTLM. Indeed the concept
works the same in all auth protocols that consider groups.

> the kerberos-authentication work without user-interaction (no prompt
> for username/password)?

The prompt is a browser feature. It only appears if the browser has no
known credentials to pass to the proxy. Even Basic auth does not prompt
if the browser password manager already knows the username/password to send.

Kerberos is just an upgraded version of NTLM, which has been altered to:
  * use stronger encryption algorithms
  * omit the resource-hungry challenge handshake (type 1 and 2 NTLM
commands)
The system configuration is quite different since Kerberos requires you
to install a KeyTab which essentially contains a pre-seeded handshake
response (type 3 NTLM command) to send with authentication credentials.

>
> 2010/6/24 Jorge Armando Medina <jmedina_at_e-compugraf.com>:
>> Tom Tux wrote:
>>> I didn't configure a kerberos-helper like squid_kerb_auth. I'm just
>>> using ntlm_auth. So why do I have this message?
>>>
>> If you want to use ntlm_auth (NTLMv1?) you need to change some
>> compatibility settings in Windows; especially Windows Vista and 7 are
>> configured by default to only use NTLMv2, honoring kerberos. You need to
>> edit the Windows registry and change/create
>>
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
>>
>> DWORD value 1
>>
>> You can automate this with a logon script or with a group policy
>> Security:LAN Manager Authentication Level
>>
>> Anyway, I think it is time to migrate to kerb_auth.
>>
>> Best regards.
>>> 2010/6/24 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>
>>>> On Wed, 23 Jun 2010 09:28:38 +0200, Tom Tux <tomtux80_at_gmail.com> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> A few days ago, I already wrote a post concerning the following
>>>>> messages in the cache.log (squid 3.1.3):
>>>>>
>>>>> [2010/06/23 09:13:46, 1] libsmb/ntlmssp.c:335(ntlmssp_update)
>>>>> got NTLMSSP command 3, expected 1
>>>>> [2010/06/23 09:13:46, 1] libsmb/ntlmssp.c:335(ntlmssp_update)
>>>>> got NTLMSSP command 3, expected 1
>>>>> [2010/06/23 09:13:46, 1] libsmb/ntlmssp.c:335(ntlmssp_update)
>>>>> got NTLMSSP command 3, expected 1
>>>>>
>>>>>
>>>>> Our authentication is ntlm-based.
>>>>>
>>>> http://markmail.org/message/aumkxcehqmlnuhbu?q=NTLMSSP+command+3+expected+1

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.4
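As an added illustration (not part of this thread, nor of Squid's or Samba's code) of what the "got NTLMSSP command 3, expected 1" warning refers to: an NTLMSSP token in a Proxy-Authorization header starts with the signature "NTLMSSP\0" followed by a little-endian 32-bit message type (1 = Negotiate, 2 = Challenge, 3 = Authenticate), and the warning means the helper received a type 3 where it expected a type 1, i.e. the start of a fresh handshake. The header values and cache.log lines below are constructed samples.

```python
import base64
import re
from collections import Counter

# NTLMSSP message types: type 1 = Negotiate, type 2 = Challenge, type 3 = Authenticate
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "Negotiate", 2: "Challenge", 3: "Authenticate"}


def ntlmssp_message_type(header_value):
    """Return the NTLMSSP message type in a 'NTLM <base64>' header value,
    or None when the value is not a well-formed NTLMSSP token."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # 8-byte signature followed by the 4-byte little-endian message type
    if len(blob) < 12 or blob[:8] != NTLMSSP_SIGNATURE:
        return None
    return int.from_bytes(blob[8:12], "little")


def make_ntlm_header(msg_type):
    """Build a constructed (minimal, payload-free) 'NTLM <base64>' header value."""
    blob = NTLMSSP_SIGNATURE + msg_type.to_bytes(4, "little") + b"\x00" * 8
    return "NTLM " + base64.b64encode(blob).decode("ascii")


# Matches the ntlmssp_update warning as it appears in cache.log
LOG_RE = re.compile(r"got NTLMSSP command (\d+), expected (\d+)")


def count_ntlmssp_mismatches(log_lines):
    """Count (got, expected) pairs of the ntlmssp_update warning in cache.log lines."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


# Constructed sample cache.log lines of the kind quoted in the thread
SAMPLE_LOG = [
    "[2010/06/23 09:13:46, 1] libsmb/ntlmssp.c:335(ntlmssp_update)",
    "got NTLMSSP command 3, expected 1",
    "[2010/06/23 09:13:46, 1] libsmb/ntlmssp.c:335(ntlmssp_update)",
    "got NTLMSSP command 3, expected 1",
]
```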
Received on Fri Jun 25 2010 - 12:36:27 MDT
