Re: [squid-users] The Famous "NTLMSSP command 3, expected 1"

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 20 Apr 2011 01:17:26 +1200

On 20/04/11 01:04, Go Wow wrote:
> I have seen that increasing the number of auth children decreases the
> errors in cache.log. What is the optimal number of children that we
> should use, supposing Squid is serving 500 users?
>
> I will try your suggestions and inform you.
>

Hmm, that sounds like it may actually be NTLM, but failing some other way.

Number of auth children has a max of 256 connections to the DC. Each
child will consume one.
If you have much RAM used by Squid there are also sometimes limits to
how many children it can spawn/fork before you get out-of-memory problems.

Ensure that persistent connections are ON to clients (default in 3.1).
That will have the biggest impact.

>
> Regards
>
> On 19 April 2011 16:50, Amos Jeffries wrote:
>> On 19/04/11 23:54, Go Wow wrote:
>>>
>>> Hi,
>>>
>>> I meant 3.1.11
>>>
>>> How do I check which user-agent is giving this issue? As I said, 70% of
>>> people here use IE (different versions): some use IE 8, IE 7 and IE 6.
>>> 20-25% use Firefox 3.6 or Firefox 4, and the rest use Google Chrome.
>>
>> It may be in your logs as a client which gets a lot of NTLM denials.
>>
>> If not, adding a log to record which agents are failing is easy:
>>
>> # The client's credentials travel in the Proxy-Authorization request header
>> # (Proxy-Authenticate is the server-side challenge, and "Proxy-Authentication" is neither).
>> logformat agentTokens %{Proxy-Authorization}>h "%{User-Agent}>h"
>>
>> (mind the wrap that is one line)
>>
>> acl failedAuth http_status 407
>> access_log /some/file.log agentTokens failedAuth
>>
>> This logs the auth tokens and user-agents sending them. One of the tokens
>> should appear in cache.log next to the error message.
>>
>>>
>>> Can you please point me to some doc to use that negotiate wrapper. I
>>> tried squid_kerb_auth and failed miserably and I'm not planning to go
>>> near it until my squid is stable.
>>>
>>> I have made a GPO for all users to use NTLM as the preferred auth method;
>>> let's see if that makes a difference. I did it by setting
>>> "LmCompatibilityLevel" to "1" in the registry.
>>
>> "1" is not a good value for that. Probably "4" is what you need. "5" if
>> possible.
>>
>> see this for what each level apparently means:
>>
>> http://technet.microsoft.com/en-nz/magazine/2006.08.securitywatch%28en-us%29.aspx
>>
>> It seems to be an old article, so things may have changed a little. I'm not
>> sure how Kerberos integrates with those for example in IE 7/8.
>>
>>>
>>> Cheers
>>>
>>> On 19 April 2011 14:08, Amos Jeffries wrote:
>>>>
>>>> On 19/04/11 20:09, Go Wow wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I use NTLM to authenticate my AD users with Squid 3.11. My cache logs
>>>>
>>>> You mean 3.1.1? We are only up to the 3.2 series so far.
>>>>
>>>>> have these entries at random times. I know that the client is sending
>>>>> a kerberos reply instead of NTLM auth. I want to know whether
>>>>> something can be done about this or not.
>>>>>
>>>>> libsmb/ntlmssp.c:335(ntlmssp_update) got NTLMSSP command 3, expected 1
>>>>>
>>>>> I tried moving to Kerberos but it didn't work for me. My client environment
>>>>> is IE 8, Chrome and Firefox 3.6 or 4.
>>>>
>>>> For the record, which User-Agent is broken and sending Kerberos when
>>>> offered NTLM? And are you offering Negotiate?
>>>>
>>>> The new negotiate_wrapper helper from Markus Moeller may help. We have
>>>> tested it for use in "auth_param negotiate", but I'm not sure of the
>>>> effect if it's used in "auth_param ntlm".

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Tue Apr 19 2011 - 13:17:31 MDT
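As an added example (not part of this thread and not Squid's own code): a small Python script that reads lines in the agentTokens format suggested above, base64-decodes each credential token, and counts per User-Agent whether the client sent an NTLMSSP type 1 (negotiate), a type 3 (authenticate, the message the helper complains about), or a GSS-API/SPNEGO blob such as a Kerberos ticket. It assumes the logformat records the client's Proxy-Authorization request header; the sample log lines, agent names and tokens are constructed.

```python
import base64
import re
import struct
from collections import Counter, defaultdict

# One log line per request: <Proxy-Authorization value> "<User-Agent>".
# Squid logs a missing header as "-", so the scheme is mandatory but the token is not.
LINE_RE = re.compile(r'^(?P<scheme>\S+)(?: (?P<token>\S+))? "(?P<agent>[^"]*)"$')


def classify_token(scheme, token):
    """Describe what the client actually sent, regardless of the scheme it claimed."""
    if scheme == "-" or token is None:
        return "no-credentials"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return f"{scheme}:undecodable"
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        # NTLMSSP header: 8-byte signature, then little-endian 32-bit message type
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return f"{scheme}:ntlmssp-type{msg_type}"
    if raw[:1] == b"\x60":  # ASN.1 [APPLICATION 0]: GSS-API InitialContextToken (SPNEGO/Kerberos)
        return f"{scheme}:gssapi-spnego"
    return f"{scheme}:unknown"


def tally(lines):
    """Map each User-Agent to a Counter of token kinds it produced."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            counts[m["agent"]][classify_token(m["scheme"], m["token"])] += 1
    return counts


def ntlm_message(msg_type):
    """Constructed minimal NTLMSSP message: signature, type, zero padding (not a real token)."""
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", msg_type) + b"\x00" * 8).decode()


# Constructed SPNEGO-looking blob: APPLICATION 0 tag followed by the SPNEGO OID.
SPNEGO_BLOB = base64.b64encode(b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02").decode()

SAMPLE_LOG = [  # constructed lines; agent names are placeholders
    '- "BrowserA/1.0"',
    f'NTLM {ntlm_message(1)} "BrowserA/1.0"',
    f'NTLM {ntlm_message(3)} "BrowserB/2.0"',
    f'Negotiate {SPNEGO_BLOB} "BrowserC/3.0"',
]

if __name__ == "__main__":
    for agent, kinds in tally(SAMPLE_LOG).items():
        print(agent, dict(kinds))
```

An agent whose first token on a connection shows up as ntlmssp-type3, or as gssapi-spnego under the NTLM scheme, is the one to match against the cache.log error.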
