Re: [squid-users] Squid-Cache-Error with NTLM: "got NTLMSSP command 3, expected 1"

From: Tom Tux <tomtux80_at_gmail.com>
Date: Fri, 25 Jun 2010 15:07:20 +0200

Hi

If I want to realise a promptless (SSO) login with squid, do I have
- to use ntlm as a auth_param? Or is plain kerberos also possible?
- to configure the "smb.conf" and start the winbind-daemon?
- to join the squid-server to the ad-domain? If yes, is it necessary
to take winbind for this step?

Are the kerberos-tickets persistent, or do I have to renew them
periodically? While creating a keytab-file, I have to enter an
domain-admin-account. I think, that this account appears in the
keytab-file. What happens, if this account will locked out? Is then
the squid-access denied?

I read a lot documents with ntlm/kerberos. But I don't understand, why
I need to have winbind AND kerberos configured. A lot of examples
describes the auth_param with ntlm instead (my opinion) with kerberos.

Can someone help me with this? Are there some other examples, which
describes a promptless login (SSO) with plain kerberos?

Thanks a lot.
Regards,
Tom

2010/6/25 Amos Jeffries <squid3_at_treenet.co.nz>:
> Tom Tux wrote:
>>
>> Hi Jorge
>>
>> Is it possible to have ad-group-permissions with kerb_auth like I can
>> do it with ntlm_auth?
>> What are the disadvantages using ntlm_auth?
>
> * Weak security algorithms. Which can be broken in near real-time today.
> * It's officially being obsoleted by MS.
> * requires an HTTP-level handshake to setup credentials key exchange (wastes
> bandwidth and fills logs with 407 responses).
> * does not fit with HTTP/1.0
> * winbind helpers are locked during handshake and are capped at a low number
> of parallel requests being authenticated.
>
>>
>> I don't understand exactly, if it's possible or not (with kerb_auth)
>> to have an ad-group with all users, who have squid-permissions. Does
>
> Users and groups work identical in Kerberos as NTLM. Indeed the concept
> works the same in all auth protocols that consider groups.
>
>> the kerberos-authentication works without user-interaction (no prompt
>> for username/password)?
>
> The prompt is a browser feature. It only appears if the browser has no known
> credentials to pass to the proxy. Even Basic auth does not prompt if the
> browser password manager already knows the username/password to send.
>
> Kerberos is just an upgraded version of NTLM. Which has been altered to:
> �* use stronger encryption algorithms
> �* omit the resource-hungry challenge handshake (type 1 and 2 NTLM commands)
> The system configuration is quite different since Kerberos requires you to
> install a KeyTab which essentially contains a pre-seeded handshake response
> (type 3 NTLM command) to send with authentication credentials.
>
>
>>
>> 2010/6/24 Jorge Armando Medina <jmedina_at_e-compugraf.com>:
>>>
>>> Tom Tux wrote:
>>>>
>>>> I didn't configured kerberos-helper like squid_kerb_auth. I'm just
>>>> using ntlm_auth. So why do I have this message?
>>>>
>>> If you want to use ntlm_auth ( NTLMv1?) you need to change some
>>> compatibility settings in windows, specially windows vista and 7 are
>>> configure by default to only use NTLMv2 honoring kerberos, you need to
>>> edit windows registry and change/create
>>>
>>>
>>> *HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel*
>>>
>>> *DWORD value 1
>>>
>>> You can automate this with a logon script o with a group policy
>>> Security:LAN Manager Authentication Level
>>>
>>> Anyway, I think is time to migrate to kerb_auth.
>>>
>>> Best regards.
>>> *
>>>>
>>>> 2010/6/24 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>>
>>>>> On Wed, 23 Jun 2010 09:28:38 +0200, Tom Tux <tomtux80_at_gmail.com> wrote:
>>>>>
>>>>>> Hi
>>>>>>
>>>>>> A few days ago, I already wrote a post concerning the following
>>>>>> messages in the cache.log (squid 3.1.3):
>>>>>>
>>>>>> [2010/06/23 09:13:46, �1] libsmb/ntlmssp.c:335(ntlmssp_update)
>>>>>> �got NTLMSSP command 3, expected 1
>>>>>> [2010/06/23 09:13:46, �1] libsmb/ntlmssp.c:335(ntlmssp_update)
>>>>>> �got NTLMSSP command 3, expected 1
>>>>>> [2010/06/23 09:13:46, �1] libsmb/ntlmssp.c:335(ntlmssp_update)
>>>>>> �got NTLMSSP command 3, expected 1
>>>>>>
>>>>>>
>>>>>> Our authentication is ntlm-based.
>>>>>>
>>>>>
>>>>> http://markmail.org/message/aumkxcehqmlnuhbu?q=NTLMSSP+command+3+expected+1
>
>
>
> Amos
> --
> Please be using
> �Current Stable Squid 2.7.STABLE9 or 3.1.4
>
Received on Fri Jun 25 2010 - 13:07:35 MDT

This archive was generated by hypermail 2.2.0 : Fri Jun 25 2010 - 12:00:04 MDT