[squid-users] ntlmssp: bad ascii: ffffffab (Lan Manager auth broken?)

Victor Sudakov sudakov at sibptus.tomsk.ru
Mon Oct 6 15:39:26 UTC 2014


Dear Francesco,

I have never used the helper provided by Samba, and I am not willing
to start using it. 

I don't want to install Samba on a proxy server, maintain a smb.conf
and TDB databases there, join a domain, see hundreds of winbindd
processes etc.

The ntlm_auth plugin has always been sufficient for my needs. I hoped
it would continue to be usable, but something is broken in it.

I would be glad to migrate to Kerberos though, if I can only make
browsers use it. No success so far. If anybody can help with it, I
would greatly appreciate it.


Kinkie wrote:
> er.. are you not using the helper provided by Samba? That is the most
> reliable way to do NTLM authentication in squid (and most other Linux
> software)
> 
> On Mon, Oct 6, 2014 at 11:08 AM, Victor Sudakov
> <sudakov at sibptus.tomsk.ru> wrote:
> > Francesco,
> >
> > What do you mean by "client"? Absolutely everything in this lab setup
> > is the same, including the browser.
> >
> > The only difference is the ntlm plugin binary (ntlm_auth taken from
> > the old squid and ntlm_smb_lm_auth from the new one).
> >
> > In fact, I replaced the binary and restarted squid.
> >
> > Kinkie wrote:
> >> Whoops, sorry for the empty message.
> >> This seems like a broken client. Can you check whether the client
> >> sending that was a legitimate one?
> >>
> >> On Mon, Oct 6, 2014 at 10:24 AM, Victor Sudakov
> >> <sudakov at sibptus.tomsk.ru> wrote:
> >> > Colleagues,
> >> >
> >> > The NTLM (LM) plugin in squid27 worked perfectly while the NTLM plugin in
> >> > squid34 is obviously broken.
> >> >
> >> > I am attaching two log files, one of the old plugin and the other of
> >> > the new one. Could someone please have a look at bad-ntlm.log to see
> >> > why ntlm_smb_lm_auth does not work any more after upgrading to 34?
> >> >
> >> > What does this failure
> >> >
> >> > ntlmssp: bad ascii: ffffffab
> >> > No auth at all. Returning no-auth
> >> > ntlm_smb_lm_auth.cc(531): pid=16346 :sending 'NA Logon Failure' to squid
> >> >
> >> > actually mean?
> >> >
> >> > I know that LM is bad and insecure, but I cannot give it up for the
> >> > present in the production environment until I make Kerberos
> >> > (negotiate) work.
> >> >
> >> > --
> >> > Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> >> > sip:sudakov at sibptus.tomsk.ru
> >> >
> >> > _______________________________________________
> >> > squid-users mailing list
> >> > squid-users at lists.squid-cache.org
> >> > http://lists.squid-cache.org/listinfo/squid-users
> >> >
> >>
> >>
> >>
> >> --
> >>     Francesco
> >
> > --
> > Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> > sip:sudakov at sibptus.tomsk.ru
> 
> 
> 
> -- 
>     Francesco

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru

