[squid-users] ntlmssp: bad ascii: ffffffab (Lan Manager auth broken?)

Victor Sudakov sudakov at sibptus.tomsk.ru
Tue Oct 7 02:52:14 UTC 2014


Amos Jeffries wrote:
> > 
> > I have never used the helper provided by Samba, and I am not
> > willing to start using it.
> > 
> > I don't want to install Samba on a proxy server, maintain a
> > smb.conf and TDB databases there, join a domain, see hundreds of
> > winbindd processes etc.
> 
> That's the price of NTLM.

This price is too high for my objectives.

> > The ntlm_auth plugin has always been sufficient for my needs. I
> > hoped it would continue to be usable, but something is broken in
> > it.
> 
> The Squid "ntlm_auth" helper (now ntlm_smb_lm_auth) does not, and
> never has, performed NTLM in any way.
> 
> What it does is this http://en.wikipedia.org/wiki/LM_hash.

I am perfectly aware of that. The problem is that this LM
authentication did work with the squid27 ntlm_auth helper and does not
work with the squid34 newer ntlm_smb_lm_auth helper. There was no need
to break what was working.

> The *Basic* authentication provided in HTTP is actually a superior
> form of authentication.
> If you convert your proxy to requesting Basic auth you will find your

I am afraid you are mistaken. If I convert my proxy to Basic, it
will start asking users for their login/password for proxy access,
instead of authenticating them transparently with their Windows
credentials.

> 
> > I would be glad to migrate to Kerberos though, if I can only make 
> > browsers use it. No success so far. If anybody can help with it, I 
> > would greatly appreciate.
> 
> 
> Since your environment was accepting the old versions of
> ntlm_smb_lm_auth helper I predict that most of that software will
> attempt to use the Negotiate/NTLM form of Negotiate authentication
> over HTTP.
> 
> To prevent that you will have to disable NTLM use on the machine(s)
> you are trying to convert to Kerberos. 

Yes, I have special provisions in the domain policies to allow the old
NTLM.  Do you mean to say if I disable NTLM, the browsers will start
talking Negotiate/Kerberos? 

Thanks for the hint, I will try that out and report here.

> Adding Basic as a fallback
> offering you can test the Kerberos is working without cutting the
> service or /user off completely.

No, adding Basic is not an option because I will have to provide
special "proxy passwords" to the users, or make them enter their
Windows passwords by hand. This is highly undesirable. Once they
log on to Windows, they must have (or not have) Web access
transparently.

If you know how to achieve SSO with Basic auth, please share.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru