[squid-users] ntlmssp: bad ascii: ffffffab (Lan Manager auth broken?)

Amos Jeffries squid3 at treenet.co.nz
Tue Oct 7 03:29:05 UTC 2014



On 7/10/2014 3:52 p.m., Victor Sudakov wrote:
> Amos Jeffries wrote:
>>> 
>>> I have never used the helper provided by Samba, and I am not 
>>> willing to start using it.
>>> 
>>> I don't want to install Samba on a proxy server, maintain a 
>>> smb.conf and TDB databases there, join a domain, see hundreds
>>> of winbindd processes etc.
>> 
>> That's the price of NTLM.
> 
> This price is too high for my objectives.
> 
>>> The ntlm_auth plugin has always been sufficient for my needs.
>>> I hoped it would continue to be usable, but something is broken
>>> in it.
>> 
>> The Squid "ntlm_auth" helper (now ntlm_smb_lm_auth) does not,
>> and never has, performed NTLM in any way.
>> 
>> What it does is this http://en.wikipedia.org/wiki/LM_hash.
> 
> I am perfectly aware of that. The problem is that this LM 
> authentication did work with the squid27 ntlm_auth helper and does
> not work with the squid34 newer ntlm_smb_lm_auth helper. There was
> no need to break what was working.

SMB LM supports both ASCII and UNICODE. Each packet is explicitly
flagged as one or other. Apparently your client software wants to
authenticate using a character 171 out of an array of length 127.


> 
>> The *Basic* authentication provided in HTTP is actually a
>> superior form of authentication. If you convert your proxy to
>> requesting Basic auth you will find your
> 
> I am afraid you are mistaken. If I convert my proxy to Basic, it 
> will start asking users for their login/password for proxy access, 
> instead of authenticating them transparently with their Windows 
> credentials.

That is a limitation of your software. Basic itself is superior to SMB
LM. You are just given no access to use it for SSO by the tools
currently in use.


>> 
>>> I would be glad to migrate to Kerberos though, if I can only
>>> make browsers use it. No success so far. If anybody can help
>>> with it, I would greatly appreciate.
>> 
>> 
>> Since your environment was accepting the old versions of 
>> ntlm_smb_lm_auth helper I predict that most of that software
>> will attempt to use the Negotiate/NTLM form of Negotiate
>> authentication over HTTP.
>> 
>> To prevent that you will have to disable NTLM use on the
>> machine(s) you are trying to convert to Kerberos.
> 
> Yes, I have special provisions in the domain policies to allow the
> old NTLM.  Do you mean to say if I disable NTLM, the browsers will
> start talking Negotiate/Kerberos?

I mean turn off NTLM for the specific machines being checked so you
can identify the ones that have broken Kerberos and concentrate on
resolving that. Otherwise they will "work" and continue to use NTLM
invisibly. You hit a major emergency if you think all are using
Kerberos and NTLM can be turned off completely.


> 
> Thanks for the hint, I will try that out and report here.
> 
>> Adding Basic as a fallback offering you can test the Kerberos is
>> working without cutting the service or /user off completely.
> 
> No, adding Basic is not an option because I will have to provide 
> special "proxy passwords" to the users, or make them enter their 
> Windows passwords by hand. This is highly undesirable. Once they 
> logon into Windows, they must have (or not have) Web access 
> transparently.
> 
> If you know how to achieve SSO with Basic auth, please share.
> 

This is what password managers in the browser are for IME. Someone
else might know how to get Windows itself providing them to the browser.

On the AD end of things the LDAP interface I think is required for
non-NTLM/Kerberos SSO.

Amos
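To make the ASCII/UNICODE flag point above concrete, here is an added example (not the Squid ntlm_smb_lm_auth helper's own code; the function names and the 128-entry limit are my assumptions) that rejects a byte above 127 in an ASCII-flagged SMB LM string and shows why a byte 0xAB logged through a signed char appears as ffffffab rather than ab:

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical validator: an SMB LM string flagged as ASCII may only
 * carry 7-bit bytes (0..127); anything above is the "bad ascii" case. */
#define LM_ASCII_LIMIT 128

/* Returns -1 if every byte is valid 7-bit ASCII, otherwise the value of
 * the first offending byte (0..255). A UNICODE-flagged packet is not
 * subject to the ASCII rule, so the check is skipped for it. */
int lm_check_ascii(const unsigned char *buf, size_t len, int unicode_flag)
{
    if (unicode_flag)
        return -1;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] >= LM_ASCII_LIMIT)
            return buf[i];
    }
    return -1;
}

/* Reproduces the log value: when the byte lives in a plain (signed) char,
 * 0xAB is -85; passing it to a %x conversion promotes it to int with sign
 * extension, so it prints as ffffffab. The arithmetic below mimics that
 * promotion deterministically instead of relying on the platform's char. */
unsigned int as_logged(unsigned char b)
{
    int promoted = (b >= 128) ? (int)b - 256 : (int)b;
    return (unsigned int)promoted;
}

int main(void)
{
    /* Constructed sample: "user" followed by byte 171 (0xAB), as an
     * ASCII-flagged client might send for a non-ASCII character. */
    const unsigned char sample[] = { 'u', 's', 'e', 'r', 0xAB };
    int bad = lm_check_ascii(sample, sizeof sample, 0);
    if (bad >= 0)
        printf("ntlmssp: bad ascii: %x (byte value %d)\n",
               as_logged((unsigned char)bad), bad);
    else
        printf("ascii ok\n");
    return 0;
}
```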