[squid-users] ntlmssp: bad ascii: ffffffab (Lan Manager auth broken?)

Victor Sudakov sudakov at sibptus.tomsk.ru
Tue Oct 7 04:16:59 UTC 2014



Amos Jeffries wrote:
> >>> 
> >>> I have never used the helper provided by Samba, and I am not 
> >>> willing to start using it.
> >>> 
> >>> I don't want to install Samba on a proxy server, maintain a 
> >>> smb.conf and TDB databases there, join a domain, see hundreds
> >>> of winbindd processes etc.
> >> 
> >> That's the price of NTLM.
> > 
> > This price is too high for my objectives.
> > 
> >>> The ntlm_auth plugin has always been sufficient for my needs.
> >>> I hoped it would continue to be usable, but something is broken
> >>> in it.
> >> 
> >> The Squid "ntlm_auth" helper (now ntlm_smb_lm_auth) does not,
> >> and never has, performed NTLM in any way.
> >> 
> >> What it does is this http://en.wikipedia.org/wiki/LM_hash.
> > 
> > I am perfectly aware of that. The problem is that this LM 
> > authentication did work with the squid27 ntlm_auth helper and does
> > not work with the squid34 newer ntlm_smb_lm_auth helper. There was
> > no need to break what was working.
> 
> SMB LM supports both ASCII and UNICODE. Each packet is explicitly
> flagged as one or other. Apparently your client software wants to
> authenticate using a character 171 out of an array of length 127.

Apparently so, but as I said, the very same client software does work
with the old "ntlm_auth" helper and does not work with the new
ntlm_smb_lm_auth one.

That's why I am saying that the problem is on the authenticator side
and not on the client side.


> >> The *Basic* authentication provided in HTTP is actually a
> >> superior form of authentication. If you convert your proxy to
> >> requesting Basic auth you will find your
> > 
> > I am afraid you are mistaken. If I convert my proxy to Basic, it 
> > will start asking users for their login/password for proxy access, 
> > instead of authenticating them transparently with their Windows 
> > credentials.
> 
> That is a limitation of your software. Basic itself is superior to SMB
> LM. 

I am not so sure about it. In Basic, you just base64 decode the
relevant HTTP header to obtain a plain text password. In LM,
it is a bit more difficult.

> You are just given no access to use it for SSO by the tools
> currently in use.

All right, what tools are there for proxy SSO with Windows
credentials? Please specify.

[dd]

I will reply to the rest of the mail after I experiment if disabling
LM actually does enable Negotiate/Kerberos.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
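The "bad ascii: ffffffab" in the subject line is the shape a byte of 0xab (171) takes when a signed char is widened to int before being printed, and the "character 171 out of an array of length 127" remark describes the same byte being used as an index into a 7-bit table. The following C program is an added illustration of that failure mode and of the unsigned-byte fix; it is not Squid's own helper code, and the sample NTLM string field and the validator functions are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: an NTLM "ASCII"-flagged string field whose third byte is
 * 0xab (171), as a legacy Windows codepage might encode a non-ASCII letter. */
static const char SAMPLE_FIELD[] = { 'v', 's', (char)0xab, 'k', 0 };

/* Widening a byte through a signed char: 0xab becomes -85, which a "%04x"
 * debug format then shows as ffffffab. */
int widen_as_signed(signed char c) {
    return (int)c;
}

/* Widening through an unsigned char keeps the byte value 171. */
int widen_as_unsigned(unsigned char c) {
    return (int)c;
}

/* Buggy validator: with a signed char, every byte >= 0x80 is negative, so the
 * ">= 0x80" test can never fire and the byte passes as "ASCII". If it is then
 * used as an index into a 128-entry case-folding table, the index is negative,
 * i.e. out of bounds. Returns the index of the first non-ASCII byte, or -1. */
int first_non_ascii_buggy(const char *s, size_t n) {
    for (size_t i = 0; i < n; i++) {
        signed char c = (signed char)s[i];
        if (c >= 0x80)          /* always false: range is -128..127 */
            return (int)i;
    }
    return -1;
}

/* Fixed validator: inspect the buffer as unsigned bytes, so 0xab is reported
 * before it can be used as a table index. */
int first_non_ascii_fixed(const char *s, size_t n) {
    const unsigned char *p = (const unsigned char *)s;
    for (size_t i = 0; i < n; i++) {
        if (p[i] >= 0x80)
            return (int)i;
    }
    return -1;
}

int main(void) {
    size_t n = strlen(SAMPLE_FIELD);
    printf("signed widening : ntlmssp: bad ascii: %04x\n",
           (unsigned int)widen_as_signed((signed char)SAMPLE_FIELD[2]));
    printf("buggy validator : first non-ASCII at %d\n", first_non_ascii_buggy(SAMPLE_FIELD, n));
    printf("fixed validator : first non-ASCII at %d\n", first_non_ascii_fixed(SAMPLE_FIELD, n));
    return 0;
}
```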
