[squid-users] squid basic ntlm auth error after upgrade to 3.3.8

Amos Jeffries squid3 at treenet.co.nz
Tue Apr 28 13:46:25 UTC 2015


On 28/04/2015 8:46 p.m., Lupick wrote:
> I've found probably where is the problem but I don't know how to solve it.
> 
> If I try to connect with a PC outside the domain squid ntlm auth prompts for
> username/password. On the password prompt banner I have the proxy ip
> address; so the ntlm auth is used.

The HTTP auth label "NTLM" was used by some old client software to
deliver LanMan protocol credentials (DOS 1.0 thru Windows 98 to give you
an idea of scale) - which is essentially 8-bit encrypted username+password.

Naturally a lot of more modern systems are not permitting that type of
downgrade attack anymore. I suspect your OS upgrade came with an upgrade
to either CentOS Samba version ntlm_auth helper which dropped support
for those 20+ year old insecure protocols.

IIRC the "fix" for this is to turn off MSIE "Windows Integrated
Authentication" on machines which are not part of a domain. That leaves
them with selecting Basic auth which works.

Alternatively upgrading the domain to Kerberos (Negotiate auth) instead
of NTLM has also long been recommended.


> I can put my domain\username + password but it keeps requesting the
> password.
> 
> I've tried to comment out all the ntlm auth stuff in squid.conf; and I kept
> only the basic.
> 
> Now the PC requests from me the username\password but this time on the banner
> I have " Squid proxy-caching web server"  so basic auth is used.  If I put
> my domain\username + pwd all is working well.
> 
> So I assume the problem is due to ntlm auth doesn't fall back to basic but
> it keeps requesting password.
> 
> Do you know how to force squid to fall back to basic auth if ntlm auth fails?
> I remember in older versions it was automatic.

There is no way to force fallback. Squid is merely advertising the set
of HTTP auth schemes it accepts. The client software makes the choice
which to use.

Amos
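
The point about scheme advertisement, as an added example that is not part of the original post or of Squid's code: it parses the Proxy-Authenticate headers of a constructed 407 response and models which scheme a client selects. The sample response, the PREFERENCE ranking and both function names are assumptions made for illustration.

```python
# Constructed sample of a 407 from a proxy with NTLM and Basic both configured.
# The Basic realm is the banner text quoted in the thread; the rest is made up.
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="Squid proxy-caching web server"\r\n'
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Assumed client-side ranking, strongest scheme first (hypothetical model).
PREFERENCE = ["negotiate", "ntlm", "digest", "basic"]


def advertised_schemes(raw_response):
    """Return [(scheme, params)] from Proxy-Authenticate headers, in order sent.

    Assumes one challenge per header line, as in the sample above.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    offers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate":
            scheme, _, params = value.strip().partition(" ")
            offers.append((scheme.lower(), params.strip()))
    return offers


def client_choice(offers, enabled):
    """Pick the client's highest-ranked enabled scheme that the proxy offered.

    The proxy has no input here: given the same 407 and the same client
    settings, the client selects the same scheme on every retry.
    """
    offered = {scheme for scheme, _ in offers}
    for scheme in PREFERENCE:
        if scheme in enabled and scheme in offered:
            return scheme
    return None


if __name__ == "__main__":
    offers = advertised_schemes(SAMPLE_407)
    print("proxy offers        :", [s for s, _ in offers])
    print("integrated auth on  :", client_choice(offers, {"negotiate", "ntlm", "basic"}))
    print("integrated auth off :", client_choice(offers, {"basic"}))
```
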

