[squid-users] problem with ntlm_smb_lm_auth helper

Emmanuel Garette egarette at cadoles.com
Thu Sep 17 10:24:36 UTC 2015


On 16/09/2015 11:40, Amos Jeffries wrote:
> On 16/09/2015 9:05 p.m., Emmanuel Garette wrote:
>> On 07/09/2015 18:40, Amos Jeffries wrote:
>>> On 8/09/2015 1:17 a.m., Emmanuel Garette wrote:
>>>> Seems to be ok for me. Thanks for your fast reply.
>>>>
>>>> Do I need to open a bug in Bugzilla?
>>>>
>>> No need. I think this may be one of the existing ones about this helper.
>>> Thanks for the feedback; it should be applied to the current versions
>>> shortly.
>> Hi,
>>
>> Today I found a new problem. Everything works fine with computers joined to
>> the Windows domain. Not for computers using CNTLM (not in the domain).
>>
>> In debug mode I can see this error:
>>
>>> ntlm_smb_lm_auth.cc(307): pid=4668 :NT response: insane data (pkt-sz: 108, fetch len: 0, offset: 108)
>>
>> If I understand correctly, there is no NT password.
>>
>> In older code, there was this line:
>>
>>> tmp = ntlm_fetch_string ((char *) auth, auth_length, &auth->ntresponse);
>>> if (tmp.str != NULL && tmp.l != 0) {
>> The NT password was checked only if len was different from 0.
>>
>> In this part of your patch:
>>> /* still fetch the NT response and check validity against empty password */
>>>      {
>>>          const strhdr * str = &auth->ntresponse;
>>>          int16_t len = le16toh(str->len);
>>>          int32_t offset = le32toh(str->offset);
>>>          if (len != ENCODED_PASS_LEN || offset + len > auth_length || offset == 0) {
>>
>> If I replace the last line with:
>>
>>> if ((len != 0 && len != ENCODED_PASS_LEN) || offset + len > auth_length || offset == 0) {
>>
>> Everything works well.
> By that do you mean it rejects with "Empty NT password supplied for
> user" ?  or that it accepts the login?
I'm not familiar with the NTLM protocol, but in my case the NT password seems to
be empty (length 0). In this case, the older version of the helper accepts it.
The new one exits with the error "insane data". That's why I propose to test
whether len is not null.

The NT password is empty with cNTLM but also with Firefox on a GNU/Linux
workstation.

Regards,
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
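An added example, not part of the thread or of the Squid source: a stand-alone check of an NTLM response header (len, maxlen, offset, little-endian) that reports an empty NT response separately from a malformed one, so the caller can decide whether an empty response is rejected or accepted. The names `check_response_hdr`, `check_fields`, `RESP_LEN` and the status values are hypothetical. It goes beyond the condition quoted above by reading the fields as unsigned and testing the end of the buffer without an addition that could overflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 24 bytes, the NTLMv1 response size, stands in for ENCODED_PASS_LEN. */
#define RESP_LEN 24u

enum buf_status { BUF_INVALID = 0, BUF_EMPTY = 1, BUF_PRESENT = 2 };

/* Little-endian reads, byte by byte: no alignment or host-endianness dependence. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* hdr: 8-byte security buffer header, len(2) maxlen(2) offset(4).
 * pkt_len: size of the whole decoded authenticate packet. */
enum buf_status check_response_hdr(const uint8_t hdr[8], size_t pkt_len)
{
    size_t len = rd16(hdr);
    size_t offset = rd32(hdr + 4);

    if (len != 0 && len != RESP_LEN)
        return BUF_INVALID;              /* neither absent nor a full response */
    if (offset == 0 || offset > pkt_len)
        return BUF_INVALID;              /* start lies outside the packet */
    if (len > pkt_len - offset)
        return BUF_INVALID;              /* end lies outside; cannot wrap */
    return len == 0 ? BUF_EMPTY : BUF_PRESENT;
}

/* Constructed helper: build a header from field values, then check it. */
enum buf_status check_fields(uint16_t len, uint32_t offset, size_t pkt_len)
{
    uint8_t hdr[8] = {
        (uint8_t)len, (uint8_t)(len >> 8), (uint8_t)len, (uint8_t)(len >> 8),
        (uint8_t)offset, (uint8_t)(offset >> 8),
        (uint8_t)(offset >> 16), (uint8_t)(offset >> 24)
    };
    return check_response_hdr(hdr, pkt_len);
}

int main(void)
{
    /* Values from the debug line in the thread: pkt-sz 108, len 0, offset 108. */
    printf("logged case -> %d\n", check_fields(0, 108, 108));
    return 0;
}
```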


