[squid-users] ntlmssp: bad ascii: ffffffab (Lan Manager auth broken?)

Amos Jeffries squid3 at treenet.co.nz
Mon Oct 6 16:20:34 UTC 2014


On 7/10/2014 4:39 a.m., Victor Sudakov wrote:
> Dear Francesco,
> 
> I have never used the helper provided by Samba, and I am not
> willing to start using it.
> 
> I don't want to install Samba on a proxy server, maintain a
> smb.conf and TDB databases there, join a domain, see hundreds of
> winbindd processes etc.

That's the price of NTLM.

> 
> The ntlm_auth plugin has always been sufficient for my needs. I
> hoped it would continue to be usable, but something is broken in
> it.
> 

The Squid "ntlm_auth" helper (now ntlm_smb_lm_auth) does not, and
never has, performed NTLM in any way.

What it does is this http://en.wikipedia.org/wiki/LM_hash.

Note how it says the protocol was obsoleted by ... *Windows 3.1*

The *Basic* authentication provided in HTTP is actually a superior
form of authentication.

If you convert your proxy to requesting Basic auth you will find your
system just as secure as before, has a far wider range of software
support, and greater performance.


> I would be glad to migrate to Kerberos though, if I can only make
> browsers use it. No success so far. If anybody can help with it, I
> would greatly appreciate it.


Since your environment was accepting the old versions of
ntlm_smb_lm_auth helper I predict that most of that software will
attempt to use the Negotiate/NTLM form of Negotiate authentication
over HTTP.

To prevent that you will have to disable NTLM use on the machine(s)
you are trying to convert to Kerberos. By adding Basic as a fallback
offering you can test that Kerberos is working without cutting the
service or user off completely.

Amos

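
As an added example (not part of the original post and not Squid's own code): a heuristic Python check that tells, from a Proxy-Authorization value captured while testing, whether a client answered a Negotiate offer with Kerberos or with the NTLM form of Negotiate that the reply above predicts. The function name and the sample header values are assumptions; the samples are constructed token fragments, not complete tokens.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"  # signature that opens every NTLMSSP message
# DER-encoded mechanism OIDs found inside GSS-API / SPNEGO tokens
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2


def classify(header_value):
    """Heuristically label a Proxy-Authorization value.

    Returns 'basic', 'ntlm', 'negotiate-ntlm', 'negotiate-kerberos' or 'unknown'.
    """
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("ntlm", "negotiate"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if scheme == "ntlm":
        return "ntlm" if token.startswith(NTLMSSP_SIG) else "unknown"
    # Negotiate: NTLMSSP may be sent bare or wrapped in SPNEGO; either way the
    # signature is present in the token.
    if NTLMSSP_SIG in token:
        return "negotiate-ntlm"
    # GSS-API initial tokens start with tag 0x60; require the Kerberos OID.
    if token[:1] == b"\x60" and KRB5_OID in token:
        return "negotiate-kerberos"
    return "unknown"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed sample values (token fragments, not complete tokens).
SAMPLES = {
    "bare NTLMSSP": "Negotiate " + _b64(NTLMSSP_SIG + b"\x01\x00\x00\x00"),
    "kerberos": "Negotiate " + _b64(b"\x60\x82\x05\x00" + SPNEGO_OID + KRB5_OID + b"\x01\x00"),
    "basic": "Basic " + _b64(b"user:constructed-password"),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:14} -> {classify(value)}")
```

A client that keeps returning `negotiate-ntlm` after the proxy offers Negotiate has not obtained a Kerberos ticket for the proxy's service principal.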
