[squid-users] ntlmssp: bad ascii: ffffffab (Lan Manager auth broken?)

Amos Jeffries squid3 at treenet.co.nz
Tue Oct 7 04:43:59 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 7/10/2014 5:16 p.m., Victor Sudakov wrote:
> Amos Jeffries wrote:
>>>>> 
>>>>> I have never used the helper provided by Samba, and I am
>>>>> not willing to start using it.
>>>>> 
>>>>> I don't want to install Samba on a proxy server, maintain a
>>>>>  smb.conf and TDB databases there, join a domain, see
>>>>> hundreds of winbindd processes etc.
>>>> 
>>>> Thats the price of NTLM.
>>> 
>>> This price is too high for my objectives.
>>> 
>>>>> The ntlm_auth plugin has always been sufficient for my
>>>>> needs. I hoped it would continue to be usable, but
>>>>> something is broken in it.
>>>> 
>>>> The Squid "ntlm_auth" helper (now ntlm_smb_lm_auth) does
>>>> not, and never has, performed NTLM in any way.
>>>> 
>>>> What it does is this http://en.wikipedia.org/wiki/LM_hash.
>>> 
>>> I am perfectly aware of that. The problem is that this LM 
>>> authentication did work with the squid27 ntlm_auth helper and
>>> does not work with the squid34 newer ntlm_smb_lm_auth helper.
>>> There was no need to break what was working.
> 
>> SMB LM supports both ASCII and UNICODE. Each packet is
>> explicitly flagged as one or other. Apparently your client
>> software wants to authenticate using a character 171 out of an
>> array of length 127.
> 
> Apparently so, but as I said, the very same client software does
> work with the old "ntlm_auth" helper and does not work with the
> new ntlm_smb_lm_auth one.
> 
> That's why I am saying that the problem is on the authenticator
> side and not on the client side.

The client is sending corrupt packets.

Old authenticator did not check for the corruption. New one does.

Client is still sending corrupt packets, which is why both the
developers have said the problem is in the client.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUM2+PAAoJELJo5wb/XPRjLbkH/09mdnl6r5Q2ZlPv3uwSjHZf
CAce2sHQYpKM3m7F3V8f4rLxhLz65Ive+nIXTFIkrdf+YWbCr8KRYnHIxWYpsbdz
oIEixxl1lFDnQJmiS8qQXDBDlwoXMNBU+ey3C2TarJt6R62oX+5ZBztVNZHGXycS
aA+I+2K4MHVZXKAS0g8tMecNcSgqB91Qfd3BA4+hybeHXPRbJr8gvZZ6v9vChWZq
BYCyGNDA4r7lEXqQx+YcZ/9BWsQaWBm/Smh4xlR1PD3YiIrLZ8WvK9o+Ldjz+nEC
iZG2VM9OHb9Nf52ZNU8Ofw+6CoM4reiQPydswFjqwnwWze7UEZQ0DUjiFvantm8=
=Uosz
-----END PGP SIGNATURE-----


More information about the squid-users mailing list