[squid-users] ntlmssp: bad ascii: ffffffab (Lan Manager auth broken?)

Amos Jeffries squid3 at treenet.co.nz
Tue Oct 7 07:45:50 UTC 2014


On 7/10/2014 8:31 p.m., Amos Jeffries wrote:
> On 7/10/2014 7:40 p.m., Victor Sudakov wrote:
>> Amos Jeffries wrote:
>>>> 
>>>>>> Apparently so, but as I said, the very same client 
>>>>>> software does work with the old "ntlm_auth" helper and
>>>>>> does not work with the new ntlm_smb_lm_auth one.
>>>>>> 
>>>>>> That's why I am saying that the problem is on the 
>>>>>> authenticator side and not on the client side.
>>>>> 
>>>>> The client is sending corrupt packets. Old authenticator
>>>>> did not check for the corruption. New one does.
>>>> 
>>>> Which renders the new authenticator useless, at least for
>>>> me.
>>>> 
>>>>> 
>>>>> Client is still sending corrupt packets, which is why both 
>>>>> the developers have said the problem is in the client.
>>>> 
>>>> The developers could have at least provided the option of 
>>>> compatibility with the old bugs :) There is the old good 
>>>> programming creed "be conservative about what you send and 
>>>> liberal about what you receive".
>>>> 
>>> 
>>> The packet *is* accepted. It's the security privileges which
>>> are denied.
>>> 
>>> If you want to accept anything the client sends regardless of 
>>> the credentials' accuracy there is ntlm_fake_auth.
>> 
>> No, ntlm_fake_auth does not work either. It keeps giving
>> 
>> "HTTP/1.1 407 Proxy Authentication Required" Proxy-Authenticate: NTLM
>> 
>> and the browser keeps asking for user credentials.
>> Authentication is never successful/complete with this plugin.
>> 
>> I'm attaching the debug log.
> 
> 
> Interesting log. Can you get a full-body packet trace to me
> privately? That is captured by using the tcpdump -s 0 or -s 65535
> option.
> 
> And if possible the full cache.log contents?

Actually please run the fake-auth helper from 3.4.* with parameter -dv
when doing that. It will dump the relevant NTLM details to cache.log.


If you can also get a similar pair of traces from the SMB LM helper
with option -d it might help investigating that issue as well.

Amos