Re: [squid-users] The Famous "NTLMSSP command 3, expected 1"

From: Go Wow <gowows_at_gmail.com>
Date: Tue, 19 Apr 2011 17:04:50 +0400

I have seen that increasing the number of auth children decreases the
error in cache.log. What is the optimal amount of children that we
should use, supposing squid is serving 500 users?

I will try your suggestions and inform you.

Regards

On 19 April 2011 16:50, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 19/04/11 23:54, Go Wow wrote:
>>
>> Hi,
>>
>> I meant 3.1.11
>>
>> How do I check which user-agent is giving this issue? As I told 70%
>> people use IE here (different versions) some use IE 8, IE 7 and IE 6.
>> 20-25% use firefox 3.6 or firefox 4 and rest use google chrome.
>
> It may be in your logs as a client which gets a lot of NTLM denials.
>
> If not, adding a log to record which agents are failing is easy:
>
>  logformat agentTokens %{Proxy-Authorization}>h "%{User-Agent}>h"
>
> (mind the wrap that is one line)
>
>  acl failedAuth http_status 407
>  access_log /some/file.log agentTokens failedAuth
>
> This logs the auth tokens and user-agents sending them. One of the tokens
> should appear in cache.log next to the error message.
>
>>
>> Can you please point me to some doc to use that negotiate wrapper. I
>> tried squid_kerb_auth and failed miserably and I'm not planning to go
>> near it until my squid is stable.
>>
>> I have made a GPO for all users to use NTLM as preferred auth method,
>> let's see if that makes a difference. I did it by adding
>> "LmCompatibilityLevel" to "1" in registry.
>
> "1" is not a good value for that. Probably "4" is what you need. "5" if
> possible.
>
> see this for what each level apparently means:
>
> http://technet.microsoft.com/en-nz/magazine/2006.08.securitywatch%28en-us%29.aspx
>
> It seems to be an old article, so things may have changed a little. I'm not
> sure how Kerberos integrates with those for example in IE 7/8.
>
>>
>> Cheers
>>
>> On 19 April 2011 14:08, Amos Jeffries wrote:
>>>
>>> On 19/04/11 20:09, Go Wow wrote:
>>>>
>>>> Hi,
>>>>
>>>> I use NTLM to authenticate my AD users with Squid 3.11. My cache logs
>>>
>>> You mean 3.1.1? we are only up to 3.2 series so far.
>>>
>>>> have these entries at random times. I know that the client is sending
>>>> a kerberos reply instead of NTLM auth. I want to know whether
>>>> something can be done about this or not.
>>>>
>>>> libsmb/ntlmssp.c:335(ntlmssp_update)  got NTLMSSP command 3, expected 1
>>>>
>>>> I tried moving to Kerberos but it didn't work for me. My client environment
>>>> is IE 8, Chrome and Firefox 3.6 or 4
>>>
>>> For the record which User-Agent is broken and sending Kerberos when
>>> offered
>>> NTLM? and are you offering Negotiate?
>>>
>>> The new negotiate_wrapper helper from Markus Moeller may help. We have
>>> tested it of use in "auth_param negotiate", but I'm not sure of the
>>> effect
>>> if it's used in "auth_param ntlm".
>
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.12
>  Beta testers wanted for 3.2.0.7 and 3.1.12.1
>
Received on Tue Apr 19 2011 - 13:04:58 MDT
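
The log suggested in the quoted reply can be summarized per user-agent by decoding each logged token and reading its NTLMSSP message type, which shows which agents send a type 3 (or a Kerberos/SPNEGO blob) where the helper expected a type 1. This is an added example, not code from the thread or from Squid; it assumes each log line is the client's Proxy-Authorization value followed by the quoted User-Agent, and the sample lines and agent names are constructed.

```python
import base64
import struct
from collections import Counter

NTLMSSP_SIG = b"NTLMSSP\x00"  # 8-byte signature that starts every NTLMSSP message

def classify_token(header_value):
    """Return (scheme, kind) for one logged Proxy-Authorization value."""
    if header_value in ("", "-"):          # Squid logs "-" when the header is absent
        return ("none", "no-credentials")
    scheme, _, blob = header_value.partition(" ")
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return (scheme, "undecodable")
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
        # The message type is a little-endian uint32 right after the signature:
        # 1 = negotiate, 2 = challenge, 3 = authenticate.
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return (scheme, f"ntlmssp-type-{msg_type}")
    if raw[:1] == b"\x60":                 # ASN.1 application tag of a GSS-API token
        return (scheme, "gssapi-spnego-or-kerberos")
    return (scheme, "unknown")

def parse_line(line):
    """Split one agentTokens line into (token field, user-agent)."""
    token, _, agent = line.rstrip("\n").partition(' "')
    return token.strip(), agent.rstrip('"')

def summarize(lines):
    """Count (user-agent, scheme, kind) over all non-empty log lines."""
    counts = Counter()
    for line in lines:
        if line.strip():
            token, agent = parse_line(line)
            counts[(agent, *classify_token(token))] += 1
    return counts

def _sample(scheme, raw, agent):           # helper that builds constructed log lines
    return f'{scheme} {base64.b64encode(raw).decode()} "{agent}"'

SAMPLE_LOG = [                             # constructed input, not real traffic
    _sample("NTLM", NTLMSSP_SIG + struct.pack("<II", 1, 0xA2088207), "AgentA/1.0"),
    _sample("NTLM", NTLMSSP_SIG + struct.pack("<I", 3) + b"\x00" * 52, "AgentB/2.0"),
    _sample("Negotiate", b"\x60\x82\x01\x00\x06\x06+\x06\x01\x05\x05\x02", "AgentC/3.0"),
    '- "AgentD/4.0"',
]

if __name__ == "__main__":
    for (agent, scheme, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:5d}  {scheme:<10} {kind:<28} {agent}")
```
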
