Re: [squid-users] The Famous "NTLMSSP command 3, expected 1"

From: Go Wow <gowows_at_gmail.com>
Date: Tue, 19 Apr 2011 17:32:01 +0400

Thanks.

I have set my ntlm auth children to 50, basic auth children to 30 and
squidGuard children to 30. As I see my CPU usage is under 0.09 and RAM
is 1.2GB free outta 4GB.

I also set these directives in squid.conf

logformat agentTokens %{Proxy-Authentication}>h "%{User-Agent}>h"
acl failedAuth http_status 407
access_log /var/log/squid3/access.log squid
access_log /var/log/squid3/access.log agentTokens failedAuth

but I dont see any user-agent info in cache.log (I know im doing
something wrong here, pls correct me)

Cheers

On 19 April 2011 17:26, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 20/04/11 01:20, Go Wow wrote:
>>
>> I'm completely noob in this.  How do I set the below setting?
>>
>> Ensure that persistent connections are ON to clients (default in 3.1).
>> That will have the biggest impact.
>>
>
> In 3.0 and older:
>  client_persistent_connections on
>
> In 3.1 ensure that the directive is not set anywhere in squid.conf.
>
>
>> On 19 April 2011 17:17, Amos Jeffries wrote:
>>>
>>> On 20/04/11 01:04, Go Wow wrote:
>>>>
>>>> I have seen the increasing the number of auth children decreases the
>>>> error in cache.log. What is the optimal amount of children that we
>>>> should use, supposing squid is serving 500 users.
>>>>
>>>> I will try your suggestions and inform you.
>>>>
>>>
>>> Hmm, that sounds like it may actually be NTLM, but failing some other
>>> way.
>>>
>>> Number of auth children has a max of 256 connections to the DC. Each
>>> child
>>> will consume one.
>>>  If you have much RAM used by Squid there are also sometimes limits to
>>> how
>>> many children it can spawn/fork before you get out-of-memory problems.
>>>
>>> Ensure that persistent connections are ON to clients (default in 3.1).
>>> That
>>> will have the biggest impact.
>>>
>>>>
>>>> Regards
>>>>
>>>> On 19 April 2011 16:50, Amos Jeffries wrote:
>>>>>
>>>>> On 19/04/11 23:54, Go Wow wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I meant 3.1.11
>>>>>>
>>>>>> How do I check which user-agent is giving this issue? As I told 70%
>>>>>> people use IE here (different versions) some use IE 8, IE 7 and IE 6.
>>>>>> 20-25% use firefox 3.6 or firefox 4 and rest use google chrome.
>>>>>
>>>>> It may be in your logs as a client which gets a lot of NTLM denials.
>>>>>
>>>>> If not, adding a log to record which agents are failing is easy:
>>>>>
>>>>>  logformat agentTokens %{Proxy-Authentication}>h "%{User-Agent}>h"
>>>>>
>>>>> (mind the wrap that is one line)
>>>>>
>>>>>  acl failedAuth http_status 407
>>>>>  access_log /some/file.log agentTokens failedAuth
>>>>>
>>>>> This logs the auth tokens and user-agents sending them. One of the
>>>>> tokens
>>>>> should appear in cache.log next to the error message.
>>>>>
>>>>>>
>>>>>> Can you please point me to some doc to use that negotiate wrapper. I
>>>>>> tried squid_kerb_auth and failed miserably and I'm not planning to go
>>>>>> near it until my squid is stable.
>>>>>>
>>>>>> I have made  a GPO for all users to use NTML as preferred auth method,
>>>>>> let's see if that makes a difference. I did it by adding
>>>>>> "LmCompatibilityLevel" to "1" in registry.
>>>>>
>>>>> "1" is not a good value for that. Probably "4" is what you need. "5" if
>>>>> possible.
>>>>>
>>>>> see this for what each level apparently means:
>>>>>
>>>>>
>>>>>
>>>>> http://technet.microsoft.com/en-nz/magazine/2006.08.securitywatch%28en-us%29.aspx
>>>>>
>>>>> It seems to be an old article, so things may have changed a little. I'm
>>>>> not
>>>>> sure how Kerberos integrates with those for example in IE 7/8.
>>>>>
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> On 19 April 2011 14:08, Amos Jeffries wrote:
>>>>>>>
>>>>>>> On 19/04/11 20:09, Go Wow wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I use NTLM to authenticate my AD users with Squid 3.11. My cache
>>>>>>>> logs
>>>>>>>
>>>>>>> You mean 3.1.1? we are only up to 3.2 series so far.
>>>>>>>
>>>>>>>> have these entries at random times. I know that the client is
>>>>>>>> sending
>>>>>>>> a kerberos reply instead of NTLM auth. I want to know whether
>>>>>>>> something can be done about this or not.
>>>>>>>>
>>>>>>>> libsmb/ntlmssp.c:335(ntlmssp_update)  got NTLMSSP command 3,
>>>>>>>> expected
>>>>>>>> 1
>>>>>>>>
>>>>>>>> I tried moving to Kerberos but it didnt work for me. My client
>>>>>>>> envirno
>>>>>>>> is IE 8, Chrome and Firefox 3.6 or 4
>>>>>>>
>>>>>>> For the record which User-Agent is broken and sending Kerberos when
>>>>>>> offered
>>>>>>> NTLM? and are you offering Negotiate?
>>>>>>>
>>>>>>> The new negotiate_wrapper helper from Markus Moeller may help. We
>>>>>>> have
>>>>>>> tested it of use in "auth_param negotiate", but I'm not sure of the
>>>>>>> effect
>>>>>>> if its used in "auth_param ntlm".
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.12
>  Beta testers wanted for 3.2.0.7 and 3.1.12.1
>
Received on Tue Apr 19 2011 - 13:32:09 MDT

This archive was generated by hypermail 2.2.0 : Wed Apr 20 2011 - 12:00:03 MDT