[squid-users] squid 3.3.3 + ntlm + kerberos

From: nicola gentile <nicola.gentile.to_at_gmail.com>
Date: Tue, 23 Apr 2013 10:12:46 +0200

Good morning,
I would like to ask you for some information and help.
Currently I use Squid 3.1.21 on Debian 6.0.7 with NTLM and Kerberos
authentication, and everything works fine.
Now I must recompile Squid and I would like to test version 3.3.3.
The options that I have used for the compile are:

./configure --prefix=/usr/local/squid \
--with-default-user=proxy \
--enable-async-io \
--enable-storeio="ufs,aufs,diskd" \
--enable-auth \
--disable-auth-basic \
--enable-auth-ntml=smb_lm \
--enable-auth-negotiate=kerberos,wrapper \
--disable-auth-digest \
--with-large-files \
--with-filedescriptors=65535 \
--enable-ltdl-convenience \
--enable-ssl \
--disable-ipv6

The daemon seems to work, but when I try to authenticate through NTLM
it does not work, while Kerberos works correctly.
I looked in the cache.log file and the error message is the following:

ntlm_smb_lm_auth.cc(482): pid=11662 :managing request
ntlm_smb_lm_auth.cc(488): pid=11662 :ntlm authenticator. Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from Squid
ntlm_smb_lm_auth.cc(438): pid=11662 :obtain_challenge: selecting
DOM1\SRV1 (attempt #1)
ntlm_smb_lm_auth.cc(450): pid=11662 :attempting challenge retrieval
ntlm_smb_lm_auth.cc(154): pid=11662 :Connecting to server SRV1 domain DOM1
ntlm_smb_lm_auth.cc(452): pid=11662 :make_challenge retuned 0x80545a0
ntlm_smb_lm_auth.cc(454): pid=11662 :Got it
ntlm_smb_lm_auth.cc(623): pid=11662 :sending 'TT
TlRMTVNTUAACAAAABQAFACgAAACCgkEAhtKix/CDajcAAAAAAAAAAExJTkZB' to squid
ntlm_smb_lm_auth.cc(482): pid=11662 :managing request
ntlm_smb_lm_auth.cc(488): pid=11662 :ntlm authenticator. Got 'KK
TlRMTVNTUAADAAAAGAAYAGwAAAAYABgAhAAAAAYABgBYAAAABwAHAF4AAAAHAAcAZQAAAAAAAACcAAAABoIAAgYBsR0AAAAPptDQzxxxWJkujr9PtX/NoFBPTElUT0QwMDMwMzJQQ0xEMDUwor7z/ZaxHhw2k51d0lFDXxfxPESmOIySor7z/ZaxHhw2k51d0lFDXxfxPESmOIyS'
from Squid
ntlmssp: bad ascii: ffffffa2
2013/04/22 16:50:13 kid1| WARNING: ntlmauthenticator #1 exited
2013/04/22 16:50:13 kid1| Too few ntlmauthenticator processes are
running (need 1/10)
2013/04/22 16:50:13 kid1| Starting new helpers
2013/04/22 16:50:13 kid1| helperOpenServers: Starting 1/10
'ntlm_smb_lm_auth' processes
2013/04/22 16:50:13 kid1| ERROR: NTLM Authentication Helper
'0x9f2f478' crashed!.
2013/04/22 16:50:13 kid1| ERROR: NTLM Authentication validating user.
Error returned 'BH Internal error'
ntlm_smb_lm_auth.cc(384): pid=11667 :Adding domain-controller dom1/srv1
ntlm_smb_lm_auth.cc(384): pid=11667 :Adding domain-controller dom2/srv2
ntlm_smb_lm_auth.cc(640): pid=11667 :options processed OK
ntlm_smb_lm_auth.cc(482): pid=11663 :managing request
ntlm_smb_lm_auth.cc(488): pid=11663 :ntlm authenticator. Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from Squid
ntlm_smb_lm_auth.cc(438): pid=11663 :obtain_challenge: selecting
DOM1\SRV1 (attempt #1)
ntlm_smb_lm_auth.cc(450): pid=11663 :attempting challenge retrieval
ntlm_smb_lm_auth.cc(154): pid=11663 :Connecting to server SRV1 domain DOM1
ntlm_smb_lm_auth.cc(452): pid=11663 :make_challenge retuned 0x80545a0
ntlm_smb_lm_auth.cc(454): pid=11663 :Got it
ntlm_smb_lm_auth.cc(623): pid=11663 :sending 'TT
TlRMTVNTUAACAAAABQAFACgAAACCgkEAYyPYfPYAm3IAAAAAAAAAAExJTkZB' to squid
ntlm_smb_lm_auth.cc(482): pid=11663 :managing request
ntlm_smb_lm_auth.cc(488): pid=11663 :ntlm authenticator. Got 'KK
TlRMTVNTUAADAAAAGAAYAGwAAAAYABgAhAAAAAYABgBYAAAABwAHAF4AAAAHAAcAZQAAAAAAAACcAAAABoIAAgYBsR0AAAAPIp8Zk9ICN8Hw1rL0qdbrHlBPTElUT0QwMDMwMzJQQ0xEMDUwIRuK8hsvU3s5klqASx0ijB7dbIt+CIw+IRuK8hsvU3s5klqASx0ijB7dbIt+CIw+'
from Squid
ntlmssp: bad ascii: 001b
No auth at all. Returning no-auth
ntlm_smb_lm_auth.cc(531): pid=11663 :sending 'NA Logon Failure' to squid

I use Windows 7 with Internet Explorer 9 on the client.
Also, Samba is not installed on my server.
I also attach the Squid configuration for NTLM:

auth_param ntlm program /usr/local/squid/libexec/ntlm_smb_lm_auth -d dom1/srv1 dom2/srv2
auth_param ntlm children 10 startup=2 idle=1
auth_param ntlm keep_alive off

Any suggestions? Help please!

Nick
Received on Tue Apr 23 2013 - 08:12:53 MDT
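
The `KK` lines in the helper log above carry the client's base64 NTLMSSP type 3 (AUTHENTICATE) token. The following is an added example, not part of the original post and not Squid code: it decodes such a token's header so the negotiated string encoding and each field's contents can be inspected when a helper rejects a message. The function names and the sample message are constructed for illustration, and OEM strings are assumed to decode as Latin-1.

```python
import base64
import re
import struct

NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, otherwise OEM
FIELDS = ("lm_response", "nt_response", "domain", "user", "workstation")
KK_RE = re.compile(r"Got 'KK\s+([A-Za-z0-9+/=]+)'")  # token may wrap to next line

def parse_type3(token_b64):
    """Decode an NTLMSSP AUTHENTICATE (type 3) token into its security buffers."""
    raw = base64.b64decode(token_b64)
    if len(raw) < 64 or raw[:8] != b"NTLMSSP\0":
        raise ValueError("not an NTLMSSP message with a full type 3 header")
    if struct.unpack_from("<I", raw, 8)[0] != 3:
        raise ValueError("not a type 3 message")
    flags = struct.unpack_from("<I", raw, 60)[0]
    # Assumption: the client's OEM code page is unknown, so Latin-1 is used.
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    out = {"flags": flags, "encoding": enc}
    for i, name in enumerate(FIELDS):
        length, _alloc, offset = struct.unpack_from("<HHI", raw, 12 + 8 * i)
        if offset + length > len(raw):
            raise ValueError(f"{name} buffer runs past end of message")
        data = raw[offset:offset + length]
        out[name] = data if name.endswith("_response") else data.decode(enc)
    return out

def tokens_in_log(text):
    """Yield parsed type 3 messages found in helper debug output."""
    for match in KK_RE.finditer(text):
        yield parse_type3(match.group(1))

def build_sample(domain, user, host, flags):
    """Constructed test message with dummy 24-byte LM and NT responses."""
    header, payload, offset = b"", b"", 64
    for part in (b"\x11" * 24, b"\x22" * 24, domain, user, host, b""):
        header += struct.pack("<HHI", len(part), len(part), offset)
        payload += part
        offset += len(part)
    raw = struct.pack("<8sI", b"NTLMSSP\0", 3) + header + struct.pack("<I", flags)
    return base64.b64encode(raw + payload).decode()

# Constructed log excerpt in the helper's line format (values are not from the post).
SAMPLE_LOG = ("ntlm_smb_lm_auth.cc(488): pid=1 :ntlm authenticator. Got 'KK\n"
              + build_sample(b"DOM1", b"user1", b"WKS1", 0x00008206) + "'\nfrom Squid\n")

if __name__ == "__main__":
    for msg in tokens_in_log(SAMPLE_LOG):
        print(msg)
```

These tokens contain the real domain, user and workstation names along with the challenge responses, so redact them before pasting helper debug output into a public list.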
