Re: [squid-users] The Famous "NTLMSSP command 3, expected 1"

From: Go Wow <gowows_at_gmail.com>
Date: Tue, 19 Apr 2011 17:20:49 +0400

I'm a complete noob at this. How do I set the setting below?

Ensure that persistent connections are ON to clients (default in 3.1).
That will have the biggest impact.

On 19 April 2011 17:17, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 20/04/11 01:04, Go Wow wrote:
>>
>> I have seen that increasing the number of auth children decreases the
>> errors in cache.log. What is the optimal number of children that we
>> should use, supposing Squid is serving 500 users?
>>
>> I will try your suggestions and inform you.
>>
>
> Hmm, that sounds like it may actually be NTLM, but failing some other way.
>
> Number of auth children has a max of 256 connections to the DC. Each child
> will consume one.
>  If you have much RAM used by Squid there are also sometimes limits to how
> many children it can spawn/fork before you get out-of-memory problems.
>
> Ensure that persistent connections are ON to clients (default in 3.1). That
> will have the biggest impact.
>
>>
>> Regards
>>
>> On 19 April 2011 16:50, Amos Jeffries wrote:
>>>
>>> On 19/04/11 23:54, Go Wow wrote:
>>>>
>>>> Hi,
>>>>
>>>> I meant 3.1.11
>>>>
>>>> How do I check which user-agent is giving this issue? As I said, 70% of
>>>> people here use IE (different versions): some use IE 8, IE 7 and IE 6.
>>>> 20-25% use Firefox 3.6 or Firefox 4, and the rest use Google Chrome.
>>>
>>> It may be in your logs as a client which gets a lot of NTLM denials.
>>>
>>> If not, adding a log to record which agents are failing is easy:
>>>
>>>  logformat agentTokens %{Proxy-Authorization}>h "%{User-Agent}>h"
>>>
>>> (mind the wrap that is one line)
>>>
>>>  acl failedAuth http_status 407
>>>  access_log /some/file.log agentTokens failedAuth
>>>
>>> This logs the auth tokens and user-agents sending them. One of the tokens
>>> should appear in cache.log next to the error message.
>>>
>>>>
>>>> Can you please point me to some doc on using that negotiate wrapper? I
>>>> tried squid_kerb_auth and failed miserably, and I'm not planning to go
>>>> near it until my Squid is stable.
>>>>
>>>> I have made a GPO for all users to use NTLM as the preferred auth method;
>>>> let's see if that makes a difference. I did it by setting
>>>> "LmCompatibilityLevel" to "1" in the registry.
>>>
>>> "1" is not a good value for that. Probably "4" is what you need. "5" if
>>> possible.
>>>
>>> see this for what each level apparently means:
>>>
>>>
>>> http://technet.microsoft.com/en-nz/magazine/2006.08.securitywatch%28en-us%29.aspx
>>>
>>> It seems to be an old article, so things may have changed a little. I'm
>>> not sure how Kerberos integrates with those, for example in IE 7/8.
>>>
>>>>
>>>> Cheers
>>>>
>>>> On 19 April 2011 14:08, Amos Jeffries wrote:
>>>>>
>>>>> On 19/04/11 20:09, Go Wow wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I use NTLM to authenticate my AD users with Squid 3.11. My cache logs
>>>>>
>>>>> You mean 3.1.1? we are only up to 3.2 series so far.
>>>>>
>>>>>> have these entries at random times. I know that the client is sending
>>>>>> a kerberos reply instead of NTLM auth. I want to know whether
>>>>>> something can be done about this or not.
>>>>>>
>>>>>> libsmb/ntlmssp.c:335(ntlmssp_update)  got NTLMSSP command 3, expected
>>>>>> 1
>>>>>>
>>>>>> I tried moving to Kerberos but it didn't work for me. My client environment
>>>>>> is IE 8, Chrome and Firefox 3.6 or 4.
>>>>>
>>>>> For the record, which User-Agent is broken and sending Kerberos when
>>>>> offered NTLM? And are you offering Negotiate?
>>>>>
>>>>> The new negotiate_wrapper helper from Markus Moeller may help. We have
>>>>> tested it for use in "auth_param negotiate", but I'm not sure of the
>>>>> effect if it's used in "auth_param ntlm".
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.12
>  Beta testers wanted for 3.2.0.7 and 3.1.12.1
>
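The thread leaves two practical questions open: which user-agents trigger the "got NTLMSSP command 3, expected 1" error, and whether the clients really send a Kerberos token where NTLM was offered. The logformat suggested above captures the raw proxy-auth token next to the User-Agent for every 407 reply; the script below is an added example (not from the thread, and not part of the Squid project) that parses such lines, decodes the NTLMSSP message type, pulls domain, user and workstation out of type 3 (AUTHENTICATE) messages, and tells raw NTLMSSP apart from SPNEGO/Kerberos GSS-API blobs, whatever scheme name the client put in front of the token. It assumes the log line is the request's Proxy-Authorization header followed by the quoted User-Agent, as that logformat would produce; the sample tokens, user-agent strings and domain/user names are all constructed for the example.

```python
"""Classify Proxy-Authorization tokens recorded by the thread's access_log recipe. Added
example, not code from the thread or Squid; assumes lines '<scheme> <b64-token> "<agent>"'
(or '- "<agent>"' with no token) as the suggested logformat writes them for 407 replies."""
import base64
import re
import struct
from collections import Counter

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2
LINE_RE = re.compile(r'^(?P<scheme>\S+)(?:\s+(?P<token>\S+))?\s+"(?P<agent>.*)"$')

def parse_ntlm_token(raw):
    """Describe an NTLMSSP message (None if raw is not one); a type 3 also yields who sent it."""
    if not raw.startswith(NTLMSSP_SIGNATURE) or len(raw) < 12:
        return None
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"kind": "ntlmssp", "type": msg_type, "name": NTLM_TYPE_NAMES.get(msg_type, "UNKNOWN")}
    if msg_type == 3 and len(raw) >= 64:
        # Type 3 header: LmResp@12 NtResp@20 Domain@28 User@36 Workstation@44 SessionKey@52
        # Flags@60; every field descriptor is Len(2) MaxLen(2) BufferOffset(4), little-endian.
        flags = struct.unpack_from("<I", raw, 60)[0]
        enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
        for key, off in (("domain", 28), ("user", 36), ("workstation", 44)):
            length, _maxlen, start = struct.unpack_from("<HHI", raw, off)
            info[key] = raw[start:start + length].decode(enc, errors="replace")
    return info

def classify_token(scheme, token_b64):
    """Tell raw NTLMSSP apart from GSS-API/SPNEGO blobs, whatever scheme name the client used."""
    if scheme == "-" or token_b64 is None:
        return {"kind": "none"}
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:
        return {"kind": "undecodable"}
    if raw.startswith(NTLMSSP_SIGNATURE):
        return parse_ntlm_token(raw) or {"kind": "undecodable"}
    if raw[:1] == b"\x60":   # GSS-API InitialContextToken: SPNEGO NegTokenInit or bare Kerberos
        return {"kind": "gssapi", "subtype": "spnego" if SPNEGO_OID in raw else "kerberos" if KRB5_OID in raw else "unknown"}
    if raw[:1] == b"\xa1":   # SPNEGO NegTokenResp
        return {"kind": "gssapi", "subtype": "spnego-response"}
    return {"kind": "other"}

def parse_log(lines):
    for m in filter(None, (LINE_RE.match(line.rstrip("\n")) for line in lines)):
        info = classify_token(m["scheme"], m["token"])
        info.update(scheme=m["scheme"], agent=m["agent"])
        yield info

def summarize(lines):
    """Count (user-agent, what the client sent) pairs over a 407-only log."""
    counts = Counter()
    for e in parse_log(lines):
        if e["kind"] == "ntlmssp":
            label = f"{e['scheme']} NTLMSSP {e['name']}"
        elif e["kind"] == "gssapi":
            label = f"{e['scheme']} GSS-API {e['subtype']}"
        else:
            label = e["kind"]
        counts[(e["agent"], label)] += 1
    return counts

def broken_handshakes(lines):
    """A 407 answering a type 1 is the normal first round trip; a 407 answering a type 3 means
    the handshake failed: bad credentials, or the helper saw the type 3 on a connection with
    no challenge outstanding, which is the 'got NTLMSSP command 3, expected 1' case."""
    return [(e["agent"], e.get("domain"), e.get("user"), e.get("workstation"))
            for e in parse_log(lines) if e["kind"] == "ntlmssp" and e["type"] == 3]

# Constructed sample tokens and log lines (not captured from real clients).
def build_type1(flags=0xE2088297):
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags) + b"\x00" * 16

def build_type3(domain, user, workstation):
    items = [b"\x00" * 24, b"\x00" * 24, domain.encode("utf-16-le"),         # dummy LM/NT responses
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]  # empty session key
    fields, payload = b"", b""
    for item in items:                       # payload is laid out right after the 64-byte header
        fields += struct.pack("<HHI", len(item), len(item), 64 + len(payload))
        payload += item
    return NTLMSSP_SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + payload

def b64(raw):
    return base64.b64encode(raw).decode("ascii")

SPNEGO_SAMPLE = b"\x60\x08" + SPNEGO_OID     # truncated NegTokenInit, enough to classify
IE8, IE6 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
FF4, FF36 = "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0", "Mozilla/5.0 (X11; Linux i686; rv:1.9.2) Gecko/20100101 Firefox/3.6"
CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.16 Chrome/10.0.648.204"
SAMPLE_LOG = [
    f'- "{FF36}"',                                                      # first 407, no token yet
    f'NTLM {b64(build_type1())} "{IE8}"',                               # normal NTLM step 1
    f'NTLM {b64(build_type3("CORP", "alice", "WS01"))} "{IE6}"',        # type 3 answered with 407
    f'Negotiate {b64(SPNEGO_SAMPLE)} "{FF4}"',                          # a genuine SPNEGO/Kerberos attempt
    f'Negotiate {b64(build_type3("CORP", "bob", "WS02"))} "{CHROME}"',  # Negotiate carrying raw NTLMSSP
]

if __name__ == "__main__":
    for (agent, label), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {label:32s}  {agent}")
```

Feed the real 407-only log to summarize() and broken_handshakes() instead of SAMPLE_LOG. A type 1 per 407 is the normal first round trip, so those rows are noise; a type 3 answered with a 407 names the domain, user and workstation whose handshake broke, and a GSS-API blob under the NTLM scheme (or the reverse, NTLMSSP under Negotiate, as the constructed Chrome line shows) is the evidence needed before concluding that a browser "sends Kerberos instead of NTLM".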
Received on Tue Apr 19 2011 - 13:20:56 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 19 2011 - 12:00:04 MDT