$ /usr/bin/ntlm_auth --helper-protocol ntlmssp-client-1 --use-cached-creds --username dwoodhou TT Got 'TT' from squid (length: 2). got NTLMSSP packet: YR TlRMTVNTUAABAAAABYIIYAMAAwAgAAAADgAOACMAAABHRVJEV09PREhPVS1NT0JMNQ== NTLMSSP challenge TT TlRMTVNTUAACAAAABgAGADgAAAAFgoliDM4EybrHiSMAAAAAAAAAALQAtAA+AAAABQLODgAAAA9BAE0AUgACAAYAQQBNAFIAAQAYAEYATQBTAEUAUwBQAFIAQQBVAFAAMAAxAAQAJABhAG0AcgAuAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQADAD4AZgBtAHMAZQBzAHAAcgBhAHUAcAAwADEALgBhAG0AcgAuAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQAFABwAYwBvAHIAcAAuAGkAbgB0AGUAbAAuAGMAbwBtAAAAAAA= Got 'TT TlRMTVNTUAACAAAABgAGADgAAAAFgoliDM4EybrHiSMAAAAAAAAAALQAtAA+AAAABQLODgAAAA9BAE0AUgACAAYAQQBNAFIAAQAYAEYATQBTAEUAUwBQAFIAQQBVAFAAMAAxAAQAJABhAG0AcgAuAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQADAD4AZgBtAHMAZQBzAHAAcgBhAHUAcAAwADEALgBhAG0AcgAuAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQAFABwAYwBvAHIAcAAuAGkAbgB0AGUAbAAuAGMAbwBtAAAAAAA=' from squid (length: 327). got NTLMSSP packet: KK TlRMTVNTUAADAAAAGAAYAEAAAADgAOAAWAAAAAYABgA4AQAAEAAQAD4BAAAcABwATgEAABAAEABqAQAABYIIYJMrcP29otqNLh93bugxB1E7LhgJI/qHkL6GJgz5MZLHxm3aqekoYDgBAQAAAAAAAACl39QK0M4BJl88dIzDmasAAAAAAgAGAEEATQBSAAEAGABGAE0AUwBFAFMAUABSAEEAVQBQADAAMQAEACQAYQBtAHIALgBjAG8AcgBwAC4AaQBuAHQAZQBsAC4AYwBvAG0AAwA+AGYAbQBzAGUAcwBwAHIAYQB1AHAAMAAxAC4AYQBtAHIALgBjAG8AcgBwAC4AaQBuAHQAZQBsAC4AYwBvAG0ABQAcAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQAAAAAARwBFAFIAZAB3AG8AbwBkAGgAbwB1AEQAVwBPAE8ARABIAE8AVQAtAE0ATwBCAEwANQBP+ndpb7r4eN4Nf7DIjXXG NTLMSSP challenge GK Got 'GK' from squid (length: 2). Requested session key BH
But if I continue after that, and try again, it works... NTLMSSP challenge TT Got 'TT' from squid (length: 2). got NTLMSSP packet: BH NT_STATUS_UNSUCCESSFUL NTLMSSP BH: NT_STATUS_UNSUCCESSFUL TT Got 'TT' from squid (length: 2). got NTLMSSP packet: KK TlRMTVNTUAABAAAABYIIYAMAAwAgAAAADgAOACMAAABHRVJEV09PREhPVS1NT0JMNQ== NTLMSSP challenge TT TlRMTVNTUAACAAAABgAGADgAAAAFgoliDM4EybrHiSMAAAAAAAAAALQAtAA+AAAABQLODgAAAA9BAE0AUgACAAYAQQBNAFIAAQAYAEYATQBTAEUAUwBQAFIAQQBVAFAAMAAxAAQAJABhAG0AcgAuAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQADAD4AZgBtAHMAZQBzAHAAcgBhAHUAcAAwADEALgBhAG0AcgAuAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQAFABwAYwBvAHIAcAAuAGkAbgB0AGUAbAAuAGMAbwBtAAAAAAA= Got 'TT TlRMTVNTUAACAAAABgAGADgAAAAFgoliDM4EybrHiSMAAAAAAAAAALQAtAA+AAAABQLODgAAAA9BAE0AUgACAAYAQQBNAFIAAQAYAEYATQBTAEUAUwBQAFIAQQBVAFAAMAAxAAQAJABhAG0AcgAuAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQADAD4AZgBtAHMAZQBzAHAAcgBhAHUAcAAwADEALgBhAG0AcgAuAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQAFABwAYwBvAHIAcAAuAGkAbgB0AGUAbAAuAGMAbwBtAAAAAAA=' from squid (length: 327). got NTLMSSP packet: AF TlRMTVNTUAADAAAAAAAAAEAAAAAAAAAAQAAAAAYABgBAAAAAEAAQAEYAAAAcABwAVgAAABAAEAByAAAABYIAYEcARQBSAGQAdwBvAG8AZABoAG8AdQBEAFcATwBPAEQASABPAFUALQBNAE8AQgBMADUAJ+0nfBsXNMHVbD7DtLCy0w== NTLMSSP OK! GK Got 'GK' from squid (length: 2). Requested session key GK G+XN+0TY2C8vusRAc2KCAg==
This got fixed in Samba 4.3.8 (and thus things like Pidgin-SIPE and GSS-NTLMSSP now work nicely). However, it broke Firefox because it didn't expect to see 'AF'. It was *only* accepting the incorrect 'KK' response. It's trivial to fix in Firefox, and I haven't seen anything else that gets it wrong yet. Most things will accept either KK or AF. https://bugzilla.mozilla.org/show_bug.cgi?id=1270046 and https://bugzilla.redhat.com/show_bug.cgi?id=1332875