daniel.jarboe@custserv.com
2003-Sep-03 12:35 UTC
[Samba] Samba 3 - ntlm_auth ntlmssp failing
Is /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp supposed to be working at this stage of samba 3? With RH EL3 beta (taroon) which comes with samba-3.0.0-3rc1.3E packages (and squid-2.5.STABLE3-2.3E packages), the /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic helper works great but /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp always fails (NTLMSSP NT_STATUS_ACCESS_DENIED). This is with an NT domain controller. We're running samba 2.2.8a everywhere else, this is first jump to 3.0. Only winbindd is running, not samba. Here is the smb.conf: [global] workgroup = TCS_MAIN_DOM netbios name = LINBETA server string = Samba Server on LINBETA interfaces = eth0 127.0.0.1/24 bind interfaces only = yes security = DOMAIN encrypt passwords = Yes password server = tcs_main_pdc username map = /etc/samba/smbusers log level = 1 log file = /var/log/samba/%m.log mangling method = hash2 preferred master = No domain master = No dns proxy = No wins server = tcs_main_pdc kernel oplocks = No winbind uid = 10000-20000 winbind gid = 10000-20000 winbind use default domain = yes winbind enum users = yes winbind enum groups = yes blocking locks = No locking = No oplocks = No level2 oplocks = No guest account = nobody load printers = no Here is a squid/ntlm_auth log of the transaction. Should I file a bug report or is there some setting that needs to be made on the PDC? 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '(nil)'. 2003/09/03 08:15:40| authenticateValidateUser: Auth_user_request was NULL! 2003/09/03 08:15:40| authenticateFixHeader: headertype:34 authuser:(nil) 2003/09/03 08:15:40| authenticateNTLMFixErrorHeader: Sending type:34 header: 'NTLM' 2003/09/03 08:15:40| authenticateFixErrorHeader: Sending type:34 header: 'Basic realm="Proxy"' 2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8' now at '1'. 2003/09/03 08:15:40| authenticateDecodeAuth: header = 'NTLM TlRMTVNTUAABAAAAB7IAoAwADAAoAAAACAAIACAAAABCQzAwNjc4NFRDU19NQUlOX0RPTX=' 2003/09/03 08:15:40| authenticateAuthUserLock auth_user '0x559ba5c0'. 2003/09/03 08:15:40| authenticateAuthUserLock auth_user '0x559ba5c0' now at '1'. 2003/09/03 08:15:40| authenticateDecodeNTLMAuth: NTLM authentication 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| User not fully authenticated. 2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: auth state ntlm none. NTLM TlRMTVNTUAABAAAAB7IAoAwADAAoAAAACAAIACAAAABCQzAwNjc4NFRDU19NQUlOX0RPTX=2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: Locking auth_user from the connection. 2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8' now at '2'. 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| User not fully authenticated. 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateStart: auth_user_request '0x559ba5a8' 2003/09/03 08:15:40| authenticateNTLMStart: auth state '1' 2003/09/03 08:15:40| authenticateNTLMStart: state '1' 2003/09/03 08:15:40| authenticateNTLMStart: 'TlRMTVNTUAABAAAAB7IAoAwADAAoAAAACAAIACAAAABCQzAwNjc4NFRDU19NQUlOX0RPTX=' 2003/09/03 08:15:40| authenticateNTLMHelperServerAvailable: not starving - returning 1 2003/09/03 08:15:40| authenticateNTLMChangeChallenge_p: first use 2003/09/03 08:15:40| authenticateNTLMStart: helper '0x557d9470' assigned 2003/09/03 08:15:40| authenticateNTLMValidChallenge: Challenge is Invalid [2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_request(1061) Got 'YR' from squid (length: 2). [2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(312) got NTLMSSP packet: [2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(322) NTLMSSP challenge 2003/09/03 08:15:40| authenticateNTLMHandleReply: Helper: '0x557d9470' {TT TlRMTVNTUAACAAAAAAAAADAAAAACAgAgJt9X786e84sAAAAAAAAAAAAAAAAwAAAA} 2003/09/03 08:15:40| authenticateNTLMHandleReply: helper '0x557d9470' 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| User not fully authenticated. 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| User not fully authenticated. 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| User not fully authenticated. 2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8' now at '3'. 2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request '0x559ba5a8' now at '2'. 2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8' now at '3'. 2003/09/03 08:15:40| authenticateFixHeader: headertype:34 authuser:0x559ba5a8 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| User not fully authenticated. 2003/09/03 08:15:40| authenticateNTLMFixErrorHeader: Sending type:34 header: 'NTLM TlRMTVNTUAACAAAAAAAAADAAAAACAgAgJt9X786e84sAAAAAAAAAAAAAAAAwAAAA' 2003/09/03 08:15:40| authenticateFixHeader: headertype:34 authuser:0x559ba5a8 2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request '0x559ba5a8' now at '2'. 2003/09/03 08:15:40| NTLM HandleReply, telling stateful helper : 3 2003/09/03 08:15:40| authenticateNTLMHelperServerAvailable: not starving - returning 1 2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request '0x559ba5a8' now at '1'. 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| User not fully authenticated. 2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8' now at '2'. 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| User not fully authenticated. 2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: auth state challenge with header NTLM TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==. 2003/09/03 08:15:40| aclMatchProxyAuth: cache lookup with key 'NTLM TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==TlRMTVNTUAACAAAAAAAAADAAAAAC AgAgJt9X786e84sAAAAAAAAAAAAAAAAwAAAA' 2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: proxy-auth cache miss. 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| User not fully authenticated. 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateStart: auth_user_request '0x559ba5a8' 2003/09/03 08:15:40| authenticateNTLMStart: auth state '3' 2003/09/03 08:15:40| authenticateNTLMStart: Asking NTLMauthenticator '0x557d9470'. 2003/09/03 08:15:40| authenticateNTLMStart: state '3' 2003/09/03 08:15:40| authenticateNTLMStart: 'TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAA AAACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21 hZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==' 2003/09/03 08:15:40| authenticateNTLMstart: finished [2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_request(1061) Got 'KK TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==' from squid (length: 191). [2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(312) got NTLMSSP packet: [2003/09/03 08:15:40, 10] lib/util.c:dump_data(1887) [000] 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 NTLMSSP. ........ [010] 5B 00 00 00 18 00 18 00 73 00 00 00 0C 00 0C 00 [....... s....... [020] 40 00 00 00 07 00 07 00 4C 00 00 00 08 00 08 00 @....... L....... [030] 53 00 00 00 00 00 00 00 8B 00 00 00 06 02 00 20 S....... ....... [040] 54 43 53 5F 4D 41 49 4E 5F 44 4F 4D 4A 41 52 42 TCS_MAIN _DOMJARB [050] 4F 45 44 42 43 30 30 36 37 38 34 E3 7C 12 81 3B OEDBC006 784.|..; [060] 7C CB 13 EA 3B E6 2C 4E 28 FF 6D 61 66 47 08 6A |...;.,N (.mafG.j [070] 26 F2 9C B0 97 14 B1 F2 F2 BB 62 F4 E0 D8 E2 6F &....... ..b....o [080] 5A BC F5 94 2F 37 FB 47 9C 81 CF 00 Z.../7.G .... [2003/09/03 08:15:40, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(292) Got user=[JARBOED] domain=[TCS_MAIN_DOM] workstation=[BC006784] len1=24 len2=24 [2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(325) NTLMSSP NT_STATUS_ACCESS_DENIED 2003/09/03 08:15:40| authenticateNTLMHandleReply: Helper: '0x557d9470' {NA NT_STATUS_ACCESS_DENIED} 2003/09/03 08:15:40| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'NA NT_STATUS_ACCESS_DENIED' 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| User not fully authenticated. 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| User not fully authenticated. 2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: auth state ntlm failed. NTLM TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw=2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| User not fully authenticated. 2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request '0x559ba5a8' now at '1'. 2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8' now at '2'. 2003/09/03 08:15:40| authenticateFixHeader: headertype:34 authuser:0x559ba5a8 2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| User not fully authenticated. 2003/09/03 08:15:40| authenticateNTLMFixErrorHeader: Sending type:34 header: 'NTLM' 2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request '0x559ba5a8' now at '1'. 2003/09/03 08:15:40| NTLM HandleReply, telling stateful helper : 2 2003/09/03 08:15:40| authenticateNTLMHelperServerAvailable: not starving - returning 1 2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request '0x559ba5a8'. 2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request '0x559ba5a8' now at '0'. 2003/09/03 08:15:40| authenticateAuthUserRequestFree: freeing request 0x559ba5a8 2003/09/03 08:15:40| authenticateAuthUserUnlock auth_user '0x559ba5c0'. 2003/09/03 08:15:40| authenticateAuthUserUnlock auth_user '0x559ba5c0' now at '0'. 2003/09/03 08:15:40| authenticateFreeProxyAuthUser: Freeing auth_user '0x559ba5c0' with refcount '0'. 2003/09/03 08:15:40| authenticateNTLMFreeUser: Clearing NTLM scheme data ----------------------------------------------------------------------- This message is the property of Time Inc. or its affiliates. It may be legally privileged and/or confidential and is intended only for the use of the addressee(s). No addressee should forward, print, copy, or otherwise reproduce this message in any manner that would allow it to be viewed by any individual not originally listed as a recipient. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized disclosure, dissemination, distribution, copying or the taking of any action in reliance on the information herein is strictly prohibited. If you have received this communication in error, please immediately notify the sender and delete this message. Thank you.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 3 Sep 2003 daniel.jarboe@custserv.com wrote:> Is /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp supposed to be > working at this stage of samba 3? With RH EL3 beta (taroon) which comesIt should. File a bug if it is not and assign it abartlet@samba.org cheers, jerry ---------------------------------------------------------------------- Hewlett-Packard ------------------------- http://www.hp.com SAMBA Team ---------------------- http://www.samba.org GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc "You can never go home again, Oatman, but I guess you can shop there." --John Cusack - "Grosse Point Blank" (1997) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: For info see http://quantumlab.net/pine_privacy_guard/ iD8DBQE/V52UIR7qMdg1EfYRAlqcAKDsshRZqOEWCHrhT/mjtAMzAO20+QCgn/Cc S9e5Ou0vj/94on6E4GkMmQI=RWy+ -----END PGP SIGNATURE-----
daniel.jarboe@custserv.com
2003-Sep-05 11:42 UTC
[Samba] Samba 3 - ntlm_auth ntlmssp failing
Andrew said it wasn't well documented yet, but the winbindd_priveledged pipe needed to be readable by squid. Chgrp'ing the winbindd_priveledged directory (it was chmodded 750) to the squid group solved my problem, it's now working great. ~ Daniel ----------------------------------------------------------------------- This message is the property of Time Inc. or its affiliates. It may be legally privileged and/or confidential and is intended only for the use of the addressee(s). No addressee should forward, print, copy, or otherwise reproduce this message in any manner that would allow it to be viewed by any individual not originally listed as a recipient. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized disclosure, dissemination, distribution, copying or the taking of any action in reliance on the information herein is strictly prohibited. If you have received this communication in error, please immediately notify the sender and delete this message. Thank you.
daniel.jarboe@custserv.com
2003-Sep-05 13:03 UTC
[Samba] Samba 3 - ntlm_auth ntlmssp failing
I did not find that that was the case. On the taroon beta (RH EL AS 3 beta) anyway, service winbind stop and start did not affect ownership of /var/cache/samba/winbindd_privileged. ~ Daniel On Friday, September 05, 2003 8:45 AM Guenther Deschner wrote:> > unfortunatly the new group-ownership will be lost again, as > soon as you > restart winbindd. for me only adding a posix-acl for "squid" was a > long-term-solution. maybe this should be written down > somewhere, too...----------------------------------------------------------------------- This message is the property of Time Inc. or its affiliates. It may be legally privileged and/or confidential and is intended only for the use of the addressee(s). No addressee should forward, print, copy, or otherwise reproduce this message in any manner that would allow it to be viewed by any individual not originally listed as a recipient. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized disclosure, dissemination, distribution, copying or the taking of any action in reliance on the information herein is strictly prohibited. If you have received this communication in error, please immediately notify the sender and delete this message. Thank you.
hi daniel, On Fri, Sep 05, 2003 at 09:03:11AM -0400, daniel.jarboe@custserv.com wrote:> I did not find that that was the case. On the taroon beta (RH EL AS 3 > beta) anyway, service winbind stop and start did not affect ownership of > /var/cache/samba/winbindd_privileged.absolutely right. i could have swared that this was the case once. now it preserves group_ownership fine. maybe this behaviour has been changed during one of the betas. thanks for clarifying, guenther -- Guenther Deschner guenther.deschner@suse.de SuSE Linux AG GnuPG: 8EE11688 Berliner Str. 27 phone: +49 (0) 30 / 430944778 D-13507 Berlin fax: +49 (0) 30 / 43732804 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://lists.samba.org/archive/samba/attachments/20030905/19b67003/attachment.bin
Seemingly Similar Threads
- [newbie] SQUID/SAMBA problems with NTLM_Auth
- AUTH_USER variable has invalid value in checkpassword Script
- Bug in icecast 2.3.2 (not in stable release but a little later and in trunk) : Null pointer in auth_remove_listener
- configuration user= or auth_user=
- question on autch cache parameters