daniel.jarboe@custserv.com
2003-Sep-03 12:35 UTC
[Samba] Samba 3 - ntlm_auth ntlmssp failing
Is /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp supposed to be working at this stage of samba 3? With RH EL3 beta (taroon) which comes with samba-3.0.0-3rc1.3E packages (and squid-2.5.STABLE3-2.3E packages), the /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic helper works great but /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp always fails (NTLMSSP NT_STATUS_ACCESS_DENIED).

This is with an NT domain controller. We're running samba 2.2.8a everywhere else; this is our first jump to 3.0. Only winbindd is running, not samba.

Here is the smb.conf:

[global]
    workgroup = TCS_MAIN_DOM
    netbios name = LINBETA
    server string = Samba Server on LINBETA
    interfaces = eth0 127.0.0.1/24
    bind interfaces only = yes
    security = DOMAIN
    encrypt passwords = Yes
    password server = tcs_main_pdc
    username map = /etc/samba/smbusers
    log level = 1
    log file = /var/log/samba/%m.log
    mangling method = hash2
    preferred master = No
    domain master = No
    dns proxy = No
    wins server = tcs_main_pdc
    kernel oplocks = No
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    blocking locks = No
    locking = No
    oplocks = No
    level2 oplocks = No
    guest account = nobody
    load printers = no

Here is a squid/ntlm_auth log of the transaction. Should I file a bug report or is there some setting that needs to be made on the PDC?
-----------------------------------------------------------------------
This message is the property of Time Inc. or its affiliates. It may be legally privileged and/or confidential and is intended only for the use of the addressee(s). No addressee should forward, print, copy, or otherwise reproduce this message in any manner that would allow it to be viewed by any individual not originally listed as a recipient. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized disclosure, dissemination, distribution, copying or the taking of any action in reliance on the information herein is strictly prohibited. If you have received this communication in error, please immediately notify the sender and delete this message. Thank you.
On Wed, 3 Sep 2003 daniel.jarboe@custserv.com wrote:
> Is /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp supposed to be
> working at this stage of samba 3? With RH EL3 beta (taroon) which comes

It should. File a bug if it is not and assign it to abartlet@samba.org

cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"You can never go home again, Oatman, but I guess you can shop there."
--John Cusack - "Grosse Point Blank" (1997)
daniel.jarboe@custserv.com
2003-Sep-05 11:42 UTC
[Samba] Samba 3 - ntlm_auth ntlmssp failing
Andrew said it wasn't well documented yet, but the winbindd_privileged pipe needed to be readable by squid. Chgrp'ing the winbindd_privileged directory (it was chmodded 750) to the squid group solved my problem; it's now working great.

~ Daniel
daniel.jarboe@custserv.com
2003-Sep-05 13:03 UTC
[Samba] Samba 3 - ntlm_auth ntlmssp failing
I did not find that that was the case. On the taroon beta (RH EL AS 3 beta) anyway, service winbind stop and start did not affect ownership of /var/cache/samba/winbindd_privileged.

~ Daniel

On Friday, September 05, 2003 8:45 AM Guenther Deschner wrote:
> unfortunately the new group-ownership will be lost again, as soon as you
> restart winbindd. for me only adding a posix-acl for "squid" was a
> long-term-solution. maybe this should be written down somewhere, too...
hi daniel,

On Fri, Sep 05, 2003 at 09:03:11AM -0400, daniel.jarboe@custserv.com wrote:
> I did not find that that was the case. On the taroon beta (RH EL AS 3
> beta) anyway, service winbind stop and start did not affect ownership of
> /var/cache/samba/winbindd_privileged.

absolutely right. i could have sworn that this was the case once. now it preserves group_ownership fine. maybe this behaviour has been changed during one of the betas.

thanks for clarifying,
guenther

--
Guenther Deschner guenther.deschner@suse.de
SuSE Linux AG GnuPG: 8EE11688
Berliner Str. 27 phone: +49 (0) 30 / 430944778
D-13507 Berlin fax: +49 (0) 30 / 43732804
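The permission question this thread settles (can the squid account reach the winbindd_privileged directory, and is the directory still closed to everyone else), as an added example that is not part of any poster's message or of Samba itself. The helper name `check_priv_dir` is hypothetical, GNU `stat` is assumed, POSIX ACL entries are not evaluated, and treating access for "other" as a finding is this example's own assumption.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an account can reach
# the directory holding winbindd's privileged pipe. Requires GNU stat and id.
# check_priv_dir is a hypothetical helper name. POSIX ACL entries are not read.
#
# Usage: check_priv_dir /var/cache/samba/winbindd_privileged squid
# Returns 0 = account can enter and "other" cannot, 1 = account locked out,
#         2 = directory open to every local user, 3 = directory missing.
check_priv_dir() {
    dir=$1 user=$2
    [ -d "$dir" ] || { echo "MISSING $dir"; return 3; }

    # Owner, group and octal mode, e.g. "root squid 750".
    set -- $(stat -c '%U %G %a' "$dir")
    owner=$1 group=$2 mode=$3

    # Split the last three octal digits into owner/group/other classes.
    u=$(( mode / 100 % 10 ))
    g=$(( mode / 10 % 10 ))
    o=$(( mode % 10 ))

    # Unix applies exactly one class: owner first, then group, then other.
    if [ "$user" = "$owner" ]; then
        class=owner bits=$u
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$group"; then
        class=group bits=$g
    else
        class=other bits=$o
    fi

    # Assumption of this example: search permission for "other" on a
    # directory named "privileged" is a finding in its own right.
    if [ $(( o & 1 )) -ne 0 ]; then
        echo "OPEN $dir mode=$mode: every local account can reach the pipe"
        return 2
    fi
    # The search (x) bit is what lets a process reach a socket inside.
    if [ $(( bits & 1 )) -eq 0 ]; then
        echo "DENIED $user ($class class) mode=$mode owner=$owner group=$group"
        return 1
    fi
    echo "OK $user ($class class) mode=$mode owner=$owner group=$group"
    return 0
}
```

Running it again after a winbindd restart shows whether the group ownership survived, which is the point the last two messages disagree on and then resolve.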