Lombardo Federico
2003-Nov-11 13:58 UTC
[Samba] ntlm_auth and squid authentication problems
Hi all,

I have a little problem using ntlm_auth with squid.

Scenario: Redhat 9, Samba 3 compiled, squid-2.5 compiled.

smb.conf:

[global]
encrypt passwords = Yes
winbind separator = \
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/bash
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
workgroup = GRANDI_STAZIONI
server string = venere
netbios name = venere
security = ads
log file = /var/log/samba/log.%m
max log size = 50
password server = MASTER BDC
realm = GSTAZIONI.IT
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 192.168.5.1 192.168.0.1
wins proxy = yes
dns proxy = yes

Samba is correctly configured into the domain.

Now I take a simple user... called "user" with password "password"... what a fantasy, I'm smart, ah!? :-)

So, go on. I try to authenticate it with wbinfo:

[root@Squid root]# wbinfo -a user%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

So go on, and try to authenticate it with ntlm_auth:

[root@Squid root]# /usr/squid/libexec/ntlm_auth --username=user --nt-response
password:
NT_STATUS_OK: Success (0x0)

Then I configure my squid to work with ntlm_auth, so squid.conf will be:

auth_param ntlm program /usr/squid/libexec/ntlm_auth --debug-level=10 --helper-protocol=squid-2.5-ntlmssp --nt-response
auth_param ntlm children 40
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/squid/libexec/ntlm_auth --debug-level=10 --helper-protocol=squid-2.5-basic --nt-response
auth_param basic children 40
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Ok? That's ok.

Then I open my IE6, latest patchlevel, tried on win2k, win2003 and XP, and when I ask for a site I receive this in squid's cache.log:

[2003/11/11 14:52:02, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'KK TlRMTVNTUAADAAAAGAAYAGIAAAAYABgAegAAAA8ADwBIAAAABAAEAFcAAAAHAAcAWwAAAAAAAACSAAAABgIAIgUCzg4AAAAPR1JBTkRJX1NUQVpJT05JVVNFUkNFUkJFUk8Sh8IeDiFr+fN1aPqFbYp8HMPZCVVtWHOK6pqb0wMyFKr+LB7KIDwbIIJzdVWIUS8=' from squid (length: 199).
[2003/11/11 14:52:02, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/11/11 14:52:02, 10] lib/util.c:dump_data(1825)
  [000] 4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00  NTLMSSP. ........
  [010] 62 00 00 00 18 00 18 00  7A 00 00 00 0F 00 0F 00  b....... z.......
  [020] 48 00 00 00 04 00 04 00  57 00 00 00 07 00 07 00  H....... W.......
  [030] 5B 00 00 00 00 00 00 00  92 00 00 00 06 02 00 22  [....... ......."
  [040] 05 02 CE 0E 00 00 00 0F  47 52 41 4E 44 49 5F 53  ........ GRANDI_S
  [050] 54 41 5A 49 4F 4E 49 55  53 45 52 43 45 52 42 45  TAZIONIU SERCERBE
  [060] 52 4F 12 87 C2 1E 0E 21  6B F9 F3 75 68 FA 85 6D  RO.....! k..uh..m
  [070] 8A 7C 1C C3 D9 09 55 6D  58 73 8A EA 9A 9B D3 03  .|....Um Xs......
  [080] 32 14 AA FE 2C 1E CA 20  3C 1B 20 82 73 75 55 88  2...,..  <. .suU.
  [090] 51 2F 00                                          Q/.
[2003/11/11 14:52:02, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(286)
  Got user=[USER] domain=[GRANDI_STAZIONI] workstation=[CERBERO] len1=24 len2=24
[2003/11/11 14:52:02, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(325)
  NTLMSSP NT_STATUS_ACCESS_DENIED
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'YR' from squid (length: 2).
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(322)
  NTLMSSP challenge
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'KK TlRMTVNTUAADAAAAGAAYAGIAAAAYABgAegAAAA8ADwBIAAAABAAEAFcAAAAHAAcAWwAAAAAAAACSAAAABgIAIgUCzg4AAAAPR1JBTkRJX1NUQVpJT05JVVNFUkNFUkJFUk8eZ4Km4Gp0NNEiDnO2ko2PYaSAVmt1WAEOjvUdTWSakqTyJWkliZaHhljnTdE165I=' from squid (length: 199).
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/11/11 14:52:03, 10] lib/util.c:dump_data(1825)
  [000] 4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00  NTLMSSP. ........
  [010] 62 00 00 00 18 00 18 00  7A 00 00 00 0F 00 0F 00  b....... z.......
  [020] 48 00 00 00 04 00 04 00  57 00 00 00 07 00 07 00  H....... W.......
  [030] 5B 00 00 00 00 00 00 00  92 00 00 00 06 02 00 22  [....... ......."
  [040] 05 02 CE 0E 00 00 00 0F  47 52 41 4E 44 49 5F 53  ........ GRANDI_S
  [050] 54 41 5A 49 4F 4E 49 55  53 45 52 43 45 52 42 45  TAZIONIU SERCERBE
  [060] 52 4F 1E 67 82 A6 E0 6A  74 34 D1 22 0E 73 B6 92  RO.g...j t4.".s..
  [070] 8D 8F 61 A4 80 56 6B 75  58 01 0E 8E F5 1D 4D 64  ..a..Vku X.....Md
  [080] 9A 92 A4 F2 25 69 25 89  96 87 86 58 E7 4D D1 35  ....%i%. ...X.M.5
  [090] EB 92 00                                          ...
[2003/11/11 14:52:03, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(286)
  Got user=[USER] domain=[GRANDI_STAZIONI] workstation=[CERBERO] len1=24 len2=24
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(325)
  NTLMSSP NT_STATUS_ACCESS_DENIED

Please note that these packets are REAL, not changed by me.

User: user
Password: password

Note also that using ntlm_auth with the basic protocol ONLY will make it all work, with cache.log:

[2003/11/11 11:59:06, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'user password' from squid (length: 17).
[2003/11/11 11:59:06, 3] utils/ntlm_auth.c:check_plaintext_auth(172)
  NT_STATUS_OK: Success (0x0)

but I NEED THE NTLM SCHEME, NOT THE BASIC ONE!!!

I hope someone could help me.

Thanks in advance, Best Regards,
Federico
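The 'KK <base64>' line that Squid hands to ntlm_auth in the cache.log above is an NTLMSSP AUTHENTICATE (Type 3) message. The following is an added example, not Samba or Squid code: it decodes the first KK line from the post (with the mail line-wrap spaces removed) and recovers the same fields ntlm_auth logs in its "Got user=[...] domain=[...] workstation=[...] len1= len2=" line, plus the negotiate flags and the client version field. The names parse_kk_line, parse_type3, Type3 and describe are my own; the message layout is the one documented in MS-NLMP.

```python
"""Decode the NTLMSSP AUTHENTICATE (Type 3) blob carried on a Squid
'KK <base64>' helper line (squid-2.5-ntlmssp protocol).

Added example; not code from the Samba or Squid projects.
"""
import base64
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3

# NegotiateFlags bits used below (MS-NLMP 2.2.2.5).
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_OEM = 0x00000002
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NEGOTIATE_VERSION = 0x02000000
NEGOTIATE_128 = 0x20000000

# Constructed from the first KK line in the post above, wrap spaces removed:
# 'KK ' + 196 base64 characters = the logged length of 199.
SAMPLE_KK_LINE = (
    "KK TlRMTVNTUAADAAAAGAAYAGIAAAAYABgAegAAAA8ADwBIAAAABAAEAFcAAAAHAAcAWwAAAAAAAACS"
    "AAAABgIAIgUCzg4AAAAPR1JBTkRJX1NUQVpJT05JVVNFUkNFUkJFUk8Sh8IeDiFr+fN1aPqFbYp8"
    "HMPZCVVtWHOK6pqb0wMyFKr+LB7KIDwbIIJzdVWIUS8="
)


@dataclass
class Type3:
    flags: int
    domain: str
    user: str
    workstation: str
    lm_response: bytes
    nt_response: bytes
    session_key: bytes
    version: Optional[Tuple[int, int, int]]  # (major, minor, build) if NEGOTIATE_VERSION


def _field(blob: bytes, offset: int) -> bytes:
    """Read a (Len, MaxLen, BufferOffset) descriptor and return the payload it points at."""
    length, _maxlen, buf_off = struct.unpack_from("<HHI", blob, offset)
    if buf_off + length > len(blob):
        raise ValueError(f"field descriptor at {offset} points outside the message")
    return blob[buf_off:buf_off + length]


def parse_kk_line(line: str) -> Type3:
    """Parse a squid-2.5-ntlmssp 'KK <base64>' line into its Type 3 fields."""
    tag, _, b64 = line.strip().partition(" ")
    if tag != "KK":
        raise ValueError(f"expected a KK line, got {tag!r}")
    # Mail clients wrap long lines; drop any whitespace before decoding.
    blob = base64.b64decode("".join(b64.split()), validate=True)
    return parse_type3(blob)


def parse_type3(blob: bytes) -> Type3:
    if len(blob) < 64 or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type != AUTHENTICATE:
        raise ValueError(f"expected AUTHENTICATE (3), got message type {msg_type}")
    (flags,) = struct.unpack_from("<I", blob, 60)
    # Strings are UTF-16LE when NEGOTIATE_UNICODE is set, otherwise OEM (ASCII here).
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    version = None
    if flags & NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", blob, 64)
        version = (major, minor, build)
    return Type3(
        flags=flags,
        lm_response=_field(blob, 12),
        nt_response=_field(blob, 20),
        domain=_field(blob, 28).decode(codec),
        user=_field(blob, 36).decode(codec),
        workstation=_field(blob, 44).decode(codec),
        session_key=_field(blob, 52),
        version=version,
    )


def describe(t: Type3) -> str:
    """Mirror ntlm_auth's log line and add what the response lengths imply."""
    # A 24-byte NT response is NTLMv1 (or the NTLM2 session response when the
    # extended-session-security flag is set); NTLMv2 responses are always longer.
    if len(t.nt_response) == 24:
        flavour = ("NTLM2 session response" if t.flags & NEGOTIATE_EXTENDED_SESSIONSECURITY
                   else "NTLMv1")
    else:
        flavour = "NTLMv2"
    return (f"user=[{t.user}] domain=[{t.domain}] workstation=[{t.workstation}] "
            f"len1={len(t.lm_response)} len2={len(t.nt_response)} ({flavour})")


if __name__ == "__main__":
    t = parse_kk_line(SAMPLE_KK_LINE)
    print(describe(t))
    print(f"flags=0x{t.flags:08x} version={t.version}")
```

Run against the sample it reproduces the logged "user=[USER] domain=[GRANDI_STAZIONI] workstation=[CERBERO] len1=24 len2=24". Two things the log line does not show: the flags (0x22000206) carry OEM rather than Unicode strings and no extended session security, so the 24-byte NT response is plain NTLMv1, and the version field reads 5.2 build 3790, which is a Windows Server 2003 client, consistent with the win2003 test mentioned in the post. Note that the parse succeeds, so the ACCESS_DENIED in the log is not a malformed client message.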
On Wed, 2003-11-12 at 00:58, Lombardo Federico wrote:
> Hi all,
>
> I've a little problem using ntlm_auth with squid.
>
> Scenario: Redhat 9, Samba 3 compiled, squid-2.5 compiled.

> utils/ntlm_auth.c:manage_squid_ntlmssp_request(325)
> NTLMSSP NT_STATUS_ACCESS_DENIED

I'm working to make this easier to debug, and better documented.

You need to change the group ownership of the directory 'winbind_privileged_pipe_dir' in your LOCKDIR (possibly /var/lock/samba). If you make that group owned by squid, it can then get to the 'special things' that NTLMSSP authentication needs.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
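The fix in the reply is a permission change on the winbindd privileged pipe directory, not a Squid or smb.conf change. As an added example (not Samba or Squid code), here is a check a practitioner can run after the chgrp. On Samba 3 installs the directory is $LOCKDIR/winbindd_privileged, which Samba creates root-owned with mode 0750; the path and the 'squid' group name below are placeholders for your own build and distribution. The check confirms the directory is group-owned by the account the helper runs as, readable and searchable by that group, and not opened to everyone, which is the tempting but wrong way to make the ACCESS_DENIED go away. demo() exercises it on a throw-away directory so it runs without Samba present.

```python
"""Verify that the winbindd privileged pipe directory is usable by the
group that runs Squid's ntlm_auth helper.

Added example; not Samba or Squid code. Path and group are placeholders.
"""
import grp
import os
import stat
import tempfile
from typing import Dict, List, Union

GROUP_RX = stat.S_IRGRP | stat.S_IXGRP
OTHER_ANY = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def _resolve_gid(group: Union[str, int]) -> int:
    """Accept a group name (looked up via NSS) or a numeric gid."""
    if isinstance(group, int):
        return group
    return grp.getgrnam(group).gr_gid


def check_privileged_dir(path: str, squid_group: Union[str, int]) -> List[str]:
    """Return a list of problems; an empty list means the helper can reach the pipe.

    Checks, in order: the path exists and is a directory, its group is the
    helper's group, that group has r+x (search) access, and no permission is
    granted to 'other' (the privileged pipe is deliberately kept away from
    arbitrary local users, so chmod 755 is the wrong fix).
    """
    problems: List[str] = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist (wrong LOCKDIR? see `smbd -b | grep LOCKDIR`)"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    want_gid = _resolve_gid(squid_group)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_gid != want_gid:
        problems.append(f"{path} has gid {st.st_gid}, expected {want_gid}: fix with chgrp")
    if mode & GROUP_RX != GROUP_RX:
        problems.append(f"{path} mode {mode:04o} lacks g+rx")
    if mode & OTHER_ANY:
        problems.append(f"{path} mode {mode:04o} is world-accessible; Samba expects 0750")
    return problems


def demo() -> Dict[str, List[str]]:
    """Exercise the check on a temporary directory (no Samba needed).

    Uses the current process's own gid as the 'squid' group. Returns the
    problem lists for a correct 0750 directory, for the chmod-755 mistake,
    for a 0700 directory the group cannot enter, and for a missing path.
    """
    d = tempfile.mkdtemp()
    try:
        gid = os.stat(d).st_gid
        os.chmod(d, 0o750)
        good = check_privileged_dir(d, gid)
        os.chmod(d, 0o755)
        too_open = check_privileged_dir(d, gid)
        os.chmod(d, 0o700)
        no_group = check_privileged_dir(d, gid)
        missing = check_privileged_dir(os.path.join(d, "winbindd_privileged"), gid)
    finally:
        os.rmdir(d)
    return {"good": good, "too_open": too_open, "no_group": no_group, "missing": missing}


if __name__ == "__main__":
    # Placeholders: LOCKDIR and the helper's group differ between builds/distros.
    for problem in check_privileged_dir("/var/lock/samba/winbindd_privileged", "squid"):
        print(problem)
    for name, result in demo().items():
        print(f"{name}: {result or 'ok'}")
```

The group to pass is the primary group of the user Squid runs its helpers as (the cache_effective_group in squid.conf if set, otherwise the effective user's group), and the directory must stay root-owned with mode 0750 after the chgrp.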