thr3ads.net - samba - [Samba] ntlm_auth and squid authentication problems [Nov 2003]

If this information is useful, please help other people find it:
Share via:

Lombardo Federico

2003-Nov-11 13:58 UTC

[Samba] ntlm_auth and squid authentication problems

Hi all,

I've a little problem using ntlm_auth with squid.

Scenario: Redhat 9, Samba 3 compiled, squid-2.5 compiled.

smb.conf:

[global]
encrypt passwords = Yes
winbind separator = \
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/bash
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
workgroup = GRANDI_STAZIONI
server string = venere
netbios name = venere
security = ads
log file = /var/log/samba/log.%m
max log size = 50
password server = MASTER BDC
realm = GSTAZIONI.IT
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 192.168.5.1 192.168.0.1
wins proxy = yes
dns proxy = yes




Samba is correctly configured into the domain.

Now I take a simple user... called "user" with password
"password" ... what
a fantasy, I'm smart ah!? :-)
So, go on. I try to authenticate it with wbinfo:

[root@Squid root]# wbinfo -a user%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

So go on, and try to authenticate it with ntlm_auth:

[root@Squid root]#
/usr/squid/libexec/ntlm_auth --username=user --nt-response
password:
NT_STATUS_OK: Success (0x0)


then, configure my squid to work with ntlm_auth, so squid.conf will be:

auth_param ntlm program
/usr/squid/libexec/ntlm_auth --debug-level=10 --helper-protocol=squid-2.5-nt
lmssp --nt-response
auth_param ntlm children 40
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program
/usr/squid/libexec/ntlm_auth --debug-level=10 --helper-protocol=squid-2.5-ba
sic --nt-response
auth_param basic children 40
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Ok ? that's ok.

then I open my IE6, latest patchlevel, tried on win2k, win2003 and XP, and
when I ask a site I receive this in squid's cache.log:

[2003/11/11 14:52:02, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'KK
TlRMTVNTUAADAAAAGAAYAGIAAAAYABgAegAAAA8ADwBIAAAABAAEAFcAAAAHAAcAWwAAAAAAAACS
AAAABgIAIgUCzg4AAAAPR1JBTkRJX1NUQVpJT05JVVNFUkNFUkJFUk8Sh8IeDiFr+fN1aPqFbYp8
HMPZCVVtWHOK6pqb0wMyFKr+LB7KIDwbIIJzdVWIUS8=' from squid (length: 199).
[2003/11/11 14:52:02, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/11/11 14:52:02, 10] lib/util.c:dump_data(1825)
  [000] 4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00  NTLMSSP. ........
  [010] 62 00 00 00 18 00 18 00  7A 00 00 00 0F 00 0F 00  b....... z.......
  [020] 48 00 00 00 04 00 04 00  57 00 00 00 07 00 07 00  H....... W.......
  [030] 5B 00 00 00 00 00 00 00  92 00 00 00 06 02 00 22  [....... ......."
  [040] 05 02 CE 0E 00 00 00 0F  47 52 41 4E 44 49 5F 53  ........ GRANDI_S
  [050] 54 41 5A 49 4F 4E 49 55  53 45 52 43 45 52 42 45  TAZIONIU SERCERBE
  [060] 52 4F 12 87 C2 1E 0E 21  6B F9 F3 75 68 FA 85 6D  RO.....! k..uh..m
  [070] 8A 7C 1C C3 D9 09 55 6D  58 73 8A EA 9A 9B D3 03  .|....Um Xs......
  [080] 32 14 AA FE 2C 1E CA 20  3C 1B 20 82 73 75 55 88  2...,..  <. .suU.
  [090] 51 2F 00                                          Q/.
[2003/11/11 14:52:02, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(286)
  Got user=[USER] domain=[GRANDI_STAZIONI] workstation=[CERBERO] len1=24
len2=24
[2003/11/11 14:52:02, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(325)
  NTLMSSP NT_STATUS_ACCESS_DENIED
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'YR' from squid (length: 2).
[2003/11/11 14:52:03, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/11/11 14:52:03, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(322)
  NTLMSSP challenge
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'KK
TlRMTVNTUAADAAAAGAAYAGIAAAAYABgAegAAAA8ADwBIAAAABAAEAFcAAAAHAAcAWwAAAAAAAACS
AAAABgIAIgUCzg4AAAAPR1JBTkRJX1NUQVpJT05JVVNFUkNFUkJFUk8eZ4Km4Gp0NNEiDnO2ko2P
YaSAVmt1WAEOjvUdTWSakqTyJWkliZaHhljnTdE165I=' from squid (length: 199).
[2003/11/11 14:52:03, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/11/11 14:52:03, 10] lib/util.c:dump_data(1825)
  [000] 4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00  NTLMSSP. ........
  [010] 62 00 00 00 18 00 18 00  7A 00 00 00 0F 00 0F 00  b....... z.......
  [020] 48 00 00 00 04 00 04 00  57 00 00 00 07 00 07 00  H....... W.......
  [030] 5B 00 00 00 00 00 00 00  92 00 00 00 06 02 00 22  [....... ......."
  [040] 05 02 CE 0E 00 00 00 0F  47 52 41 4E 44 49 5F 53  ........ GRANDI_S
  [050] 54 41 5A 49 4F 4E 49 55  53 45 52 43 45 52 42 45  TAZIONIU SERCERBE
  [060] 52 4F 1E 67 82 A6 E0 6A  74 34 D1 22 0E 73 B6 92  RO.g...j t4.".s..
  [070] 8D 8F 61 A4 80 56 6B 75  58 01 0E 8E F5 1D 4D 64  ..a..Vku X.....Md
  [080] 9A 92 A4 F2 25 69 25 89  96 87 86 58 E7 4D D1 35  ....%i%. ...X.M.5
  [090] EB 92 00                                          ...
[2003/11/11 14:52:03, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(286)
  Got user=[USER] domain=[GRANDI_STAZIONI] workstation=[CERBERO] len1=24
len2=24
[2003/11/11 14:52:03, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(325)
  NTLMSSP NT_STATUS_ACCESS_DENIED

please note that these packets are REAL, not changed by me.
User: user
Password: password


Note also that using ntlm_auth with basic protocol ONLY will make all work,
with chace.log':

[2003/11/11 11:59:06, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'user password' from squid (length: 17).
[2003/11/11 11:59:06, 3] utils/ntlm_auth.c:check_plaintext_auth(172)
  NT_STATUS_OK: Success (0x0)

but I NEED NTLM SCHEME, NOT BASIC ONE!!!

I hope someone could help me.

Thanks in advance,

Best Regards,

Federico

Andrew Bartlett

2003-Nov-11 22:25 UTC

head link

[Samba] ntlm_auth and squid authentication problems

On Wed, 2003-11-12 at 00:58, Lombardo Federico wrote:> Hi all,
> 
> I've a little problem using ntlm_auth with squid.
> 
> Scenario: Redhat 9, Samba 3 compiled, squid-2.5 compiled.
> utils/ntlm_auth.c:manage_squid_ntlmssp_request(325)
>   NTLMSSP NT_STATUS_ACCESS_DENIED
I'm working to make this easier to debug, and better documented.

You need to change the group ownership of the directory
'winbind_privileged_pipe_dir' in your LOCKDIR. (possibly
/var/lock/samba)

If you make that group owned by squid, it can then get to the 'special
things' that NTLMSSP authentication needs.  

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20031112/e6009b0b/attachment.bin

Seemingly Similar Threads

Search for more reasonably related threads

samba - Nov 2003 - ntlm_auth and squid authentication problems

[Samba] ntlm_auth and squid authentication problems

[Samba] ntlm_auth and squid authentication problems

Seemingly Similar Threads