John H Terpstra
2004-Oct-13 13:40 UTC
[Samba] RE: TOSHARG: Samba ADS domain membership notes
Jeremy,

Thanks for this feedback. I will include this info as soon as I get a moment. Good work.

- John T.

---
John H Terpstra
Samba-Team
email: jht@samba.org

-------- Original Message --------
> Subject: TOSHARG: Samba ADS domain membership notes
> From: "Jeremy Naylor" <jnaylor@gmail.com>
> Date: Wed, October 13, 2004 5:27 am
> To: jht@samba.org
>
> Hi John,
>
> I ran into a few problems adding a samba machine to my Win2k3 AD
> domain for Squid authentication. I pinned it down to two specific
> settings in the Security Policy on the domain controller. I googled
> for days and found a few other cases of the same problem but never any
> solutions. I finally found them through trial and error. I think
> these two would be good tips to add to the how-to, since the settings
> are recommended by Microsoft as a best practice for security.
>
> At first, I was always getting this message:
>
>     [2004/10/13 08:11:14, 0] utils/net_ads.c:ads_startup(183)
>       ads_connect: Strong(er) authentication required
>
> This directly correlated with this setting in the Security Policy:
>
>     Domain Controller: LDAP server signing requirements = Require Signing
>
> Changing this to "None" got it working as a workaround. I'm still
> trying to get it to work with that enabled.
>
> The other issue I had was testing authentication with "wbinfo -a
> user%pass". That would never succeed, even once I had joined the
> domain. It would always come back with:
>
>     plaintext password authentication failed
>     error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
>     error messsage was: Wrong Password
>     Could not authenticate user user%pass with plaintext password
>     challenge/response password authentication failed
>     error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
>     error messsage was: Wrong Password
>     Could not authenticate user user with challenge/response
>
> It also failed when using the ntlm_auth helper (with basic or NTLM
> authentication). I found out this is because neither wbinfo nor
> ntlm_auth support NTLMv2, and I had this setting in my Security
> Policy:
>
>     Network security: LAN Manager authentication level = Send NTLMv2 response only\refuse LM & NTLM
>
> I configured Squid for NTLMv2 (ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp) authentication and that worked
> fine. I could have saved a lot of time had I realized the other tools
> would never work.
>
> Thanks!
Andrew Bartlett
2004-Oct-14 08:36 UTC
[Samba] RE: TOSHARG: Samba ADS domain membership notes
On Wed, 2004-10-13 at 23:40, John H Terpstra wrote:
> Jeremy,
>
> Thanks for this feedback. I will include this info as soon as I get a
> moment. Good work.
>
> > It also failed when using the ntlm_auth helper (with basic or NTLM
> > authentication). I found out this is because neither wbinfo nor
> > ntlm_auth support NTLMv2, and I had this setting in my Security
> > Policy:
> >
> >     Network security: LAN Manager authentication level = Send NTLMv2 response only\refuse LM & NTLM
> >
> > I configured Squid for NTLMv2 (ntlm_auth
> > --helper-protocol=squid-2.5-ntlmssp) authentication and that worked
> > fine. I could have saved a lot of time had I realized the other tools
> > would never work.

It was nothing more than a bug - I'm sorry for the delay in getting it fixed. The changes are in current SVN, which will be 3.0.8. You will need to set 'client ntlmv2 auth = yes'.

Andrew Bartlett

--
Andrew Bartlett                                abartlet@samba.org
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  abartlet@hawkerc.net
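The two settings the thread converges on, written out as configuration: Jeremy's working Squid helper line (ntlm_auth with --helper-protocol=squid-2.5-ntlmssp) and the smb.conf parameter Andrew names for the NTLMv2-only domain policy ('client ntlmv2 auth = yes'). This is an added example, not configuration from either poster or from the Samba project; the realm, workgroup, helper path and child counts are placeholders, and the ACL lines are generic Squid 2.5 proxy_auth directives assumed for completeness.

```ini
; --- /etc/samba/smb.conf (added example; realm/workgroup are placeholders) ---
[global]
    ; ADS member server, as in the thread (Win2k3 AD domain)
    security = ads
    realm = EXAMPLE.COM
    workgroup = EXAMPLE

    ; Required once the DC enforces
    ; "LAN Manager authentication level = Send NTLMv2 response only\refuse LM & NTLM":
    ; makes wbinfo -a / ntlm_auth send NTLMv2 (Samba 3.0.8+, per Andrew's reply)
    client ntlmv2 auth = yes

; --- /etc/squid/squid.conf (added example; helper path is a placeholder) ---
; NTLMSSP helper that already worked for Jeremy against the NTLMv2-only policy
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

; Basic-auth fallback also goes through winbind; it needs the smb.conf
; setting above to succeed under the NTLMv2-only policy
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy

acl auth proxy_auth REQUIRED
http_access allow auth
http_access deny all
```

The LDAP signing requirement is a separate issue: it is raised by the DC before any user authentication happens (the "Strong(er) authentication required" error comes from ads_connect during the join), so no smb.conf change shown here addresses it; the thread only records the "None" workaround on the DC side.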