Hi,

I am running squid and samba to auth users against a 2003 domain. My squid setup is something like this:

auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm children 2
auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 2
auth_param basic realm Cache NTLM Authentication
auth_param basic credentialsttl 2 hours

I then join the domain as follows:

Net join -S server -w Domain -U username%password

Once that has succeeded I then run winbindd and nmbd. Once that is done, if I do a wbinfo -u or -g I can see the users and groups of the users I am authenticating. All seems fine, but when a user tries to auth, the following error occurs:

[2005/10/31 11:43:36, 0] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [Domain]\[Proxy2]@[ianb] failed due to [Access denied]
[2005/10/31 11:43:36, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED

If I run a wbinfo -a Proxy2%Password_1 (A valid user and password), I get this:

[root@cont] ~ # wbinfo -a Proxy2%Password_1
plaintext password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user Proxy2%Password_1 with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user Proxy2 with challenge/response
[root@cont] ~ #

The user that I am joining the domain with (in net join) has the following set:
* The account is a local administrator on the device, specified within AD
* The account has full read access to all user information, it was delegated to me.

Something else that's strange is that I saw this error a while ago, and while trying to debug it, it just stopped occurring, and my users could auth fine. The domain I'm authing to has over 1000 users (in the lab where we are testing) and over 2000 groups.

Could anyone provide some more insight as to why this is happening?

Cheers
Ian

Please, post your smb.conf

"Ian Barnes" <ian@opteqint.net> wrote in message news:20051031194912.84207162C52@lists.samba.org...
> Hi,
>
> I am running squid and samba to auth users against a 2003 domain. My squid
> setup is something like this:
>
> auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm children 2
> auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 2
> auth_param basic realm Cache NTLM Authentication
> auth_param basic credentialsttl 2 hours
>
> I then join the domain as follows:
> Net join -S server -w Domain -U username%password
>
> Once that has succeeded I then run winbindd and nmbd. Once that is done, if
> I do a wbinfo -u or -g I can see the users and groups of the users I am
> authenticating. All seems fine, but when a user tries to auth, the following
> error occurs:
>
> [2005/10/31 11:43:36, 0] utils/ntlm_auth.c:winbind_pw_check(427)
>   Login for user [Domain]\[Proxy2]@[ianb] failed due to [Access denied]
> [2005/10/31 11:43:36, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
>   NTLMSSP BH: NT_STATUS_ACCESS_DENIED
>
> If I run a wbinfo -a Proxy2%Password_1 (A valid user and password), I get
> this:
> [root@cont] ~ # wbinfo -a Proxy2%Password_1
> plaintext password authentication failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> error messsage was: Access denied
> Could not authenticate user Proxy2%Password_1 with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> error messsage was: Access denied
> Could not authenticate user Proxy2 with challenge/response
> [root@cont] ~ #
>
> The user that I am joining the domain with (in net join) has the following
> set:
> * The account is a local administrator on the device, specified within AD
> * The account has full read access to all user information, it was delegated
>   to me.
>
> Something else that's strange is that I saw this error a while ago, and
> while trying to debug it, it just stopped occurring, and my users could auth
> fine. The domain I'm authing to has over 1000 users (in the lab where we are
> testing) and over 2000 groups.
>
> Could anyone provide some more insight as to why this is happening?
>
> Cheers
> Ian