Hi,

We are having problems setting up a squid cache server to use NTLMv2 authentication to authenticate users against AD.

We have narrowed the problems down to being a problem between samba and squid when using NTLMv2. It constantly moans about the password being wrong when using squid, but doing a direct samba auth works fine. We have (believedly) narrowed it down to this: the domain requires client ntlmv2 yes in samba to work - however it seems ntlm_auth does not support this!

Our process was as follows:

On the domain controller, we set the "Network Security: LAN Manager authentication level properties" option to be "Send NTLM response only". We then set smb.conf to look something like this:

[global]
winbind separator = +
winbind cache time = 10
workgroup = DOMAIN
security = ads
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
#realm = S058DS1001001.DOMAIN.COM
#client ntlmv2 auth = yes
log file = /var/log/log.%m

That works, when joining the domain we can see the users, groups etc. Some of the commands we ran:

[root@cont] ~ # wbinfo -a Proxy2%Password_1
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root@cont] ~ # wbinfo -t
checking the trust secret via RPC calls succeeded

All worked fine, and squid could auth the user as could a wbinfo -a. We then switched the option in AD to "Send NTLMv2 response only\refuse LM & NTLM" and the smb.conf to the following:

[global]
winbind separator = +
winbind cache time = 10
workgroup = DOMAIN
security = ads
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
realm = S058DS1001001.DOMAIN.COM
client ntlmv2 auth = yes
log file = /var/log/log.%m

When we join the domain, it joins fine, we run winbindd and nmbd and we can then look up the users and groups. We can do a net ads testjoin which works fine as well:

[root@cont] ~ # net ads testjoin
Join is OK

Note that client ntlmv2 is on now.
The problem comes in when trying to use squid to do the authentication. We get the following error in the squid log file if we set the authenticator's debugging to level 9:

[2005/11/07 13:36:35, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[Proxy4] domain=[DOMAIN] workstation=[ianb] len1=24 len2=24
[2005/11/07 13:36:35, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [DOMAIN]\[Proxy4]@[ianb] failed due to [Wrong Password]

If we type in a username that doesn't exist, it complains that the username is invalid, so we know that it has to do with the password. We also know that the password is correct as we tried this numerous times and we also tried copy-pasting the password into the required field.

Our squid.conf looks like this:

auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d9
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm children 2
auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic -d9
auth_param basic children 2
auth_param basic realm Cache NTLM Authentication
auth_param basic credentialsttl 2 hours

Anyone have any idea as to why that would happen when only using squid? Is there an option that we need to set to make the authenticator use ntlmv2 only or something like we had to do for samba? Does ntlm_auth not understand the v2 protocol properly?

Onto another question, when I join the domain for the first time, I get this error when trying to do anything besides a wbinfo -u or wbinfo -g.
Here are a few examples:

[root@cont] ~ # wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret

And this from the squid log if we try and auth a user:

[2005/10/31 11:43:36, 0] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [Domain]\[Proxy2]@[ianb] failed due to [Access denied]
[2005/10/31 11:43:36, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED

The strange thing is these errors stop happening from anywhere between 5 and 15 minutes after joining the domain. Any ideas as to why they are occurring in the first place? Basically: we are able to list users and groups - but wbinfo -t doesn't work until we've been logged on for 5-15 minutes (randomly)?

Thanks in advance,
Ian
On Mon, 2005-11-07 at 23:21 +0200, Ian Barnes wrote:
> Hi,
>
> We are having problems setting up a squid cache server to use NTLMv2
> authentication to authenticate users against AD.
>
> We have narrowed the problems down to being a problem between samba and
> squid when using NTLMv2. It constantly moans about the password being wrong
> when using squid, but doing a direct samba auth works fine. We have
> (believedly) narrowed it down to this: the domain requires client ntlmv2
> yes in samba to work - however it seems ntlm_auth does not support this!

It is meant to work. Have you enabled the options in the squid.conf?

> Our squid.conf looks like this:
> auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d9
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm children 2
> auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic -d9
> auth_param basic children 2
> auth_param basic realm Cache NTLM Authentication
> auth_param basic credentialsttl 2 hours
>
> Anyone have any idea as to why that would happen when only using squid? Is
> there an option that we need to set to make the authenticator use ntlmv2
> only or something like we had to do for samba? Does ntlm_auth not understand
> the v2 protocol properly?

ntlm_auth understands it, however it requires that:

  use_ntlm_negotiate on

be set in the squid.conf.

> Onto another question, when I join the domain for the first time, I get this
> error when trying to do anything besides a wbinfo -u or wbinfo -g. Here are
> a few examples:
>
> [root@cont] ~ # wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> Could not check secret
>
> And this from the squid log if we try and auth a user:
> [2005/10/31 11:43:36, 0] utils/ntlm_auth.c:winbind_pw_check(427)
>   Login for user [Domain]\[Proxy2]@[ianb] failed due to [Access denied]
> [2005/10/31 11:43:36, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
>   NTLMSSP BH: NT_STATUS_ACCESS_DENIED
>
> The strange thing is these errors stop happening from anywhere between 5 and
> 15 minutes after joining the domain. Any ideas as to why they are occurring
> in the first place? Basically: We are able to list users, and groups - but
> wbinfo -t doesn't work until we've been logged on for 5-15 minutes
> (randomly)?

This is really odd. It is as if the join wasn't propagated to all the DCs in good time.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
Hi,

We asked the squid guys the following, but no response and we thought you guys might understand better.

We are trying to do NTLMv2 authentication using samba and squid. We tried and nothing worked so we upgraded our squid (to 2.5Stable12), and samba to 3.0.20b. Once we upgraded squid, the ntlm_auth program was different so we used the samba ntlm_auth instead. We then had the problem that we kept on getting invalid password when using squid to handle the authentication and have narrowed down the problem to do with ntlmssp.

If I only have a basic authenticator - which looks like the following, it works perfectly:

auth_param basic program /usr/optec/ntlm_auth.sh basic
auth_param basic children 10
auth_param basic realm server.opteqint.net Cache NTLM Authentication
auth_param basic credentialsttl 2 hours

(ntlm_auth.sh runs the ntlm_auth squid-2.5-basic helper)

I see the following debug messages:

[2005/11/09 13:20:43, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
  NT_STATUS_OK: Success (0x0)

However, when I use ntlmssp in the squid config, shown below, it does not work:

auth_param ntlm program /usr/optec/ntlm_auth.sh ntlmssp
auth_param ntlm children 10
auth_param ntlm use_ntlm_negotiate yes

I see the following debug messages:

[2005/11/09 13:22:37, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[ianb] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24
[2005/11/09 13:22:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [MASTERMIND]\[ianb]@[LUCY] failed due to [Wrong Password]

If I type ian instead of ianb, I see an error saying the user does not exist. This must mean that somehow the wrong password is being passed in the wrong way - even though it is typed right. This only happens with the security option on the AD server set to ONLY allow NTLMv2/LMv2 and not anything else. If we turn that off it works perfectly...

As I understand it the password doesn't come to squid in plaintext when it's using ntlmssp, and I believe that there is some kind of handling problem with that now? If I type in the password on the command line with the ntlm_auth program, it is able to validate it just fine using NTLMv2 - enforcing my belief that something is wrong here...

Any suggestions AT ALL would be appreciated...

Thanks
Ian
I have an update on the problem Ian posted about (I am working with him to solve it)...

The problem is isolated to the use of the utils/ntlm_auth.c:winbind_pw_check and libsmb/ntlmssp.c:ntlmssp_server_auth functions as far as I can tell. When using basic auth, or using the command line tools available, NTLMv2 authentication works fine.

These are some more in-depth error messages seen when trying with a valid user (an invalid user does in fact reply invalid user), and a random valid password (note: changing to use -basic instead of -ntlmssp results in this all working perfectly - and I have tried 4 different browsers):

[2005/11/09 21:16:38, 10] utils/ntlm_auth.c:manage_squid_request(1609)
  Got 'YR' from squid (length: 2).
[2005/11/09 21:16:38, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(587)
  got NTLMSSP packet:
[2005/11/09 21:16:38, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(597)
  NTLMSSP challenge
[2005/11/09 21:16:38, 10] utils/ntlm_auth.c:manage_squid_request(1609)
  Got 'KK TlRMTVNTUAADAAAAGAAYAFoAAAAYABgAcgAAAAoACgBIAAAABAAEAFIAAAAEAAQAVgAAAAAAAACKAAAABgIAAgUBKAoAAAAPTUFTVEVSTUlORElBTkJMVUNZYu0jXv1m1KFd5vnkrpFlwOJD5420tN0zXyXbhlZLKwpoe2FSZ5eadsZLxQ1IVOBC' from squid (length: 187).
[2005/11/09 21:16:38, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(587)
  got NTLMSSP packet:
[2005/11/09 21:16:38, 10] lib/util.c:dump_data(2053)
  [000] 4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00  NTLMSSP. ........
  [010] 5A 00 00 00 18 00 18 00  72 00 00 00 0A 00 0A 00  Z....... r.......
  [020] 48 00 00 00 04 00 04 00  52 00 00 00 04 00 04 00  H....... R.......
  [030] 56 00 00 00 00 00 00 00  8A 00 00 00 06 02 00 02  V....... ........
  [040] 05 01 28 0A 00 00 00 0F  4D 41 53 54 45 52 4D 49  ..(..... MASTERMI
  [050] 4E 44 49 41 4E 42 4C 55  43 59 62 ED 23 5E FD 66  NDIANBLU CYb.#^.f
  [060] D4 A1 5D E6 F9 E4 AE 91  65 C0 E2 43 E7 8D B4 B4  ..]..... e..C....
  [070] DD 33 5F 25 DB 86 56 4B  2B 0A 68 7B 61 52 67 97  .3_%..VK +.h{aRg.
  [080] 9A 76 C6 4B C5 0D 48 54  E0 42                    .v.K..HT .B
[2005/11/09 21:16:38, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[IANB] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24
[2005/11/09 21:16:38, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [MASTERMIND]\[IANB]@[LUCY] failed due to [Wrong Password]
[2005/11/09 21:16:38, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(605)
  NTLMSSP NT_STATUS_WRONG_PASSWORD

As you can see, it is receiving the domain, workstation and user perfectly. If I manually run it, it seems to work fine as well:

[root@server] ~ # ntlm_auth -d10 --helper-protocol=squid-2.5-ntlmssp
[2005/11/09 21:20:28, 5] lib/debug.c:debug_dump_status(368)
YR
[2005/11/09 21:20:32, 10] utils/ntlm_auth.c:manage_squid_request(1609)
  Got 'YR' from squid (length: 2).
[2005/11/09 21:20:32, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(587)
  got NTLMSSP packet:
TT TlRMTVNTUAACAAAAAAAAADAAAAASAgAAPOox0vgWvkoAAAAAAAAAAAAAAAAwAAAA
[2005/11/09 21:20:32, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(597)
  NTLMSSP challenge

What could be the problem? I'm willing to do anything - even arrange remote access. Whatever is required...

Thank you
Dave
On Thu, 2005-11-10 at 15:58 +0200, Dave Raven wrote:
> Okay thanks for your help - we have managed to get it working now, by having
> to force NTLMv2 on each client manually. We'll try to find a way of doing that
> automatically, but it seems a standard XP install won't send NTLMv2 ...

Correct. No clients that I know of do NTLMv2 by default.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
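The len1=24 len2=24 that ntlm_auth logs in Dave's dump is the tell behind Andrew's answer: an NTLMv1 NT response is exactly 24 bytes, while an NTLMv2 response is a 16-byte HMAC plus a variable-length blob, so a DC set to "refuse LM & NTLM" turns the stock client's reply away as a wrong password. The following Python is added here as an illustration and is not code from the thread, from squid or from Samba: it parses the NTLMSSP Type 3 (AUTHENTICATE) message that squid hands the helper in the 'KK' line, following the MS-NLMP field layout, and classifies the NT response; the sample messages are constructed with placeholder bytes, not the thread's real captures.

```python
import base64
import struct

# NTLMSSP AUTHENTICATE (Type 3) layout per MS-NLMP: 8-byte signature, 4-byte
# type, six 8-byte field descriptors (len, maxlen, offset), flags at offset 60.
FIELD_NAMES = ("lm", "nt", "domain", "user", "workstation", "session_key")

def parse_type3(msg: bytes) -> dict:
    """Decode the variable-length fields of a Type 3 message into raw bytes."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    fields = {}
    for i, name in enumerate(FIELD_NAMES):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        fields[name] = msg[offset:offset + length]
    fields["flags"] = struct.unpack_from("<I", msg, 60)[0]
    return fields

def response_kind(msg: bytes) -> str:
    """len2 in the ntlm_auth log: an NTLMv1 NT response is exactly 24 bytes
    (three DES blocks); an NTLMv2 response is a 16-byte HMAC plus a blob."""
    nt_len = len(parse_type3(msg)["nt"])
    if nt_len == 0:
        return "anonymous"
    return "NTLMv1" if nt_len == 24 else "NTLMv2"

def describe_squid_kk(line: str) -> str:
    """Classify the base64 Type 3 blob from an ntlm_auth 'KK ...' log line."""
    msg = base64.b64decode(line.split(None, 1)[1])
    f = parse_type3(msg)
    # NTLMSSP_NEGOTIATE_UNICODE (bit 0) selects UTF-16LE strings, else OEM.
    enc = "utf-16-le" if f["flags"] & 0x1 else "latin-1"
    dom, usr, wks = (f[k].decode(enc) for k in ("domain", "user", "workstation"))
    return f"{dom}\\{usr}@{wks}: {response_kind(msg)}"

def build_type3(domain, user, host, lm, nt, flags=0x02000206) -> bytes:
    """Build a constructed Type 3 message (OEM strings, empty session key)."""
    blobs = (lm, nt, domain, user, host, b"")
    header, offset = b"NTLMSSP\x00" + struct.pack("<I", 3), 64
    for blob in blobs:
        header += struct.pack("<HHI", len(blob), len(blob), offset)
        offset += len(blob)
    return header + struct.pack("<I", flags) + b"".join(blobs)

def to_squid_kk(msg: bytes) -> str:
    return "KK " + base64.b64encode(msg).decode()

# Constructed samples (placeholder bytes, not real credential material): the
# 24/24 shape a stock client sends, and the NTLMv2 shape the DC policy demands.
V1_MSG = build_type3(b"MASTERMIND", b"IANB", b"LUCY", b"\x11" * 24, b"\x22" * 24)
V2_MSG = build_type3(b"MASTERMIND", b"IANB", b"LUCY", b"\x33" * 24, b"\x44" * 16 + b"\x55" * 44)
```

Feeding the thread's own 'KK' line to describe_squid_kk would report NTLMv1, matching the len2=24 the helper logged and Andrew's point that clients must be told to send NTLMv2.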