samba - Nov 2005 - Urgent Samba / Squid NTLM Auth Problems

Hi, 

We are having problems setting up a squid cache server to use NTLMv2
authentication to authenticate users against AD.

We have narrowed the problems down to being a problem between samba and
squid when using NTLMv2. It constantly moans about the password being wrong
when using squid, but doing a direct samba auth works fine. We have
(believedly) narrowed it down to this: the domain requires client ntlmv2 yes in
samba to work - however it seems ntlm_auth does not support this!

Our process was as follows:

On the domain controller, we set the "Network Security: LAN Manager
authentication level properties" option to be "Send Send NTLM response
only". We then set smb.conf to look something like this:

[global]
winbind separator = +
winbind cache time = 10
workgroup = DOMAIN
security = ads
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
#realm = S058DS1001001.DOMAIN.COM
#client ntlmv2 auth = yes
log file = /var/log/log.%m

That works, when joining the domain we can see the users, groups etc. Some
of the commands we ran:
[root@cont] ~ # wbinfo -a Proxy2%Password_1 
plaintext password authentication succeeded challenge/response password
authentication succeeded [root@cont] ~ # wbinfo -t checking the trust secret
via RPC calls succeeded

All worked fine, and squid could auth the user as could a wbinfo -a. 

We then switched the option in AD to "Send NTLMv2 response only\refuse LM
&
NTLM" and the smb.conf to the following:

[global]
winbind separator = +
winbind cache time = 10
workgroup = DOMAIN
security = ads
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
realm = S058DS1001001.DOMAIN.COM
client ntlmv2 auth = yes
log file = /var/log/log.%m

When we join the domain, it joins fine, we run winbindd and nmbd and we can
then lookup the users and groups. We can do a net ads testjoin which works
fine aswell"

[root@cont] ~ # net ads testjoin
Join is OK

Note that client ntlmv2 is on now. The problem comes in when trying to use
squid to do the authentication. We get the following error in the squid log
file if we set the authenticators debugging to level 9:

[2005/11/07 13:36:35, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[Proxy4] domain=[DOMAIN] workstation=[ianb] len1=24 len2=24
[2005/11/07 13:36:35, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [DOMAIN]\[Proxy4]@[ianb] failed due to [Wrong Password]

If we type in a username that doesn't exist, it complains that the username
is invalid, so we know that it has todo with the password. We also know that
the password is correct as we tried this numerous times and we also tried
copy pasting the password into the required field.

Our squid.conf looks like this:
auth_param ntlm program /usr/local/libexec/squid/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp -d9
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes auth_param ntlm children 2
auth_param basic program /usr/local/libexec/squid/ntlm_auth
--helper-protocol=squid-2.5-basic -d9
auth_param basic children 2
auth_param basic realm Cache NTLM Authentication auth_param basic
credentialsttl 2 hours

Anyone have any idea as to why that would happen when only using squid? Is
there an option that we need to set to make the authenticator use ntlmv2
only or something like we had to do for samba? Does ntlm_auth not understand
the v2 protocol properly?


Onto another question, when I join the domain for the first time, I get this
error when trying to do anything besides a wbinfo -u or wbinfo -g. Here are
a few examples:

[root@cont] ~ # wbinfo -t
checking the trust secret via RPC calls 
failed error code was NT_STATUS_ACCESS_DENIED (0xc0000022) 
Could not check secret

And this from the squid log if we try and auth a user:
[2005/10/31 11:43:36, 0] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [Domain]\[Proxy2]@[ianb] failed due to [Access denied]
[2005/10/31 11:43:36, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED

The strange thing is these errors stop happening from anywhere between 5 and
15 minutes after joining the domain. Any ideas as to why they are occurring
in the first place? Basically: We are able to list users, and groups - but
wbinfo -t doesn't work until we've been logged on for 5-15 minutes
(randomly)?

Thanks in advance,
Ian

On Mon, 2005-11-07 at 23:21 +0200, Ian Barnes wrote:
> Hi, 
> 
> We are having problems setting up a squid cache server to use NTLMv2
> authentication to authenticate users against AD.
> 
> We have narrowed the problems down to being a problem between samba and
> squid when using NTLMv2. It constantly moans about the password being wrong
> when using squid, but doing a direct samba auth works fine. We have
> (believedly) narrowed it down to this: the domain requires client ntlmv2
> yes in samba to work - however it seems ntlm_auth does not support this!
It is meant to work.  Have you enabled the options in the squid.conf?
> Our squid.conf looks like this:
> auth_param ntlm program /usr/local/libexec/squid/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp -d9
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes auth_param ntlm children 2
> auth_param basic program /usr/local/libexec/squid/ntlm_auth
> --helper-protocol=squid-2.5-basic -d9
> auth_param basic children 2
> auth_param basic realm Cache NTLM Authentication auth_param basic
> credentialsttl 2 hours
> 
> Anyone have any idea as to why that would happen when only using squid? Is
> there an option that we need to set to make the authenticator use ntlmv2
> only or something like we had to do for samba? Does ntlm_auth not
understand
> the v2 protocol properly?
ntlm_auth understands it, however it requires that:

use_ntlm_negotiate on

be set in the squid.conf.  
> 
> Onto another question, when I join the domain for the first time, I get
this
> error when trying to do anything besides a wbinfo -u or wbinfo -g. Here are
> a few examples:
> 
> [root@cont] ~ # wbinfo -t
> checking the trust secret via RPC calls 
> failed error code was NT_STATUS_ACCESS_DENIED (0xc0000022) 
> Could not check secret
> 
> And this from the squid log if we try and auth a user:
> [2005/10/31 11:43:36, 0] utils/ntlm_auth.c:winbind_pw_check(427)
>   Login for user [Domain]\[Proxy2]@[ianb] failed due to [Access denied]
> [2005/10/31 11:43:36, 0]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
>   NTLMSSP BH: NT_STATUS_ACCESS_DENIED
> 
> The strange thing is these errors stop happening from anywhere between 5
and
> 15 minutes after joining the domain. Any ideas as to why they are occurring
> in the first place? Basically: We are able to list users, and groups - but
> wbinfo -t doesn't work until we've been logged on for 5-15 minutes
> (randomly)?
This is really odd.  It is as if the join wasn't propagated to all the
DCs in good time.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20051108/5d562900/attachment-0001.bin

Hi,

We asked the squid guys the following, but no response and we thought you
guys might understand better.

We are trying todo NTLMv2 authentication using samba and squid. We tried and
nothing worked so we upgraded our squid (to 2.5Stable12), and samba to
3.0.20b. Once we upgraded squid, the ntlm_auth program was different so we
used the samba ntlm_auth instead.

We then had the problem that we kept on getting invalid password when using
squid to handle the authentication and have narrowed down the problem to do
with ntlmssp. If I only have a basic authenticator - which looks like the
following, it works perfectly:

auth_param basic program /usr/optec/ntlm_auth.sh basic
auth_param basic children 10
auth_param basic realm server.opteqint.net Cache NTLM Authentication
auth_param basic credentialsttl 2 hours

(ntlm_auth.sh runs the ntlm_auth squid-2.5-basic helper) 

I see the following debug messages:

[2005/11/09 13:20:43, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
  NT_STATUS_OK: Success (0x0)


However, when I use ntlmssp in the squid config, shown below, it does not
work:

auth_param ntlm program /usr/optec/ntlm_auth.sh ntlmssp 
auth_param ntlm children 10 
auth_param ntlm use_ntlm_negotiate yes 

I see the following debug messages:
[2005/11/09 13:22:37, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[ianb] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24
[2005/11/09 13:22:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [MASTERMIND]\[ianb]@[LUCY] failed due to [Wrong Password]


If I type ian instead of ianb, I see an error saying the user does not
exist. This must mean that somehow the wrong password is being passed in the
wrong way - even though it is typed right. 

This only happens with the security option on the AD server set to ONLY
allow NTLMv2/LMv2 and not anything else. If we turn that off it works
perfectly...

As I understand it the password doesn't come to squid in plaintext when its
using ntlmssp, and I believe that there is some kind of handling problem
with that now? If I type in the password on the command line with the
ntlm_auth program, it is able to validate it just fine using NTLMv2 -
enforcing my belief that something is wrong here...

Any suggestions AT ALL would be appreciated...

Thanks
Ian

I have an update on the problem Ian posted about (I am working with him to
solve it)...

The problem is isolated to the use of the
utils/ntlm_auth.c:winbind_pw_check, and libsmb/ntlmssp.c:ntlmssp_server_auth
functions as far as I can tell. When using basic auth, or using the command
line tools available NTLMv2 authentication works fine. 

These are some more indepth error messages seen when trying with a valid
user (an invalid user does infact reply invalid user), and a random valid
password (note: changing to use -basic instead of -ntlmssp results in this
all working perfectly - and I have tried 4 different browsers):

[2005/11/09 21:16:38, 10] utils/ntlm_auth.c:manage_squid_request(1609)
  Got 'YR' from squid (length: 2).
[2005/11/09 21:16:38, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(587)
  got NTLMSSP packet:
[2005/11/09 21:16:38, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(597)
  NTLMSSP challenge
[2005/11/09 21:16:38, 10] utils/ntlm_auth.c:manage_squid_request(1609)
  Got 'KK
TlRMTVNTUAADAAAAGAAYAFoAAAAYABgAcgAAAAoACgBIAAAABAAEAFIAAAAEAAQAVgAAAAAAAACK
AAAABgIAAgUBKAoAAAAPTUFTVEVSTUlORElBTkJMVUNZYu0jXv1m1KFd5vnkrpFlwOJD5420tN0z
XyXbhlZLKwpoe2FSZ5eadsZLxQ1IVOBC' from squid (length: 187).
[2005/11/09 21:16:38, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(587)
  got NTLMSSP packet:
[2005/11/09 21:16:38, 10] lib/util.c:dump_data(2053)
  [000] 4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00  NTLMSSP. ........
  [010] 5A 00 00 00 18 00 18 00  72 00 00 00 0A 00 0A 00  Z....... r.......
  [020] 48 00 00 00 04 00 04 00  52 00 00 00 04 00 04 00  H....... R.......
  [030] 56 00 00 00 00 00 00 00  8A 00 00 00 06 02 00 02  V....... ........
  [040] 05 01 28 0A 00 00 00 0F  4D 41 53 54 45 52 4D 49  ..(..... MASTERMI
  [050] 4E 44 49 41 4E 42 4C 55  43 59 62 ED 23 5E FD 66  NDIANBLU CYb.#^.f
  [060] D4 A1 5D E6 F9 E4 AE 91  65 C0 E2 43 E7 8D B4 B4  ..]..... e..C....
  [070] DD 33 5F 25 DB 86 56 4B  2B 0A 68 7B 61 52 67 97  .3_%..VK +.h{aRg.
  [080] 9A 76 C6 4B C5 0D 48 54  E0 42                    .v.K..HT .B
[2005/11/09 21:16:38, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[IANB] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24
[2005/11/09 21:16:38, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [MASTERMIND]\[IANB]@[LUCY] failed due to [Wrong Password]
[2005/11/09 21:16:38, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(605)
  NTLMSSP NT_STATUS_WRONG_PASSWORD


As you can see, it is receiving the domain, workstation and user perfectly.
If I manually run it it seems to work fine as well:

[root@server] ~ # ntlm_auth -d10 --helper-protocol=squid-2.5-ntlmssp
[2005/11/09 21:20:28, 5] lib/debug.c:debug_dump_status(368)
YR
[2005/11/09 21:20:32, 10] utils/ntlm_auth.c:manage_squid_request(1609)
  Got 'YR' from squid (length: 2).
[2005/11/09 21:20:32, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(587)
  got NTLMSSP packet:
TT TlRMTVNTUAACAAAAAAAAADAAAAASAgAAPOox0vgWvkoAAAAAAAAAAAAAAAAwAAAA
[2005/11/09 21:20:32, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(597)
  NTLMSSP challenge



What could be the problem ? I'm willing to anything - even arrange remote
access. Whatever is required...

Thank you
Dave

On Thu, 2005-11-10 at 15:58 +0200, Dave Raven wrote:
> Okay thanks for your help - we have managed to get it working now, by
having
> to force NTLMv2 on each client manually. We'll try find a way of doing
that
> automatically, but it seems a standard XP install wont send NTLMv2 ...
Correct.  

No clients that I know of do NTLMv2 by default.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20051111/a9acfa92/attachment.bin