Adam Clark
2005-Dec-02 03:16 UTC
[Samba] Internet explorer not authenticating properly
Hi all,

We are having an ongoing problem with our NTLM authentication on our squid system. The problem tends to arise when users change their passwords.

I have read a KB article that says that DCs will still continue to authenticate the old password for an hour or so after the password is changed. But I think it is between IE and winbindd that the problem lies.

Below is a trace at debug level 5 from winbindd. The first is a correct authentication attempt from boh\mobeid. The second is the user who had changed his password 2.5 hours before this trace. NTLM authentication has failed and he is prompted for basic; he types in his name and it attempts to authenticate as Proxy\james.clavering, for which no such user exists.

If I manually use ntlm_auth to authenticate with the new password I get a result code 0, so I know that the DCs are working correctly.

[22734]: pam auth crap domain: BOH user: MOBEID
Using cleartext machine password
cred_create
cred_create
cred_assert
[22734]: pam auth crap domain: PROXY user: JAMES.CLAVERING
Using cleartext machine password
cred_create
cred_create
cred_assert
NTLM CRAP authentication for user [PROXY]\[JAMES.CLAVERING] returned NT_STATUS_NO_SUCH_USER (PAM: 10)
[22734]: pam auth crap domain: BOH user: MVELLA
Using cleartext machine password
cred_create
cred_create
cred_assert

Has anybody else experienced these problems with NTLM auth?

Our installation is Red Hat ES Linux 3, with samba-3.0.9-1.3E.5

Adam
Andrew Bartlett
2005-Dec-02 08:45 UTC
[Samba] Internet explorer not authenticating properly
On Fri, 2005-12-02 at 14:16 +1100, Adam Clark wrote:
> Hi all,
> We are having an ongoing problem with our NTLM authentication on our
> squid system.
> The problem tends to arise when users change their passwords.
>
> I have read a KB article that says that DCs will still continue to
> authenticate the old password for an hour or so after the password is
> changed.

This seems to happen on win2k3 SP1 DCs, from my testing. (But not earlier versions).

> But I think it is between IE and winbindd that the problem lies.
>
> Below is a trace at debug level 5 from winbindd. The first is a correct
> authentication attempt from boh\mobeid. The second is the user who had
> changed his password 2.5 hours before this trace. NTLM authentication has
> failed and he is prompted for basic; he types in his name and it attempts
> to authenticate as Proxy\james.clavering, for which no such user exists.
>
> If I manually use ntlm_auth to authenticate with the new password I get
> a result code 0, so I know that the DCs are working correctly.
>
> [22734]: pam auth crap domain: BOH user: MOBEID
> Using cleartext machine password
> cred_create
> cred_create
> cred_assert
> [22734]: pam auth crap domain: PROXY user: JAMES.CLAVERING
> Using cleartext machine password
> cred_create
> cred_create
> cred_assert
> NTLM CRAP authentication for user [PROXY]\[JAMES.CLAVERING] returned
> NT_STATUS_NO_SUCH_USER (PAM: 10)
> [22734]: pam auth crap domain: BOH user: MVELLA
> Using cleartext machine password
> cred_create
> cred_create
> cred_assert
>
> Has anybody else experienced these problems with NTLM auth?
>
> Our installation is Red Hat ES Linux 3, with samba-3.0.9-1.3E.5

The problem with the [PROXY] domain is that the user is entering no domain. They should enter domain\\username for the basic authentication. You could set 'winbind use default domain = yes' to get the behaviour your users are after.

It is frustrating that IE isn't picking up the new password after the change. It would be interesting to see how firefox reacts (as a comparison/contrast).

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
Is it possible to test the challenge/response strings that Internet Explorer uses, to validate where the problem lies, using the following options?

  --challenge=STRING      challenge (HEX encoded)
  --lm-response=STRING    LM Response to the challenge (HEX encoded)
  --nt-response=STRING    NT or NTLMv2 Response to the challenge (HEX encoded)

This raises another question: are the challenge/response strings the same over a period of time, or are the challenges unique each time?

Below is some output from a successful NTLM response:

GET http://www.google.com/ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-au
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAMAAwBIAAAABgAGAEsAAAAKAAoAUQAAAAAA
AACLAAAABgIAAgUBKAoAAAAPQk9IQUNMQVJLV1MwMDAwNDA2Mcqy1BlECOrX/0aK5lXSDRv3
Vyl/Cz0QPqBFYp3vsixnzBGbbNsq13AjQeJgdduJAA==
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.google.com
Proxy-Connection: Keep-Alive

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org]
Sent: Friday, 2 December 2005 7:45 PM
To: Adam Clark
Cc: samba@lists.samba.org
Subject: Re: [Samba] Internet explorer not authenticating properly