Michael.Kaiser@InfraServ.Gendorf.de
2007-Aug-07 13:45 UTC
[Samba] NTLM-Auth fails against Win2000SP5
Hello List,

I have a problem with NTLM auth (squid with ntlm_auth) against Win2000SP5. After updating Win2000SP4 to Win2000SP5, no authentication via NTLM is possible:

Linux Version: SuSE Linux 8.1 (i386) 2.4.19-4GB
Samba Version: samba-3.0.14a
Squid Version: squid-2.5.STABLE14

If I try to authenticate via the console there is no problem (see 4, 5, 6 below). I have attached some tests and the corresponding output:

Domain where I want to authenticate: "DOMAIN6"

--------------------------------cut--------------------------------------
1) gilbi:~ # wbinfo -t
checking the trust secret via RPC calls succeeded

2) gilbi:~ # wbinfo --sequence
GILBI : 1
BUILTIN : 1
DOMAIN1 : 45
DOMAIN2: DISCONNECTED
DOMAIN3: 743
DOMAIN4: 1
DOMAIN5: DISCONNECTED
DOMAIN6 : DISCONNECTED

3) gilbi:~ # wbinfo -m
GILBI
BUILTIN
DOMAIN1
DOMAIN2
DOMAIN3
DOMAIN4
DOMAIN5
# COMMENT: ---- no DOMAIN6 ----- no trust?????

4) gilbi:~ # wbinfo -a DOMAIN6\\user%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

5) gilbi:~ # /usr/local/samba/bin/ntlm_auth --username=user --domain=DOMAIN6 --password=password
NT_STATUS_OK: Success (0x0)

6) gilbi:~ # /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
DOMAIN6\user password
OK
--------------------------------cut--------------------------------------

How can I test the "/usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp" option via the command line?

What exactly does "wbinfo --sequence" list?

I couldn't see anything in the Win2000 logs.

Here is my smb.conf:

--------------------------------cut_-------------------------------------
[global]
    workgroup = DOMAIN6
    server string = Proxyauthmodule
    hosts allow = 10. 127.
    log file = /var/log/messages
    security = domain
    password server = DOMAINCONTROLER-DNS
    encrypt passwords = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    remote browse sync = 10.255.255.255
    dns proxy = no
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind use default domain = yes
--------------------------------cut_-------------------------------------

PS: The update (to Win2000SP5) also includes the current LDAP patch (KB926122 - http://www.microsoft.com/germany/technet/sicherheit/bulletins/ms07-039.mspx). Could this cause a problem with winbindd? No, or?

Kind regards,

Michael Kaiser
Business Unit IT-Services
Network Solutions
InfraServ GmbH & Co. Gendorf KG
Industriepark Werk GENDORF