Here is the problem: I'm setting up a new squid proxy server with authentication via Samba and NTLM because the old one died suddenly. The new one is up and running and I have it working; mostly. The kicker is the 2 employees testing Vista (myself and my supervisor) could not authenticate against the server. I say could because through a variety of testing and some lucky reading I found the cause of the problem to be that by default Windows Vista uses NTLMv2 only, and when I change the setting to LM & NTLM using NTLMv2 for negotiation it all works. The old proxy server allowed us to authenticate using NTLMv2, and that is the goal of this question: what am I missing in my configuration?

Here's a dump of smb.conf taken via a testparm:

    [global]
    workgroup = EDMCOMPUTRONIX
    realm = COMPUTRONIX.COM
    server string = CX Canada's SQUID Web Proxy
    security = ADS
    password server = 206.75.5.19
    log file = /var/log/samba/%m.log
    max log size = 500
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    preferred master = No
    domain master = No
    dns proxy = No
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes

    [test]
    path = /testshare
    guest ok = Yes
If you'd like to force NTLMv2 authentication, these settings in your smb.conf could help:

    ntlm auth = Yes
    client NTLMv2 auth = Yes
    min protocol = LANMAN2
    max protocol = NT1

I also put these:

    client lanman auth = No
    client plaintext auth = No
    use spnego = Yes
    client use spnego = Yes

For the client part, if you want, there are these Microsoft articles for Windows 95/98/NT that work in XP too, so I think that also works for Windows Vista:

http://support.microsoft.com/?scid=kb%3Ben-us%3B239869&x=14&y=10
http://support.microsoft.com/?scid=kb%3Ben-us%3B147706&x=15&y=10

Even on XP clients I prefer to strictly force NTLMv2.

On 9/7/07, Darren Maskowitz <squitz@gmail.com> wrote:
> Here is the problem: I'm setting up a new squid proxy server with
> authentication via Samba and NTLM because the old one died suddenly.
> The new one is up and running and I have it working; mostly. The
> kicker is the 2 employees testing Vista (myself and my supervisor)
> could not authenticate against the server. I say could because through
> a variety of testing and some lucky reading I found the cause of the
> problem to be that by default Windows Vista uses NTLMv2 only, and when
> I change the setting to LM & NTLM using NTLMv2 for negotiation it all
> works. The old proxy server allowed us to authenticate using NTLMv2,
> and that is the goal of this question: what am I missing in my
> configuration? Here's a dump of smb.conf taken via a testparm:
>
> [global]
> workgroup = EDMCOMPUTRONIX
> realm = COMPUTRONIX.COM
> server string = CX Canada's SQUID Web Proxy
> security = ADS
> password server = 206.75.5.19
> log file = /var/log/samba/%m.log
> max log size = 500
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> preferred master = No
> domain master = No
> dns proxy = No
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> winbind separator = +
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
>
> [test]
> path = /testshare
> guest ok = Yes
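An added example, not part of the thread and not Samba project code: a small Python check that reads a testparm dump and reports, for each parameter suggested in the reply above, whether [global] sets it to the suggested value. The sample dump and the function names are constructed for illustration; a parameter reported as "not listed" is at the Samba default, because testparm prints only non-default values unless run with -v.

```python
import re
# Settings suggested in the reply above, with the values given there.
SUGGESTED = {
    "ntlm auth": "Yes", "client NTLMv2 auth": "Yes",
    "client lanman auth": "No", "client plaintext auth": "No",
    "use spnego": "Yes", "client use spnego": "Yes",
}
BOOLS = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}

def norm_name(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def norm_value(value):
    v = value.strip().lower()
    return BOOLS.get(v, v)  # booleans compare by meaning, anything else by text

def parse_global(text):
    """Return {normalized name: raw value} for the [global] section only."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm_name(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' separates
            params[norm_name(name)] = value.strip()
    return params

def audit(text):
    """Map each suggested parameter to 'ok', 'differs: <value>' or 'not listed'."""
    have, report = parse_global(text), {}
    for name, want in SUGGESTED.items():
        got = have.get(norm_name(name))
        if got is None:
            report[name] = "not listed"  # testparm without -v omits default values
        elif norm_value(got) == norm_value(want):
            report[name] = "ok"
        else:
            report[name] = "differs: " + got
    return report

# Constructed sample (not the poster's dump): mixed case, one value that
# differs from the reply, and an "ntlm auth" line outside [global].
SAMPLE = ("[global]\nsecurity = ADS\nClient NTLMv2 Auth = true\n"
          "client lanman auth = Yes\n[test]\nntlm auth = Yes\n")

if __name__ == "__main__":
    print("\n".join(f"{n:24} {s}" for n, s in audit(SAMPLE).items()))
```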
On Fri, 2007-09-07 at 15:51 -0600, Darren Maskowitz wrote:
> Here is the problem: I'm setting up a new squid proxy server with
> authentication via Samba and NTLM because the old one died suddenly.
> The new one is up and running and I have it working; mostly. The
> kicker is the 2 employees testing Vista (myself and my supervisor)
> could not authenticate against the server. I say could because through
> a variety of testing and some lucky reading I found the cause of the
> problem to be that by default Windows Vista uses NTLMv2 only, and when
> I change the setting to LM & NTLM using NTLMv2 for negotiation it all
> works. The old proxy server allowed us to authenticate using NTLMv2,
> and that is the goal of this question: what am I missing in my
> configuration? Here's a dump of smb.conf taken via a testparm:

Make sure the netbios name (implicitly set as the hostname, which becomes the machine join account) matches the name you access the server as.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
Gerald (Jerry) Carter
2007-Sep-11 11:15 UTC
Samba 3.2.0 (was Re: [Samba] NTLMv2, Samba, and Squid)
Pau Garcia i Quiles wrote:
> Quoting Andrew Bartlett <abartlet@samba.org>:
>
> [...]
>> For a long time windows clients have refused to send cleartext
>> passwords. Samba 3.2.0 will likewise refuse by default.
> [...]
>
> Is there a release date for 3.2.0?
>

3.2.0pre1 is due out early next week.

cheers, jerry