Matthew Macdonald-Wallace
2008-Jun-11 13:26 UTC
[Samba] Squid/ntlm_auth issues with two user accounts (all other accounts on the domain work).
Hi all,

I have just installed and configured a squid setup authenticating against Active Directory using kerberos tickets and have achieved the holy-grail of IT - Single Sign On!

The problem is that I have two users for whom it does not work. The ntlm_auth logs show that for users that are properly authenticated against squid we get the following (Usernames/Domains/Hosts have been changed for security reasons):

=======================
ntlm-auth[4409](ntlm_auth.c:284): managing request
ntlm-auth[4409](ntlm_auth.c:290): ntlm authenticator. Got 'YR TlRMTVNTUAABAAAAB7IIog0ADQAtAAAABQAFACgAAAAFASgKAAAAD1BBVFRZQ0FSSUJCRUFOLUFCUw==' from Squid
ntlm-auth[4409](ntlm_auth.c:239): obtain_challenge: selecting DOMAIN\DC (attempt #1)
ntlm-auth[4409](ntlm_auth.c:251): attempting challenge retrieval
ntlm-auth[4409](libntlmssp.c:119): Connecting to server DC domain DOMAIN
ntlm-auth[4409](ntlm_auth.c:253): make_challenge retuned 0x80537e0
ntlm-auth[4409](ntlm_auth.c:255): Got it
ntlm-auth[4409](ntlm_auth.c:437): sending 'TT TlRMTVNTUAACAAAADQANACgAAACCgkEAJqCr40UuPYsAAAAAAAAAAENBUklCQkVBTi1BQlM=' to squid
ntlm-auth[4409](ntlm_auth.c:284): managing request
ntlm-auth[4409](ntlm_auth.c:290): ntlm authenticator. Got 'KK TlRMTVNTUAADAAAAGAAYAGYAAAAYABgAfgAAAA0ADQBIAAAADAAMAFUAAAAFAAUAYQAAAAAAAACWAAAABoIAAgUBKAoAAAAPQ0FSSUJCRUFOLUFCU0pFU1NJQ0EuS0VOVFBBVFRZM6rQG5d/Xb6Ob0rSB3mxhprnkyEaHQD02o4eEyCq9dbXApcDGuzlgfkY8LD5EHzd' from Squid
ntlm-auth[4409](libntlmssp.c:268): Empty LM pass detection: user: 'FIRSTNAME.SURNAME',ours:'JB4<B4><95>}d|<FC>Q<C0>m<D0>^L<BA><AA><A5>^Z<B9><99>;<D1><DB><D8>^Mu <F6>:l^B^Q?<CB>xN<86><D6>rU?N<A1><F0>d<FB>mServer returned a non-zero SMB Error Class and Code.', his:'3<AA><D0>ESC<97>^?]<BE><8E>oJ<D2>^Gy<B1><86><9A><E7> <93>!^Z^]'(length: 24)
ntlm-auth[4409](libntlmssp.c:280): Empty NT pass detection: user: 'FIRSTNAME.SURNAME',ours:'^Mu<F6>:l^B^Q?<CB>xN<86><D6>rU?N<A1><F0>d<FB>mServer returned a non-zero SMB Error Class and Code.', his: '?^^^S <AA><F5><D6><D7>^B<97>^C^Z<EC><E5><81><F9>^X<F0><B0><F9>^P|<DD>'(length: 24)
ntlm-auth[4409](libntlmssp.c:294): checking domain: 'DOMAIN', user: 'FIRSTNAME.SURNAME',pass='3<AA><D0>ESC<97>^?]<BE><8E>oJ<D2>^Gy<B1><86><9A><E7><93>!^Z ^]'
ntlm-auth[4409](libntlmssp.c:297): Login attempt had result 0
ntlm-auth[4409](libntlmssp.c:305): credentials: DOMAIN\FIRSTNAME.SURNAME
ntlm-auth[4409](ntlm_auth.c:418): sending 'AF domain\firstname.surname' to squid
====================

The setup works for all users on our Domain apart from two. When they try and log in, the result is as follows (again, usernames have been changed):

===================
ntlm-auth[19104](ntlm_auth.c:284): managing request
ntlm-auth[19104](ntlm_auth.c:290): ntlm authenticator. Got 'YR TlRMTVNTUAABAAAAB7IIog0ADQAvAAAABwAHACgAAAAFASgKAAAAD1BVUi0wMDFDQVJJQkJFQU4tQUJT' from Squid
ntlm-auth[19104](ntlm_auth.c:239): obtain_challenge: selecting DOMAIN\DC (attempt #1)
ntlm-auth[19104](ntlm_auth.c:251): attempting challenge retrieval
ntlm-auth[19104](libntlmssp.c:119): Connecting to server DC domain DOMAIN
ntlm-auth[19104](ntlm_auth.c:253): make_challenge retuned 0x80537e0
ntlm-auth[19104](ntlm_auth.c:255): Got it
ntlm-auth[19104](ntlm_auth.c:437): sending 'TT TlRMTVNTUAACAAAADQANACgAAACCgkEAk+cd4WiYtHsAAAAAAAAAAENBUklCQkVBTi1BQlM=' to squid
ntlm-auth[19104](ntlm_auth.c:284): managing request
ntlm-auth[19104](ntlm_auth.c:290): ntlm authenticator. Got 'KK TlRMTVNTUAADAAAAGAAYAGsAAAAYABgAgwAAAA0ADQBIAAAADwAPAFUAAAAHAAcAZAAAAAAAAACbAAAABoIAAgUBKAoAAAAPQ0FSSUJCRUFOLUFCU0JFQVRSSUNFLkJVVExFUlBVUi0wMDEA2pj8Lh8Z0ADamPwuHxnQANqY/C4fGdBmeJnHb+DBs4t00vR1y/hqokvuxtK8U8A=' from Squid
ntlm-auth[19104](libntlmssp.c:268): Empty LM pass detection: user: 'FIRSTNAME2.LASTNAME2', ours:'cx?r??Su?Q???/??1', his: ''(length: 24)
ntlm-auth[19104](libntlmssp.c:280): Empty NT pass detection: user: 'FIRSTNAME2.LASTNAME2', ours:'', his: 'fx?????t?u?j?K??S?(length: 24)
ntlm-auth[19104](libntlmssp.c:294): checking domain: 'DOMAIN', user: 'FIRSTNAME2.LASTNAME2', pass=''
ntlm-auth[19104](libntlmssp.c:297): Login attempt had result -1
ntlm-auth[19104](ntlm_auth.c:350): No creds. SMBlib error 1, SMB error class 1, SMB error code 5, NB error 0
ntlm-auth[19104](ntlm_auth.c:371): DOS error
ntlm-auth[19104](ntlm_auth.c:376): sending 'NA Access denied' to squid
=========================

The only difference I can see between the two users is that in the first (successful) one, there is data in the "pass" field and in the second account there is not.

/etc/squid.conf is as follows:

auth_param ntlm program /usr/lib/squid/ntlm_auth -d domain/dc
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 100
auth_param basic realm CARIBBEAN-ABS
auth_param basic credentialsttl 2 hours

Client PCs are running Windows XP Pro and IE7. All PCs are configured in the same way. The two accounts that do not work fail regardless of the PC used. Other accounts are successful on the PCs "owned" by the users whose accounts do not work.

Can anyone shed any further light on this for me? I've been pulling my hair out over it for the last 48 hours!

Cheers,

Matt

--
Matt Wallace
http://www.truthisfreedom.org.uk
matthew@truthisfreedom.org.uk
Matthew Macdonald-Wallace
2008-Jun-12 12:57 UTC
[Samba] Squid/ntlm_auth issues with two user accounts (all other accounts on the domain work).
On Wed, 11 Jun 2008 13:50:45 +0100 Matthew Macdonald-Wallace <lists@truthisfreedom.org.uk> wrote:

> The only difference I can see between the two users is that in the
> first (successful) one, there is data in the "pass" field and in the
> second account there is not.

Hi all,

Mark sent me a quick note on the above (thanks Mark!) and I now get the following error on the accounts that don't work:

=========================
ntlm-auth[8705](ntlm_auth.c:284): managing request
ntlm-auth[8705](ntlm_auth.c:290): ntlm authenticator. Got 'YR TlRMTVNTUAABAAAAB7IIog0ADQAvAAAABwAHACgAAAAFASgKAAAAD09GRklDRTJDQVJJQkJFQU4tQUJT' from Squid
ntlm-auth[8705](ntlm_auth.c:239): obtain_challenge: selecting DOMAIN\DC (attempt #1)
ntlm-auth[8705](ntlm_auth.c:251): attempting challenge retrieval
ntlm-auth[8705](libntlmssp.c:119): Connecting to server DC domain DOMAIN
ntlm-auth[8705](ntlm_auth.c:253): make_challenge retuned 0x80537e0
ntlm-auth[8705](ntlm_auth.c:255): Got it
ntlm-auth[8705](ntlm_auth.c:437): sending 'TT TlRMTVNTUAACAAAADQANACgAAACCgkEAfnufN5M1ntEAAAAAAAAAAENBUklCQkVBTi1BQlM=' to squid
ntlm-auth[8705](ntlm_auth.c:284): managing request
ntlm-auth[8705](ntlm_auth.c:290): ntlm authenticator. Got 'KK TlRMTVNTUAADAAAAGAAYAGsAAAAYABgAgwAAAA0ADQBIAAAADwAPAFUAAAAHAAcAZAAAAAAAAACbAAAABoIAAgUBKAoAAAAPQ0FSSUJCRUFOLUFCU0JFQVRSSUNFLkJVVExFUk9GRklDRTK7ivPZ+YV5gruK89n5hXmCu4rz2fmFeYLZDO98sQRKF2fOAo6s7/TlqolY69sHTTc=' from Squid
ntlm-auth[8705](libntlmssp.c:268): Empty LM pass detection: user: 'FIRSTNAME.LASTNAME', ours:'e?,T?i<?%?FG2$G]?I?B?????hq??Vq;=gu?Server returned a non-zero SMB Error Class and Code.', his: '??????????????????Jg?????X?M7'(length: 24)
ntlm-auth[8705](libntlmssp.c:280): Empty NT pass detection: user: 'FIRSTNAME.LASTNAME', ours:'B?????hq??Vq;=gu?Server returned a non-zero SMB Error Class and Code.', his: '???Jg?????X?M7'(length: 24)
ntlm-auth[8705](libntlmssp.c:294): checking domain: 'DOMAIN', user: 'FIRSTNAME.LASTNAME', pass='???????????????'
ntlm-auth[8705](libntlmssp.c:297): Login attempt had result -1
ntlm-auth[8705](ntlm_auth.c:350): No creds. SMBlib error 1, SMB error class 1, SMB error code 5, NB error 0
ntlm-auth[8705](ntlm_auth.c:371): DOS error
ntlm-auth[8705](ntlm_auth.c:376): sending 'NA Access denied' to squid
======================

If people can tell me which squid/samba conf files they need to see, let me know and I'll post them to the list as well.

Kind regards,

Matt

--
Matthew Macdonald-Wallace
matthew@truthisfreedom.org.uk
http://www.truthisfreedom.org.uk/
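
Added example (not part of the original posts, and not the helper's own code): Python that parses the NTLMSSP Type 3 message carried in a 'KK' helper line and reports the domain, user, workstation and the lengths of the LM and NT responses, so that what the client sent can be checked independently of how the helper prints the "pass" field. The sample token is constructed in the code from made-up values (EXAMPLE, ALICE.DOE, PC-01); the function names and the use of cp437 as the OEM code page are assumptions.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # flag bit: strings are UTF-16LE, else OEM

def _buf(msg, off):
    """Follow a security buffer (len, maxlen, offset) stored at header offset `off`."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError("security buffer points past end of message")
    return msg[start:start + length]

def parse_type3(helper_line):
    """Parse a 'KK <base64>' helper line into the Type 3 message fields."""
    verb, _, token = helper_line.strip().partition(" ")
    if verb != "KK":
        raise ValueError("expected a KK line")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 64 or msg[:8] != SIG:
        raise ValueError("not an NTLMSSP message")
    mtype, = struct.unpack_from("<I", msg, 8)
    if mtype != 3:
        raise ValueError("not a Type 3 message")
    flags, = struct.unpack_from("<I", msg, 60)
    # Assumption: cp437 stands in for the client's OEM code page.
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    def text(off):
        return _buf(msg, off).decode(enc, errors="replace")
    return {
        "domain": text(28), "user": text(36), "workstation": text(44),
        "lm_response_len": len(_buf(msg, 12)),
        "nt_response_len": len(_buf(msg, 20)),
        "flags": hex(flags),
    }

def build_sample(domain=b"EXAMPLE", user=b"ALICE.DOE", ws=b"PC-01",
                 lm=b"\x11" * 24, nt=b"\x22" * 24, flags=0x02008206):
    """Build a constructed KK line (made-up names and filler responses)."""
    fields, payload, off = b"", b"", 64
    for data in (lm, nt, domain, user, ws, b""):  # last entry: empty session key
        fields += struct.pack("<HHI", len(data), len(data), off)
        payload += data
        off += len(data)
    msg = SIG + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload
    return "KK " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    print(parse_type3(build_sample()))
```

The domain, user and workstation names travel unencrypted inside the token, so helper debug logs need the tokens themselves redacted before they are shared.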