samba - Oct 2011 - security of ntlmauth / winbindd_privileged dir

I have a working setup with samba & squid on one machine. However it 
seems that ntlm_auth is not doing what I expected.

As an unprivilegd user I am able to test succesfull password:


ute at alix:~$ ntlm_auth -V
Version 3.5.6


ute at alix:~$ ntlm_auth  --username=hans --password=keins
NT_STATUS_OK: Success (0x0)

Surely I know this password.



Now the same with diagnostics on:

ute at alix:~$ ntlm_auth --diagnostics --username=hans --password=keins

winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/run/samba/winbindd_privileged are set correctly. 
(0xc0000022)
[2011/10/01 14:56:15.107135,  1] 
utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test LM failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/run/samba/winbindd_privileged are set correctly. 
(0xc0000022)
[2011/10/01 14:56:15.108233,  1] 
utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test LM and NTLM failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/run/samba/winbindd_privileged are set correctly. 
(0xc0000022)
[2011/10/01 14:56:15.108713,  1] 
utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test NTLM failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/run/samba/winbindd_privileged are set correctly. 
(0xc0000022)
[2011/10/01 14:56:15.108951,  1] 
utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test NTLM in LM failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/run/samba/winbindd_privileged are set correctly. 
(0xc0000022)
[2011/10/01 14:56:15.109218,  1] 
utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test NTLM in both failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/run/samba/winbindd_privileged are set correctly. 
(0xc0000022)
[2011/10/01 14:56:15.109478,  1] 
utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test NTLMv2 failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/run/samba/winbindd_privileged are set correctly. 
(0xc0000022)
[2011/10/01 14:56:15.109611,  1] 
utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test NTLMv2 and LMv2 failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/run/samba/winbindd_privileged are set correctly. 
(0xc0000022)
[2011/10/01 14:56:15.109742,  1] 
utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test LMv2 failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/run/samba/winbindd_privileged are set correctly. 
(0xc0000022)
[2011/10/01 14:56:15.109871,  1] 
utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test NTLMv2 and LMv2, LMv2 broken failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/run/samba/winbindd_privileged are set correctly. 
(0xc0000022)
winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/run/samba/winbindd_privileged are set correctly. 
(0xc0000022)
[2011/10/01 14:56:15.110300,  1] 
utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test NTLM and LM, LM broken failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/run/samba/winbindd_privileged are set correctly. 
(0xc0000022)
winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/run/samba/winbindd_privileged are set correctly. 
(0xc0000022)
[2011/10/01 14:56:15.110751,  1] 
utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test Plaintext failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/run/samba/winbindd_privileged are set correctly. 
(0xc0000022)
[2011/10/01 14:56:15.110874,  1] 
utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test Plaintext LM broken failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/run/samba/winbindd_privileged are set correctly. 
(0xc0000022)
winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/run/samba/winbindd_privileged are set correctly. 
(0xc0000022)
[2011/10/01 14:56:15.111192,  1] 
utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test Plaintext NT only failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/run/samba/winbindd_privileged are set correctly. 
(0xc0000022)
[2011/10/01 14:56:15.111303,  1] 
utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test Plaintext LM only failed!

This time the password test failed. 

Here is the relevant config:

# ls -la /var/run/samba/winbindd_privileged/
insgesamt 8
drwxr-x--- 2 root winbindd_priv 4096  1. Okt 14:33 .
drwxr-xr-x 3 root root          4096  1. Okt 14:33 ..
srwxrwxrwx 1 root root             0  1. Okt 14:33 pipe

# getent group winbindd_priv
winbindd_priv:x:121:proxy

# id ute
uid=10003(ute) gid=1002(students) 
Gruppen=1002(students),1006(online),1016(neu2)

# md5sum 
/var/cache/apt/archives/winbind_2%3a3.5.6~dfsg-3squeeze5_amd64.deb 
0d0d2535622eaf154889587fdc81e0b2  
/var/cache/apt/archives/winbind_2%3a3.5.6~dfsg-3squeeze5_amd64.deb

# testparm --section-name=global -s
[global]
        unix charset = UTF8
        workgroup = SCHULE
        server string = Schulserver %h
        interfaces = lo, 10.100.0.1/16
        obey pam restrictions = Yes
        passdb backend = ldapsam
        pam password change = Yes
        passwd program = /usr/sbin/smbldap-passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n 
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*
        log level = 0 auth:3 sam:3 winbind:3
        log file = /var/log/samba/log.%m
        smb ports = 139
        announce version = 6.5
        name resolve order = wins host bcast
        time server = Yes
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" 
"%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x 
"%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" 
"%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        logon script = %a.bat
        logon path = \\%L\profile\%G\%U\%a
        logon drive = U:
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=admin,dc=delixs-schule,dc=de
        ldap delete dn = Yes
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=idmap
        ldap machine suffix = ou=machines,ou=accounts
        ldap passwd sync = yes
        ldap suffix = dc=delixs-schule,dc=de
        ldap ssl = no
        ldap user suffix = ou=people,ou=accounts
        idmap backend = ldap
        idmap alloc backend = ldap
        idmap uid = 1000000-1999999
        idmap gid = 1000000-1999999
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        idmap alloc config : ldap_user_dn = cn=admin,dc=delixs-
schule,dc=de
        idmap alloc config : ldap_base_dn = ou=Idmap,dc=delixs-
schule,dc=de
        idmap alloc config : ldap_url = ldap://127.0.0.1/
        veto files = /*.eml/*.nws/riched20.dll/autorun.inf/


# egrep -v '^$|^#' /etc/samba/winbind.conf
include = /etc/samba/smb.conf
[global]
security		= domain
domain logons		= no




Gruss
	Harry Jede