On Thu, 2012-07-19 at 15:11 +0000, Baird, Josh wrote:
> Hi,
>
> I'm struggling to get squid+ntlm_auth working correctly. I have
> successfully joined the domain, and I am able to successfully enumerate groups
> and users using wbinfo. I can also successfully run "wbinfo -a."
>
> However, once I configure Squid to use ntlm_auth per:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debug-level=10 --nt-response
> auth_param ntlm children 5
> auth_param ntlm keep_alive on
>
> .. Squid does not authenticate and prompts me for credentials. My domain
> credentials do not work, and this is displayed in Samba/WB's log:
>
> [2012/07/19 09:58:14, 0] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
> winbindd_pam_auth_crap: invalid password length 24/336
>
> Does anyone have any ideas on what is causing this? I apologize that this
> message is Squid-related, but I can't seem to find any answers elsewhere.

This looks like a Samba issue to me. Try a much more recent version of
Samba. I see code in current master for a BIG_NTLMV2_BLOB that smells
exactly like what you have here. Long domain names are padding out one
of the response values (the 336) and going over an internal arbitrary
limit that shouldn't have been there.
The fix is in:

commit 9264f4891484b0316e8e574e256ca0b0a5e9f007
Author: Günther Deschner <gd at samba.org>
Date: Tue Sep 1 11:58:05 2009 +0200

    wbclient: Fix Bug #6680: always activate handling of large (> 256 byte) ntlmv2
    blobs in wbcAuthenticateUserEx().

    Guenther

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
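
Added example, not part of the original message and not Samba or Squid code: a small triage script that finds the "invalid password length" rejections in a winbindd log and shows how much of each NT response is variable-length data. The function names are hypothetical; it assumes the two logged numbers are the LM and NT response lengths in that order, and applies the 256-byte figure from the commit message to the whole NT response.

```python
import re

# Figure quoted in the commit message above ("> 256 byte"); applying it to the
# whole NT response length is an assumption of this example.
LARGE_THRESHOLD = 256
NTLMV1_RESPONSE_LEN = 24   # fixed size of an NTLMv1 NT response
NTLMV2_HMAC_LEN = 16       # NTLMv2 response = 16-byte HMAC + variable blob

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),")
# Assumption: the two numbers are the LM and NT response lengths, in that order.
REJECT_RE = re.compile(r"winbindd_pam_auth_crap: invalid password length (\d+)/(\d+)")


def classify_response(lm_len, nt_len):
    """Describe an NT response by its length alone."""
    if nt_len <= NTLMV1_RESPONSE_LEN:
        kind, variable_part = "NTLMv1-sized", 0
    else:
        kind, variable_part = "NTLMv2-sized", nt_len - NTLMV2_HMAC_LEN
    return {"lm_len": lm_len, "nt_len": nt_len, "kind": kind,
            "variable_part": variable_part, "large": nt_len > LARGE_THRESHOLD}


def scan_winbindd_log(text):
    """Return one record per rejected auth attempt, tagged with its timestamp."""
    records, timestamp = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            timestamp = header.group(1)
        rejected = REJECT_RE.search(line)
        if rejected:
            record = classify_response(int(rejected.group(1)), int(rejected.group(2)))
            record["timestamp"] = timestamp
            records.append(record)
    return records


# Constructed sample: the first entry is the one from the message, the second is invented.
SAMPLE_LOG = """\
[2012/07/19 09:58:14, 0] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
  winbindd_pam_auth_crap: invalid password length 24/336
[2012/07/19 10:05:03, 0] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
  winbindd_pam_auth_crap: invalid password length 24/412
"""

if __name__ == "__main__":
    for rec in scan_winbindd_log(SAMPLE_LOG):
        print(rec)
```

For the entry in the message, 320 of the 336 bytes are variable-length blob, which is the part that grows with the domain names the server advertises.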