On Tue, 23 Jan 2024 17:07:35 -0500 Mark Foley via samba <samba at lists.samba.org> wrote:

> On Mon Jan 22 11:00:59 2024 Mark Foley via samba
> <samba at lists.samba.org> wrote:
> >
> > I have scripts that run ntlm_auth. Before upgrading my DC to
> > 4.18.9 I would get text string output from the ntlm_auth command.
> > For example:
> >
> > STATUS_NO_SUCH_USER
> > NT_STATUS_WRONG_PASSWORD
> > STATUS_OK
> >
> > My script(s) look for these strings.
> >
> > Now with the new Samba, the first two strings are output as usual
> > in the case of non-existent user and invalid password,
> > respectively, but if the user/pw is OK it now returns the string:
> > ": (0x0)", which, I suppose, is the exit status of the ntlm_auth
> > command meaning OK.
> >
> > Is there an option to change this back to the string "STATUS_OK"?
> > If not, I'll change my programs, but I'd rather not do that.
>
> After more investigation, I find that on another system running Samba
> 4.15.13 and ntlm_auth version 4.15.13 it continues to print
> "NT_STATUS_OK: The operation completed successfully. (0x0)" when
> 'ntlm_auth --username user --password pw' is run.
>
> So, Samba/ntlm_auth version 4.18.9 changes that to print ": (0x0)".
>
> I have never been in favor of developers changing the behavior of
> programs when "new features" come out, especially programs that might
> be used in scripts that rely on responses. I think it's naughty when
> developers do that. If behavior is different from a previous
> version, then the new version ought to have a different name or a
> switch enabling the new/changed feature.
>
> Since the 4.18.9 ntlm_auth output has an oddly placed colon (:) in
> the string, as if some text was supposed to come before that, I'll
> assume this was an inadvertent omission and not a deliberate change
> to the output response of this program, especially given that the
> other responses (full text):
>
> NT_STATUS_NO_SUCH_USER: The specified account does not exist.
> (0xc0000064)
> NT_STATUS_WRONG_PASSWORD: When trying to update a password, this
> return status indicates that the value provided as the current
> password is not correct. (0xc000006a)
>
> are unchanged. The Samba developers are certainly too seasoned to do
> that deliberately.
>
> Meanwhile, I'll change my programs to look for "(0x0)" as both
> versions have that, and maybe I'll just look for the 0x codes for all.
>
> --Mark

Sooner or later, ntlm_auth will be removed, so if you can find another way for your script to do what it is doing now, then you may be wise to do so.

In the meantime, it might be a good idea to log a bug report.

Rowland

On Wed Jan 24 05:03:25 2024 Rowland Penny via samba <samba at lists.samba.org> wrote:

>
> On Tue, 23 Jan 2024 17:07:35 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > On Mon Jan 22 11:00:59 2024 Mark Foley via samba
> > <samba at lists.samba.org> wrote:
> > >
> > > I have scripts that run ntlm_auth. Before upgrading my DC to
> > > 4.18.9 I would get text string output from the ntlm_auth command.
> > > For example:
> > >
> > > STATUS_NO_SUCH_USER
> > > NT_STATUS_WRONG_PASSWORD
> > > STATUS_OK
> > >
> > > Now with the new Samba, the first two strings are output as usual
> > > in the case of non-existent user and invalid password,
> > > respectively, but if the user/pw is OK it now returns the string:
> > > ": (0x0)", which, I suppose, is the exit status of the ntlm_auth
> > > command meaning OK.
> > >
> >
> > I have never been in favor of developers changing the behavior of
> > programs when "new features" come out, especially programs that might
> > be used in scripts that rely on responses. I think it's naughty when
> > developers do that.
> >
> <snip>
> >
> > --Mark
>
> Sooner or later, ntlm_auth will be removed, so if you can find another
> way for your script to do what it is doing now, then you may be wise to
> do so.
> In the meantime, it might be a good idea to log a bug report.
>
> Rowland

The application ntlm_auth is used for is an intranet web application which is a pension system implemented in HTML, JSP and SQL Server. User/employees must log in to use this webapp. Rather than maintain separate app-only credentials, the users can authenticate with their domain credentials. This is where ntlm_auth comes in.

I would be very sorry to see ntlm_auth go away. A quick web search shows I'm not the only one using it. This reinforces my comment about developers removing longstanding functionality without a compatible path forward. That places a burden on downstream developers who have come to rely on functionality.

Windows has long permitted authentication of its apps with domain credentials, whether Access, SQL Server, Outlook, etc. It would be a shame for Linus to take a step backward in this regard.

Do you know of anything besides ntlm_auth that will authenticate a domain user on the command line? I'll search for JSP jarfiles that might do that, but my brief search on that has not been promising thus far.

--Mark

On Wed, 2024-01-24 at 10:02 +0000, Rowland Penny via samba wrote:

> Sooner or later, ntlm_auth will be removed, so if you can find another
> way for your script to do what it is doing now, then you may be wise
> to do so.
> In the meantime, it might be a good idea to log a bug report.
>
> Rowland

I do need to clarify, the ntlm_auth binary, which is a scriptable interface to winbindd for password checking, of raw passwords and for NTLMSSP and Kerberos authentication protocols, as well as a client for the same, is not going away any time soon.

Frankly neither is NTLM in any sense, given Microsoft is only just starting to implement a better alternative.

The "ntlm auth" option and the ntlm_auth binary are not really connected.

Andrew Bartlett

--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
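
The approach raised earlier in the thread, matching on the hex NT status code instead of the status name, as an added example that is not part of any message in the thread and is not Samba code. The function names are hypothetical and the sample strings are the outputs quoted in the thread; the match is anchored to the end of the line, only 0x0 counts as success, and anything unparseable is treated as a failure.

```sh
#!/bin/sh
# Added example (not from the thread): classify ntlm_auth output by the
# trailing NT status code, so the 4.15.13 and 4.18.9 wordings both parse.

# Print the code from the last line ending in "(0x<hex>)", lowercased.
# Prints nothing when no such line exists. Reads stdin.
nt_status_code() {
    sed -n 's/^.*(\(0[xX][0-9A-Fa-f]\{1,8\}\))[[:space:]]*$/\1/p' |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Map one captured output string to a result word. Only 0x0 is success;
# the two failure codes are the ones quoted in the thread. Fail closed.
classify_ntlm_auth() {
    code=$(printf '%s\n' "$1" | nt_status_code)
    case "$code" in
        0x0)        echo ok ;;
        0xc0000064) echo no_such_user ;;
        0xc000006a) echo wrong_password ;;
        '')         echo unparsed ;;
        *)          echo "denied:$code" ;;
    esac
}

# Exit status 0 only when the NT status is exactly 0x0.
auth_ok() {
    [ "$(classify_ntlm_auth "$1")" = ok ]
}

# Output strings as quoted in the thread (status text joined to one line).
OLD_OK='NT_STATUS_OK: The operation completed successfully. (0x0)'
NEW_OK=': (0x0)'
NO_USER='NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064)'
BAD_PW='NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)'

for sample in "$OLD_OK" "$NEW_OK" "$NO_USER" "$BAD_PW" 'no status here'; do
    printf '%-16s <- %.40s\n' "$(classify_ntlm_auth "$sample")" "$sample"
done
```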