On Fri, 26 Jan 2024 22:22:49 -0500 Mark Foley via samba <samba at lists.samba.org> wrote:

> On Wed Jan 24 05:03:25 2024 Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> > On Tue, 23 Jan 2024 17:07:35 -0500
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > On Mon Jan 22 11:00:59 2024 Mark Foley via samba
> > > <samba at lists.samba.org> wrote:
> > >
> > > > I have scripts that run ntlm_auth. Before upgrading my DC to
> > > > 4.18.9 I would get text string output from the ntlm_auth
> > > > command. For example:
> > > >
> > > > STATUS_NO_SUCH_USER
> > > > NT_STATUS_WRONG_PASSWORD
> > > > STATUS_OK
> > > >
> > > > Now with the new Samba, the first two strings are output as
> > > > usual in the case of non-existent user and invalid password,
> > > > respectively, but if the user/pw is OK it now returns the
> > > > string: ": (0x0)", which, I suppose, is the exit status of the
> > > > ntlm_auth command meaning OK.
> > >
> > > I have never been in favor of developers changing the behavior of
> > > programs when "new features" come out, especially programs that
> > > might be used in scripts that rely on responses. I think it's
> > > naughty when developers do that.
> > >
> > > > <snip>
> > >
> > > --Mark
> >
> > Sooner or later, ntlm_auth will be removed, so if you can find
> > another way for your script to do what it is doing now, then you
> > may be wise to do so.
> > In the meantime, it might be a good idea to log a bug report.
> >
> > Rowland
>
> The application ntlm_auth is used for is an intranet web application
> which is a pension system implemented in HTML, JSP and SQL Server.
> User/employees must log in to use this webapp. Rather than maintain
> separate app-only credentials, the users can authenticate with their
> domain credentials. This is where ntlm_auth comes in.
>
> I would be very sorry to see ntlm_auth go away. A quick web search
> shows I'm not the only one using it. This reinforces my comment about
> developers removing longstanding functionality without a compatible
> path forward. That places a burden on downstream developers who have
> come to rely on functionality.

Perhaps when I said ntlm_auth is likely to go away, I should have
qualified it, so let's do that now:

If you set 'ntlm auth = yes', you are actually setting 'ntlm auth =
ntlmv1-permitted', which is just about as insecure as you can get.
The default (since 4.7.0) is 'ntlm auth = ntlmv2-only', which when it
comes to ntlm auth is as secure as you can get.

However, you can set 'ntlm auth = mschapv2-and-ntlmv2-only'; this is
required for the ntlm_auth tool.

There is some talk of Microsoft moving away from NTLM to Kerberos and
if this occurs, Samba will surely have to follow.

Have you considered using Kerberos for authentication ?

Rowland
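The following is an added example, not code from this thread or from the Samba project. It puts the three 'ntlm auth' values Rowland names side by side as constructed smb.conf [global] fragments (the weak 'yes', which is the ntlmv1-permitted alias; the ntlmv2-only default; and mschapv2-and-ntlmv2-only, which the thread says ntlm_auth needs), provides a small function that reports the effective value of a configuration text, and wraps ntlm_auth so that a calling script decides on the tool's exit status rather than on the string it prints, since it is the printed string that changed between releases. It assumes, as Mark infers above, that ntlm_auth exits 0 on a successful authentication; the 'no' alias for ntlmv2-only is taken from smb.conf(5). The workgroup name and user names are made up.

```sh
#!/bin/sh
# Added example, not from the thread. Constructed smb.conf [global]
# fragments for the 'ntlm auth' values discussed above.

# Weak: 'yes' is an alias for ntlmv1-permitted and allows NTLMv1.
WEAK_CONF='[global]
    workgroup = EXAMPLE
    ntlm auth = yes
'
# Default: no 'ntlm auth' line, so Samba (since 4.7.0) uses ntlmv2-only.
DEFAULT_CONF='[global]
    workgroup = EXAMPLE
'
# What the thread says the ntlm_auth tool requires.
NTLM_AUTH_TOOL_CONF='[global]
    workgroup = EXAMPLE
    ntlm auth = mschapv2-and-ntlmv2-only
'

# ntlm_auth_setting CONF_TEXT
# Prints the effective 'ntlm auth' value for an smb.conf text. The last
# occurrence wins, as in smb.conf; aliases are expanded to their real names.
ntlm_auth_setting() {
    value=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*ntlm[[:space:]]*auth[[:space:]]*=[[:space:]]*//p' |
        tail -n 1 | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    case "$value" in
        '')          echo ntlmv2-only ;;       # compiled-in default since 4.7.0
        yes|true|1)  echo ntlmv1-permitted ;;  # alias, per Rowland's note
        no|false|0)  echo ntlmv2-only ;;       # alias, per smb.conf(5)
        *)           echo "$value" ;;
    esac
}

# ntlm_auth_risk CONF_TEXT
# Prints "weak" when NTLMv1 is permitted, "ok" otherwise.
ntlm_auth_risk() {
    case "$(ntlm_auth_setting "$1")" in
        ntlmv1-permitted) echo weak ;;
        *)                echo ok ;;
    esac
}

# check_domain_login NTLM_AUTH_CMD USER PASSWORD
# Runs the given ntlm_auth binary in --username/--password mode and decides
# on its exit status only. The text it prints changed from "STATUS_OK" to
# ": (0x0)" across releases; the exit status is the stable interface.
# The command is a parameter so a stub can be substituted when testing.
check_domain_login() {
    tool=$1; user=$2; pass=$3
    if "$tool" --username="$user" --password="$pass" >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    echo fail
    return 1
}

# Stand-alone run: classify the three constructed configurations.
for name in WEAK_CONF DEFAULT_CONF NTLM_AUTH_TOOL_CONF; do
    eval "conf=\$$name"
    printf '%-20s ntlm auth = %-26s %s\n' "$name" \
        "$(ntlm_auth_setting "$conf")" "$(ntlm_auth_risk "$conf")"
done
```

On a real Samba host the effective value is read with `testparm -s --parameter-name='ntlm auth'` rather than by parsing the file by hand; the parser above exists only so the example runs offline. Passing the password as an argument makes it visible to other local users in the process list for the lifetime of the ntlm_auth call, so a wrapper like check_domain_login belongs on a host where the web application's service account is the only interactive principal.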
On 27-01-2024 11:56, Rowland Penny via samba wrote:
> On Fri, 26 Jan 2024 22:22:49 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
>> On Wed Jan 24 05:03:25 2024 Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>>> On Tue, 23 Jan 2024 17:07:35 -0500
>>> Mark Foley via samba <samba at lists.samba.org> wrote:
>>>
>>>> On Mon Jan 22 11:00:59 2024 Mark Foley via samba
>>>> <samba at lists.samba.org> wrote:
>>>>> I have scripts that run ntlm_auth. Before upgrading my DC to
>>>>> 4.18.9 I would get text string output from the ntlm_auth
>>>>> command. For example:
>>>>>
>>>>> STATUS_NO_SUCH_USER
>>>>> NT_STATUS_WRONG_PASSWORD
>>>>> STATUS_OK
>>>>>
>>>>> Now with the new Samba, the first two strings are output as
>>>>> usual in the case of non-existent user and invalid password,
>>>>> respectively, but if the user/pw is OK it now returns the
>>>>> string: ": (0x0)", which, I suppose, is the exit status of the
>>>>> ntlm_auth command meaning OK.
>>>>>
>>>> I have never been in favor of developers changing the behavior of
>>>> programs when "new features" come out, especially programs that
>>>> might be used in scripts that rely on responses. I think it's
>>>> naughty when developers do that.
>>>>
>>>>> <snip>
>>>> --Mark
>>>>
>>> Sooner or later, ntlm_auth will be removed, so if you can find
>>> another way for your script to do what it is doing now, then you
>>> may be wise to do so.
>>> In the meantime, it might be a good idea to log a bug report.
>>>
>>> Rowland
>> The application ntlm_auth is used for is an intranet web application
>> which is a pension system implemented in HTML, JSP and SQL Server.
>> User/employees must log in to use this webapp. Rather than maintain
>> separate app-only credentials, the users can authenticate with their
>> domain credentials. This is where ntlm_auth comes in.
>>
>> I would be very sorry to see ntlm_auth go away. A quick web search
>> shows I'm not the only one using it. This reinforces my comment about
>> developers removing longstanding functionality without a compatible
>> path forward. That places a burden on downstream developers who have
>> come to rely on functionality.
> Perhaps when I said ntlm_auth is likely to go away, I should have
> qualified it, so let's do that now:
>
> If you set 'ntlm auth = yes', you are actually setting 'ntlm auth =
> ntlmv1-permitted', which is just about as insecure as you can get.
> The default (since 4.7.0) is 'ntlm auth = ntlmv2-only', which when it
> comes to ntlm auth is as secure as you can get.
>
> However, you can set 'ntlm auth = mschapv2-and-ntlmv2-only'; this is
> required for the ntlm_auth tool.
>
> There is some talk of Microsoft moving away from NTLM to Kerberos and
> if this occurs, Samba will surely have to follow.

A link to an interesting talk from Microsoft engineers about this was
posted on the samba-technical list some time ago:
https://www.youtube.com/watch?v=SEtARCtGP0Y

This is worth a watch.

> Have you considered using Kerberos for authentication ?
>
> Rowland
>
On Sat Jan 27 05:57:28 2024 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Fri, 26 Jan 2024 22:22:49 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > On Wed Jan 24 05:03:25 2024 Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> >
> > > On Tue, 23 Jan 2024 17:07:35 -0500
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > > > On Mon Jan 22 11:00:59 2024 Mark Foley via samba
> > > > <samba at lists.samba.org> wrote:
> > > >
> > > > > I have scripts that run ntlm_auth. Before upgrading my DC to
> > > > > 4.18.9 I would get text string output from the ntlm_auth
> > > > > command. For example:
> > > > >
> > > > > STATUS_NO_SUCH_USER
> > > > > NT_STATUS_WRONG_PASSWORD
> > > > > STATUS_OK
> > > > >
> > > > > Now with the new Samba, the first two strings are output as
> > > > > usual in the case of non-existent user and invalid password,
> > > > > respectively, but if the user/pw is OK it now returns the
> > > > > string: ": (0x0)", which, I suppose, is the exit status of the
> > > > > ntlm_auth command meaning OK.
> > > >
> > > > I have never been in favor of developers changing the behavior of
> > > > programs when "new features" come out, especially programs that
> > > > might be used in scripts that rely on responses. I think it's
> > > > naughty when developers do that.
> > > >
> > > > > <snip>
> > > >
> > > > --Mark
> > >
> > > Sooner or later, ntlm_auth will be removed, so if you can find
> > > another way for your script to do what it is doing now, then you
> > > may be wise to do so.
> > > In the meantime, it might be a good idea to log a bug report.
> > >
> > > Rowland
> >
> > The application ntlm_auth is used for is an intranet web application
> > which is a pension system implemented in HTML, JSP and SQL Server.
> > User/employees must log in to use this webapp. Rather than maintain
> > separate app-only credentials, the users can authenticate with their
> > domain credentials. This is where ntlm_auth comes in.
> >
> > I would be very sorry to see ntlm_auth go away. A quick web search
> > shows I'm not the only one using it. This reinforces my comment about
> > developers removing longstanding functionality without a compatible
> > path forward. That places a burden on downstream developers who have
> > come to rely on functionality.
>
> Perhaps when I said ntlm_auth is likely to go away, I should have
> qualified it, so let's do that now:
>
> If you set 'ntlm auth = yes', you are actually setting 'ntlm auth =
> ntlmv1-permitted', which is just about as insecure as you can get.
> The default (since 4.7.0) is 'ntlm auth = ntlmv2-only', which when it
> comes to ntlm auth is as secure as you can get.
>
> However, you can set 'ntlm auth = mschapv2-and-ntlmv2-only'; this is
> required for the ntlm_auth tool.
>
> There is some talk of Microsoft moving away from NTLM to Kerberos and
> if this occurs, Samba will surely have to follow.
>
> Have you considered using Kerberos for authentication ?
>
> Rowland

Thanks, this is encouraging. Having an alternative for the future is
good. I will experiment with Kerberos. I don't really care whether I
can use Kerberos or ntlm_auth as long as I have some mechanism for
authenticating domain credentials.

As to the various 'ntlm auth = <settings>' you mentioned, I'm not sure
where that is done. I've never done that consciously. If you aren't
totally fed up with this thread, please let me know where those
settings are done and I'll explore that further.

Thanks --Mark