RE: [squid-users] Urgent Samba / Squid NTLM Auth Problems

From: Serassio Guido <[email protected]>
Date: Tue, 08 Nov 2005 15:14:37 +0100

Hi Ian,

At 14.34 08/11/2005, Ian Barnes wrote:

>Hi Guido,
>
>Thanks for the help, I feel kinda daft for not looking in the file first.
>
>Anyway, this hasn't resolved the problem. We upgraded our squid (to
>2.5Stable12), and samba to 3.0.20b. Once we upgraded squid, the ntlm_auth
>program was different so we used the samba ntlm_auth instead.

You must use the ntlm_auth program provided with your running Samba.

>What does the "auth_param use_ntlm_negotiate on|off" actually do?

Look here, there is a detailed description of how NTLM over HTTP works:
http://davenport.sourceforge.net/ntlm.html

Using the previous page as reference, use_ntlm_negotiate does the following:

When enabled, the Type 1 message is passed to the helper for the
challenge (Type 2 message) generation; when disabled, the helper uses
a self-created Type 1 message for challenge generation.

What does this mean?
NTLMv2 needs to be negotiated between client and server, so it cannot
be used when use_ntlm_negotiate is off.

> Is it
>reliant on a certain helper? Because that didn't make any difference to the
>outcome. We were told to put this option into our smb.conf to enable
>NTLMv2: " client ntlmv2 auth = yes", would this have any effect on what's
>happening?

In the Samba configuration manual, about "client ntlmv2 auth" you can read:
"This parameter determines whether or not smbclient(8) will attempt
to authenticate itself to servers using the NTLMv2 encrypted password
response."
So, it should not be related to ntlm_auth, but only the Samba guys know
this exactly.

>Adding that option makes all the difference with our setup - with
>it wbinfo -a works perfectly, without it we see the same error squid is
>getting.
>
>Here is a copy of the error message again:
>
>[2005/11/08 15:16:36, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
> Got user=[IANB] domain=[MASTERMIND] workstation=[IANB] len1=24 len2=24
>[2005/11/08 15:16:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
> Login for user [MASTERMIND]\[IANB]@[IANB] failed due to [Wrong Password]
>
>If we however turn off the option in AD (i.e. let it allow all authentication
>types), this doesn't happen, but I am assuming that is because it isn't
>using NTLMv2 then and only NTLM?

Really I don't know if Samba works correctly in an NTLMv2-only
environment, but I'm sure that NTLMv2 works fine in the Squid Windows
port using "use_ntlm_negotiate on", your domain settings and a
native Windows NTLM authentication helper.

So, I think that your problems should be related to Samba.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
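As an added example (not from Guido's message, nor Squid or Samba code), the following Python decodes the Type 1 message a client sends in the Proxy-Authorization header and lists the negotiate flags it proposes, which is exactly the information the helper only receives when use_ntlm_negotiate is on; the header value, the flag set and the function names are constructed for this illustration.

```python
import base64
import struct

# NTLMSSP negotiate flags that can appear in a Type 1 message (names as in MS-NLMP).
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",  # "NTLM2" in older documents
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

def build_type1(flags):
    """Constructed sample: a minimal Type 1 message (empty domain and
    workstation buffers), as a browser would send it to the proxy."""
    # 8-byte signature, message type, flags, then two security buffers
    # (length, max length, offset); both are empty and point past the header.
    return (b"NTLMSSP\x00" + struct.pack("<II", 1, flags)
            + struct.pack("<HHI", 0, 0, 32) + struct.pack("<HHI", 0, 0, 32))

def header_for(flags):
    """Constructed Proxy-Authorization value carrying the Type 1 message."""
    return "NTLM " + base64.b64encode(build_type1(flags)).decode()

def parse_type1(header_value):
    """Parse an 'NTLM <base64>' header value and return the flags the client
    proposes. Raises ValueError on anything that is not a well-formed Type 1."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM Proxy-Authorization value")
    raw = base64.b64decode(token, validate=True)
    if len(raw) < 16 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature or message too short")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError(f"expected a Type 1 message, got type {msg_type}")
    names = sorted(n for bit, n in NEGOTIATE_FLAGS.items() if flags & bit)
    return {"flags": flags, "names": names,
            "extended_session_security": bool(flags & 0x00080000)}

# Constructed sample: the flag set a typical Windows client offers in its Type 1.
SAMPLE_FLAGS = 0x01 | 0x02 | 0x04 | 0x200 | 0x8000 | 0x80000 | 0x20000000 | 0x80000000
SAMPLE_HEADER = header_for(SAMPLE_FLAGS)

if __name__ == "__main__":
    info = parse_type1(SAMPLE_HEADER)
    print(f"flags=0x{info['flags']:08x}", *info["names"], sep="\n  ")
```

With use_ntlm_negotiate off, the helper never sees this flag set because Squid 2.5 builds its own Type 1, so anything the client proposed here (such as extended session security) is not carried into the challenge.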
Received on Tue Nov 08 2005 - 07:14:47 MST
