[Samba] Urgent Samba / Squid NTLM Auth Problems

Andrew Bartlett abartlet at samba.org
Thu Nov 10 11:28:27 GMT 2005


On Thu, 2005-11-10 at 08:44 +0200, Dave Raven wrote:
> Hi again all,
> 	I have a few questions regarding NTLMv2. Do you have to be in a
> domain for NTLMv2 authentication to work (specifically through a program
> like squid)? I found an article that says: 
> 
> "These computers will use Kerberos when they are communicating with Active
> Directory and the members of Active Directory. When these computers are in a
> workgroup, they will use NTLMv2." 
> 
> Also, when I am not in the same domain (or when I am) I see the following
> from ntlm_auth:
> Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
> (length: 59).
> 
> As far as I understand it that is NTLMv2 - or not? I also see 
>   Got NTLMSSP neg_flags=0xa2088207
>     NTLMSSP_NEGOTIATE_UNICODE
>     NTLMSSP_NEGOTIATE_OEM
>     NTLMSSP_REQUEST_TARGET
>     NTLMSSP_NEGOTIATE_NTLM
>     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>     NTLMSSP_NEGOTIATE_NTLM2
>     NTLMSSP_NEGOTIATE_128
> 
> Which specifies NTLM2. Does that mean my negotiation is working properly?

No.  NTLM2 (modified challenge, which is what the flag is for) and
NTLMv2 are different.  

> The main problem is that I am getting a NT_STATUS_WRONG_PASSWORD always, and
> am trying to decipher why... It still happens when I'm in the domain. 
> 
> The way this all started happening was after turning 'Network security: LAN
> Manager authentication level' to be 'Send NTLMv2 response only/refuse LM &
> NTLM'.

Is this configured on your clients?  Does it show up in the effective
policy value?

Also, are you still getting len2=24 in current debug traces?  This
indicates that NTLMv2 is not in use.

> [2005/11/09 22:21:04, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
>   Got user=[ianb] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
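
The distinction drawn in the reply above can be checked from the two values quoted in the thread. This is an added example, not part of the original message and not Samba code: it decodes the `YR` blob to show the negotiate flag, then classifies the NT response by the `len2` value in the trace. The function names are hypothetical, and the two flag names not printed in the post (`NTLMSSP_NEGOTIATE_VERSION`, `NTLMSSP_NEGOTIATE_56`) are taken from MS-NLMP.

```python
import base64
import struct

# Names as printed by ntlm_auth in the post; VERSION and 56 are from MS-NLMP.
FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# The helper line quoted in the post.
YR_LINE = "YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="


def parse_negotiate(helper_line):
    """Return (flags, flag_names, unknown_bits) for a 'YR <base64>' line."""
    verb, _, blob = helper_line.strip().partition(" ")
    if verb != "YR":
        raise ValueError("not a YR helper line")
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < 16 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature")
    msg_type, flags = struct.unpack_from("<II", raw, 8)  # little-endian
    if msg_type != 1:
        raise ValueError("not a Type 1 (negotiate) message")
    names = [name for bit, name in FLAGS.items() if flags & bit]
    unknown = flags & ~sum(FLAGS)
    return flags, names, unknown


def nt_response_is_ntlmv2(len2):
    """A 24-byte NT response is NTLM or NTLM2 session; NTLMv2 is longer."""
    return len2 > 24


if __name__ == "__main__":
    flags, names, unknown = parse_negotiate(YR_LINE)
    print(f"neg_flags=0x{flags:08x} unknown=0x{unknown:08x}")
    for name in names:
        print("   ", name)
    # len2=24 is the value from the ntlmssp_server_auth trace in the post.
    print("NTLM2 flag offered:", "NTLMSSP_NEGOTIATE_NTLM2" in names)
    print("NTLMv2 response in use:", nt_response_is_ntlmv2(24))
```
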