[Samba] Samba 4, ntlm_auth testing ...

Garming Sam garming at catalyst.net.nz
Tue Jun 10 20:36:56 MDT 2014


Hi there,

I'm helping out Andrew, seeing if I can replicate this issue.

Using the same command as Andrew did previously, with samba 4.1.8 I get 
the same results as him.

SELFTEST_TESTENV=s3member make testenv


Would it be possible to generate level 10 logs for ntlm_auth and 
winbindd? They should give a much better idea of what's actually 
going on. If you'd prefer, you can send the logs directly to me or 
Andrew instead of posting them to the list.



Cheers,

Garming Sam


On 11/06/14 02:11, Dirk Brenken wrote:
> Am 06/10/2014 11:19 AM, schrieb Andrew Bartlett:
>> On Mon, 2014-06-09 at 19:41 +0200, Dirk Brenken wrote:
>>> Am 06/09/2014 12:39 PM, schrieb Dirk Brenken:
>>>> Am 06/09/2014 07:20 AM, schrieb Dirk Brenken:
>>>>> Hi,
>>>>>
>>>>> currently I've setup Samba 4 (sernet 4.1.8 on debian jessie)
>>>>> successfully as an AD-Server ... domain logins from WIN-Clients etc. are
>>>>> working quite fine.
>>>>> Now I'm trying to test ntlm_auth on cli for later Squid-integration ...
>>>>>
>>>>> *wbinfo output:*
>>>>> wbinfo -a PRAXISAD\\Administrator%xxxxxx
>>>>> plaintext password authentication succeeded
>>>>> challenge/response password authentication succeeded
>>>>>
>>>>> *ntlm_auth with basic helper output:*
>>>>> root at praxis-server:/etc/squid3# ntlm_auth
>>>>> --helper-protocol=squid-2.5-basic --domain=PRAXISAD
>>>>> PRAXISAD\Administrator xxxxxx
>>>>> *OK*
>>>>>
>>>>> *ntlm_auth with ntlmssp helper output:*
>>>>> root at praxis-server:/etc/squid3# ntlm_auth
>>>>> --helper-protocol=squid-2.5-ntlmssp --domain=PRAXISAD
>>>>> PRAXISAD\Administrator xxxxxx
>>>>> *BH SPNEGO request invalid prefix*
>>>>>
>>>>> *ntlm_auth with gss-spnego helper output:*
>>>>> root at praxis-server:/etc/squid3# ntlm_auth --helper-protocol=gss-spnego
>>>>> --domain=PRAXISAD
>>>>> PRAXISAD\Administrator xxxxxx
>>>>> *BH SPNEGO request invalid prefix*
>>>>>
>>>>>
>>>>> Any ideas what's going wrong here?
>>>>>
>>>>> Thanks & best regards
>>>>> Dirk
>>>> I did further testing directly in SQUID and gss-spnego helper works as
>>>> expected - thanks!
>>>>
>>>> br
>>>> Dirk
>>>>
>>> The "--require-membership-of" parameter of ntlm_auth seems to have no effect.
>>> It's not failing, even if the user is *not* a member of the group!
>>>
>>> Example:
>>>
>>> SID of Test-User "dirk":
>>> root at praxis-server:/etc/squid3# wbinfo -n dirk
>>> S-1-5-21-3041413330-2355144718-3205532893-1104 SID_USER (1)
>>>
>>> SID of Test-Group "Test":
>>> wbinfo -n PRAXISAD\\Test
>>> S-1-5-21-3041413330-2355144718-3205532893-1105 SID_DOM_GROUP (2)
>>>
>>> Test-User is only in Group "Domain Users":
>>> root at praxis-server:/etc/squid3# wbinfo --user-domgroups
>>> S-1-5-21-3041413330-2355144718-3205532893-1104
>>> S-1-5-21-3041413330-2355144718-3205532893-513
>>>
>>> Result for check against (non-member) Test-Group:
>>> root at praxis-server:/etc/squid3# ntlm_auth
>>> --require-membership-of=S-1-5-21-3041413330-2355144718-3205532893-1105
>>> --helper-protocol=squid-2.5-basic
>>> dirk xxxxxx
>>> OK
>>>
>>> Is this a known bug of ntlm_auth (sernet samba 4.1.8)!?
>> I can't reproduce this in our 'make testenv' in git master.
>>
>> ~/samba/config.abartlet && make -j && SELFTEST_TESTENV=s3member make
>> testenv
>>
>> [abartlet at jesse samba]$ bin/wbinfo -n administrator
>> S-1-5-21-2617796569-3988300915-1045095420-500 SID_USER (1)
>> [abartlet at jesse samba]$ bin/ntlm_auth
>> --require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-500
>> --helper-protocol=squid-2.5-basic
>> SAMBADOMAIN/Administrator locDCpass1
>> OK
>> [abartlet at jesse samba]$ bin/ntlm_auth
>> --require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-5
>> --helper-protocol=squid-2.5-basic
>> SAMBADOMAIN/Administrator locDCpass1
>> ERR
>> [abartlet at jesse samba]$ bin/ntlm_auth
>> --require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-512
>> --helper-protocol=squid-2.5-basic
>> SAMBADOMAIN/Administrator locDCpass1
>> OK
>> [abartlet at jesse samba]$ bin/ntlm_auth
>> --require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-513
>> --helper-protocol=squid-2.5-basic
>> SAMBADOMAIN/Administrator locDCpass1
>> OK
>> [abartlet at jesse samba]$ bin/ntlm_auth
>> --require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-5130
>> --helper-protocol=squid-2.5-basic
>> SAMBADOMAIN/Administrator locDCpass1
>> ERR
>>
>> Are you sure your user really, really isn't a member of that group,
>> perhaps as an alias?
>>
>> Thanks,
>>
>> Andrew Bartlett
>>
> Hi Andrew,
>
> thanks for looking into this ... it's still reproducible in my environment:
>
> Set up a new/empty group in Windows AD (with Windows Remote Admin Tools):
> wbinfo -n Empty
> S-1-5-21-3041413330-2355144718-3205532893-1107 SID_DOM_GROUP (2)
>
> Test-User:
> root at praxis-server:/var/log/samba# wbinfo -n dirk
> S-1-5-21-3041413330-2355144718-3205532893-1104 SID_USER (1)
>
> Group listing for Test-User:
> root at praxis-server:/var/log/samba# wbinfo --user-domgroups
> S-1-5-21-3041413330-2355144718-3205532893-1104
> S-1-5-21-3041413330-2355144718-3205532893-513
>
> Test-User is only a member of "Domain Users":
> root at praxis-server:/var/log/samba# wbinfo -n "Domain Users"
> S-1-5-21-3041413330-2355144718-3205532893-513 SID_DOM_GROUP (2)
>
> Finally, let ntlm_auth check against the empty group "Empty" ;-):
> root at praxis-server:/var/log/samba# ntlm_auth
> --require-membership-of=S-1-5-21-3041413330-2355144718-3205532893-1107
> --helper-protocol=squid-2.5-basic
> PRAXISAD\dirk xxxxxx
> Got 'PRAXISAD\dirk xxxxxx' from squid (length: 22).
> NT_STATUS_OK: Success (0x0)
> OK
>
>
> As you can see, user "dirk" still got an "OK" for an empty group. Maybe
> you have an idea for further testing or additional checks ...
>
> Thanks & best regards
> Dirk
>
> P.S. SAMBA and SQUID are running on the same server test environment.
> P.P.S. Some version information ...
>
> root at praxis-server:/etc/samba# uname -a
> Linux praxis-server 3.14-1-amd64 #1 SMP Debian 3.14.4-1 (2014-05-13)
> x86_64 GNU/Linux
>
> root at praxis-server:/etc/samba# ntlm_auth --version
> Version 4.1.8-SerNet-Debian-8.wheezy
>
> root at praxis-server:/etc/samba# squid3 -version
> Squid Cache: Version 3.3.8
> configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
> '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.'
> '--disable-maintainer-mode' '--disable-dependency-tracking'
> '--disable-silent-rules' '--datadir=/usr/share/squid3'
> '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline'
> '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock'
> '--enable-removal-policies=lru,heap' '--enable-delay-pools'
> '--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
> '--enable-follow-x-forwarded-for'
> '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
> '--enable-auth-digest=file,LDAP'
> '--enable-auth-negotiate=kerberos,wrapper'
> '--enable-auth-ntlm=fake,smb_lm'
> '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
> '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
> '--enable-icmp' '--enable-zph-qos' '--enable-ecap'
> '--disable-translation' '--with-swapdir=/var/spool/squid3'
> '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid'
> '--with-filedescriptors=65536' '--with-large-files'
> '--with-default-user=proxy' '--enable-linux-netfilter'
> 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector
> --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall'
> 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now'
> 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector
> --param=ssp-buffer-size=4 -Wformat -Werror=format-security'
>
>
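The membership gate discussed in this thread can be cross-checked mechanically: derive the verdict ntlm_auth *should* give from winbind's own group data, then compare it with what the squid-2.5-basic helper actually answers. This is an added example, not Samba's or Squid's code; it assumes wbinfo and ntlm_auth are on PATH for the live check, and the parsing logic runs offline on constructed sample output that copies the SIDs quoted above.

```python
"""Cross-check ntlm_auth --require-membership-of against winbind group data.

Added example, not Samba code. The live helper_verdict() call assumes an
ntlm_auth binary on PATH; everything else runs on constructed sample output.
"""
import re
import subprocess

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def parse_domgroups(output):
    """Parse `wbinfo --user-domgroups <SID>` output into a set of SIDs."""
    return {ln.strip() for ln in output.splitlines() if SID_RE.match(ln.strip())}

def parse_lookup_name(output):
    """Parse `wbinfo -n <name>` output ("<SID> <TYPE> (n)") into (sid, type)."""
    sid, kind = output.split()[:2]
    if not SID_RE.match(sid):
        raise ValueError("unexpected wbinfo -n output: %r" % output)
    return sid, kind

def expected_verdict(user_group_sids, required_sid):
    """Once the password is right, the basic helper should answer OK only
    when the required group SID is among the user's groups, else ERR."""
    return "OK" if required_sid in user_group_sids else "ERR"

def helper_verdict(domain, user, password, required_sid, cmd="ntlm_auth"):
    """Drive ntlm_auth in squid-2.5-basic mode; return its first reply token.
    The basic protocol is one 'user password' line in, one OK/ERR/BH line out."""
    proc = subprocess.run(
        [cmd, "--helper-protocol=squid-2.5-basic", "--domain=" + domain,
         "--require-membership-of=" + required_sid],
        input="%s %s\n" % (user, password), capture_output=True, text=True,
        timeout=30)
    tokens = proc.stdout.split()
    return tokens[0] if tokens else "BH"

def audit(user_group_sids, required_sid, observed):
    """Flag a gate that lets a non-member through (observed OK, expected ERR)."""
    exp = expected_verdict(user_group_sids, required_sid)
    return {"expected": exp, "observed": observed, "gate_enforced": exp == observed}

# Constructed sample output, reusing the SIDs quoted in the thread.
SAMPLE_USER_LOOKUP = "S-1-5-21-3041413330-2355144718-3205532893-1104 SID_USER (1)"
SAMPLE_DOMGROUPS = ("S-1-5-21-3041413330-2355144718-3205532893-1104\n"
                    "S-1-5-21-3041413330-2355144718-3205532893-513\n")
DOMAIN_USERS_SID = "S-1-5-21-3041413330-2355144718-3205532893-513"
EMPTY_GROUP_SID = "S-1-5-21-3041413330-2355144718-3205532893-1107"
```

Replace the constructed strings with real `wbinfo` output and feed `helper_verdict()`'s reply into `audit()`; a `gate_enforced: False` result is exactly the symptom reported above.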


