[Samba] Fwd: Samba 4 Domain Provisioning

Jacques Serfontein jacques.serfontein at gmail.com
Wed Nov 19 03:34:06 MST 2014


Hi Louis,

We are using Squid 2.7.STABLE9-4.1, and I have added the "proxy" user to
the "winbindd_priv" group, although that doesn't seem necessary in some
cases.

I am pretty sure it isn't a config issue or bug in Squid, since copying a
previously provisioned domain from another server works perfectly.

Running with debug level 10 and comparing the logs, the only difference I
could find was that the new domain authenticated the user
with msDS-KeyVersionNumber:1, while the old working domain
used msDS-KeyVersionNumber:2

I have this exact config working on a couple of different installations,
and have compared the package lists, but have been unable to isolate the
cause.

It only seems to be occurring on newly provisioned domains, on multiple new
Debian installations.

Regards,
Jacques


On Wed, Nov 19, 2014 at 11:21 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:

> Which version of squid are you running, default wheezy 3.1.x
> and you did add proxy user to the winbindd_priv group?
>
> I can suggest you recompile squid from jessie, it's a pretty easy one.
> There are known problems with ntlm auth; I'm at the point of testing that
> one myself, scheduled for next week.
> I do already run 3.4.8 on my wheezy servers. 3.3.8 had some serious bugs.
>
>
>   * Urgency high due to security fixes
>   [ Amos Jeffries <amosjeffries at squid-cache.org> ]
>   * New upstream release (Closes: #737008)
>     - Fixes CVE-2014-6270: off by one in snmp subsystem (Closes: #761002)
>     - Fixes CVE-2014-7141 and CVE-2014-7142 (Closes: #760999)
>       + pinger remote DoS vulnerabilities
>     - Fixes CVE-2014-0128: Denial of Service in SSL-Bump (Closes: #741312)
>
> see also :
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754339
>
>
> Greetz,
>
> Louis
>
>
>
> >-----Original message-----
> >From: jacques.serfontein at gmail.com
> >[mailto:samba-bounces at lists.samba.org] On behalf of Jacques Serfontein
> >Sent: Monday 17 November 2014 16:39
> >To: samba at lists.samba.org
> >Subject: [Samba] Samba 4 Domain Provisioning
> >
> >Hi,
> >
> >I have been having issues with NTLMv2 on newly provisioned domains, using
> >Samba 4.1 from backports on Debian Wheezy.
> >
> >Everything seems to be working fine, except for NTLMv2 authentication with
> >Squid and "ntlm_auth" on newer Windows versions.
> >
> >If I set "Lmcompatibility" down on the Windows PCs, then authentication
> >works, but that is a temporary workaround at best.
> >
> >I have tried installing and reinstalling on numerous VMs, trying to isolate
> >the cause, but to no avail, and I know the config is working, since copying
> >a previously provisioned domain (/etc/samba/smb.conf + /var/lib/samba) to
> >the new server works as expected.
> >
> >Increasing the log level yields the following:
> >
> >schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/SERVER
> >schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/SERVER
> >auth_check_password_send: Checking password for unmapped user [PC001]\[Administrator]@[PC001]
> >auth_check_password_send: mapped user is: [DOMAIN]\[Administrator]@[PC001]
> >ntlm_password_check: NTLMv2 password check failed
> >ntlm_password_check: Lanman passwords NOT PERMITTED for user Administrator
> >ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user Administrator
> >auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
> >
> >Any help would be greatly appreciated, since I have run out of ideas...
> >
> >Regards,
> >Jacques
> >--
> >
> >
>
>
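The debug output quoted in the original post is the only hard evidence in this thread, and the same lines are what an administrator would grep for when checking whether clients are falling back from NTLMv2 to the weaker LM/NTLMv1 responses. As an added example (not code from the thread, and not Samba's or Squid's own code), here is a small Python parser that groups the Samba auth log lines into per-attempt records and classifies each one. The regular expressions are written against the lines quoted above; the second, succeeding attempt for a user `jsmith` and the exact wording of the success line are constructed assumptions, not taken from the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log. The first attempt reproduces the lines quoted in the
# thread (unwrapped to one event per line); the second attempt is a constructed
# success case whose message format is assumed to mirror the failure line.
SAMPLE_LOG = r"""
schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/SERVER
schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/SERVER
auth_check_password_send: Checking password for unmapped user [PC001]\[Administrator]@[PC001]
auth_check_password_send: mapped user is: [DOMAIN]\[Administrator]@[PC001]
ntlm_password_check: NTLMv2 password check failed
ntlm_password_check: Lanman passwords NOT PERMITTED for user Administrator
ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user Administrator
auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
auth_check_password_send: Checking password for unmapped user [PC002]\[jsmith]@[PC002]
auth_check_password_send: mapped user is: [DOMAIN]\[jsmith]@[PC002]
auth_check_password_recv: sam authentication for user [DOMAIN\jsmith] succeeded
""".strip().splitlines()

# "mapped user is: [DOMAIN]\[user]@[WORKSTATION]" opens a new attempt.
MAPPED_RE = re.compile(
    r"^auth_check_password_send: mapped user is: "
    r"\[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<host>[^\]]*)\]"
)
# Each ntlm_password_check line records one mechanism Samba tried.
CHECK_RE = re.compile(r"^ntlm_password_check: (?P<detail>.*)$")
# The recv line closes the attempt with its outcome and NT status.
RESULT_RE = re.compile(
    r"^auth_check_password_recv: .*authentication for user \[(?P<principal>[^\]]*)\] "
    r"(?P<result>FAILED|succeeded)(?: with error (?P<status>NT_STATUS_\w+))?"
)


@dataclass
class AuthAttempt:
    domain: str
    user: str
    workstation: str
    checks: List[str] = field(default_factory=list)
    result: Optional[str] = None
    status: Optional[str] = None

    @property
    def ntlmv2_failed(self) -> bool:
        return any(c.startswith("NTLMv2 password check failed") for c in self.checks)

    @property
    def lm_family_tried(self) -> bool:
        # LM / LMv2 / NT-in-LM-field checks are the legacy fallbacks; seeing them
        # means the DC went beyond NTLMv2 for this attempt.
        return any("LM password" in c or "Lanman" in c for c in self.checks)


def parse_auth_log(lines: List[str]) -> List[AuthAttempt]:
    """Group Samba auth debug lines into one AuthAttempt per send/recv pair."""
    attempts: List[AuthAttempt] = []
    current: Optional[AuthAttempt] = None
    for raw in lines:
        line = raw.strip()
        m = MAPPED_RE.match(line)
        if m:
            current = AuthAttempt(m["domain"], m["user"], m["host"])
            attempts.append(current)
            continue
        if current is None:
            continue  # schannel and other unrelated lines before the first attempt
        m = CHECK_RE.match(line)
        if m:
            current.checks.append(m["detail"])
            continue
        m = RESULT_RE.match(line)
        if m:
            current.result = m["result"]
            current.status = m["status"]
            current = None  # attempt closed
    return attempts


def diagnose(attempt: AuthAttempt) -> str:
    """Classify an attempt; 'ntlmv2-rejected' is the symptom from the thread."""
    if attempt.result == "succeeded":
        return "success"
    if attempt.ntlmv2_failed and attempt.status == "NT_STATUS_WRONG_PASSWORD":
        return "ntlmv2-rejected"
    if attempt.lm_family_tried and not attempt.ntlmv2_failed:
        # Client never offered NTLMv2: a lowered LmCompatibilityLevel worth tracking.
        return "legacy-lm-only"
    return "other-failure"


def summarize(attempts: List[AuthAttempt]) -> Dict[str, int]:
    """Count attempts per diagnosis, e.g. for a periodic log review."""
    return dict(Counter(diagnose(a) for a in attempts))


if __name__ == "__main__":
    parsed = parse_auth_log(SAMPLE_LOG)
    for a in parsed:
        print(f"{a.domain}\\{a.user}@{a.workstation}: {diagnose(a)} ({a.status})")
    print(summarize(parsed))
```

Run against the thread's output this yields one `ntlmv2-rejected` attempt for `DOMAIN\Administrator`, which matches the poster's observation that the NTLMv2 check itself fails before Samba tries the LM-family fallbacks. Because only the recv line carries the final status, the parser treats everything between a "mapped user" line and the next recv line as one attempt, so interleaved attempts from a multi-process winbindd would need the pid prefix that higher Samba log formats add.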

