Samba 3.0.21 & NTLMSSP with NTLMv2
Jet Info
registers at inbox.ru
Tue Feb 7 09:09:44 GMT 2006
Hello, Andrew, Jeremy & Samba Team!
We downloaded the latest version of Samba, 3.0.21b, and reinstalled it.
But the situation has not changed.
We performed the following test:
We used Samba 3.0.21b to authenticate Windows 2003 domain users to Squid 2.5. Samba
was added to the domain with "security = ads" in smb.conf. We also set "client NTLMv2
auth = Yes" and "client lanman auth = No" because the domain setting was "use NTLMv2
only, refuse LM & NTLM". All tests worked properly: wbinfo -t, wbinfo -u, wbinfo -g, and
ntlm_auth --<username> returned NT_STATUS_OK. We can successfully connect to a Samba
share and successfully authenticate to Squid using Windows 2003 domain accounts.
If we turn on the flag "Minimum session security for NTLMSSP based (including secure RPC)
clients" on Windows XP or Windows 2003 and try to connect to the Internet via the Squid
proxy, we receive the message "The page cannot be displayed..." in the web browser.
Dump of this process (Ethereal):
192.168.11.135 - client
192.168.11.153 - samba&squid
======================================================================================
Source Destination Protocol Info
192.168.11.135 192.168.11.153 HTTP GET http://www.microsoft.com
192.168.11.153 192.168.11.135 HTTP HTTP/1.0 407 Proxy Authentication Required (text/html)
Hypertext Transfer Protocol
HTTP/1.0 407 Proxy Authentication Required\r\n
Response Code: 407
Server: squid/2.5.STABLE12-CVS\r\n
Mime-Version: 1.0\r\n
Date: Fri, 27 Jan 2006 14:59:03 GMT\r\n
Content-Type: text/html\r\n
Content-Length: 1358\r\n
Expires: Fri, 27 Jan 2006 14:59:03 GMT\r\n
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
Proxy-Authenticate: NTLM\r\n
Proxy-Authenticate: Basic realm="Squid first"\r\n
X-Cache: MISS from seal-first\r\n
X-Cache-Lookup: NONE from seal-first:3128\r\n
Proxy-Connection: close\r\n
Source Destination Protocol Info
192.168.11.135 192.168.11.153 HTTP GET http://www.microsoft.com HTTP/1.0, NTLMSSP_NEGOTIATE
Hypertext Transfer Protocol
GET http://www.microsoft.com HTTP/1.0\r\n
Request Method: GET
Accept: */*\r\n
Accept-Language: ru\r\n
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAB7IIogMAAwAuAAAABgAGACgAAAAFASgKAAAAD0ZBTENPTlcySw==\r\n
NTLMSSP
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
Flags: 0xa208b207
Calling workstation domain: W2K
Length: 3
Maxlen: 3
Offset: 46
Calling workstation name: FALCON (192.168.11.135)
Length: 6
Maxlen: 6
Offset: 40
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\n
Host: www.microsoft.com\r\n
Proxy-Connection: Keep-Alive\r\n
\r\n
Source Destination Protocol Info
192.168.11.153 192.168.11.135 HTTP HTTP/1.0 407 Proxy Authentication Required, NTLMSSP_CHALLENGE (text/html)
Hypertext Transfer Protocol
HTTP/1.0 407 Proxy Authentication Required\r\n
Response Code: 407
Server: squid/2.5.STABLE12-CVS\r\n
Mime-Version: 1.0\r\n
Date: Fri, 27 Jan 2006 14:59:03 GMT\r\n
Content-Type: text/html\r\n
Content-Length: 1358\r\n
Expires: Fri, 27 Jan 2006 14:59:03 GMT\r\n
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAAAAAAADAAAAAyAgAA8nuzCJt6TRcAAAAAAAAAAAAAAAAwAAAA\r\n
NTLMSSP
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
Domain: NULL
Flags: 0x00000232
NTLM Challenge: F27BB3089B7A4D17
Reserved: 0000000000000000
Address List: Empty
X-Cache: MISS from seal-first\r\n
X-Cache-Lookup: NONE from seal-first:3128\r\n
Proxy-Connection: keep-alive\r\n
======================================================================================
After the server sent NTLMSSP_CHALLENGE the negotiation process stopped and the client's
web browser received "The page cannot be displayed..."
What do you think about this?
Thanks!
-----Original Message-----
From: Andrew Bartlett <abartlet at samba.org>
To: Jeremy Allison <jra at samba.org>
Date: Sat, 04 Feb 2006 09:15:13 +1100
Subject: Re: Samba 3.0.21 & NTLMSSP with NTLMv2
> On Fri, 2006-02-03 at 09:06 -0800, Jeremy Allison wrote:
> > On Fri, Feb 03, 2006 at 11:34:29AM +0300, Jet Info wrote:
> > > Hi, Andrew & Samba Team!
> > >
> > > I read the samba-technical archive message posted on May 17 00:06:40 GMT 2003 (link
> > > http://lists.samba.org/archive/samba-technical/2003-May/029542.html) and I have the
> > > same problem:
> > > If I configure my domain to "use NTLMv2 only, refuse LM & NTLM" and configure Samba
> > > to use NTLMv2 (client NTLMv2 auth = Yes, client lanman auth = No), I can
> > > successfully connect to a Samba share.
> > > But if I also configure the XP client with
> > > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
> > > "NtlmMinClientSec"=dword:00080000 - "Minimum session security for NTLMSSP based
> > > (including secure RPC) clients - require NTLMv2 session security", I get 'the
> > > network request is not supported.' at the XP client.
> > > Does the new Samba version support NTLMv2 in NTLMSSP?
> > > If not, is it planned to include this option in a future version?
> >
> > Samba 3.0.21a and b support NTLMv2 in NTLMSSP (based on the
> > hard work of Andrew Bartlett !).
>
> Please try that version, and let me know. Also avoid any 'username
> map', and use it from a domain logon context, for best results.
>
> The issues with NTLMv2 are often due to a checksum over the exact form
> of the username and domain. We may need to be more careful.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Student Network Administrator, Hawker College http://hawkerc.net
>
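Decoding the two NTLMSSP tokens from the Ethereal dump above, as an added worked example that is not part of the original post or of the Samba or Squid code: the script base64-decodes the Proxy-Authorization NEGOTIATE and Proxy-Authenticate CHALLENGE headers, extracts the negotiate-flag words, and compares them against the NtlmMinClientSec mask (0x00080000) from the quoted message. The flag bit values are the MS-NLMP constants (Samba calls 0x00080000 NTLMSSP_NEGOTIATE_NTLM2, Wireshark "Negotiate NTLM2 key"); the rule that a client configured with NtlmMinClientSec refuses to continue when a required bit is missing from the CHALLENGE is the standard NTLM client behaviour, applied here as a reading of the trace, not as a confirmed diagnosis of the Samba build in question.

```python
import base64
import struct

# NTLMSSP negotiate flags (MS-NLMP 2.2.2.5). Only the bits that appear in
# the two tokens from the dump are listed.
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",  # NTLM2 session security
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}

# HKLM\...\Lsa\MSV1_0\NtlmMinClientSec is a mask over the same flag word;
# 0x00080000 is "require NTLMv2 session security", the value set in the post.
NTLM_MIN_CLIENT_SEC = 0x00080000

SIGNATURE = b"NTLMSSP\x00"

def parse_ntlmssp(b64):
    """Decode one NTLMSSP token as carried in a Proxy-Authorization or
    Proxy-Authenticate header; return (message type, flags, decoded fields)."""
    raw = base64.b64decode(b64)
    if raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    if msg_type == 1:  # NEGOTIATE: flags directly follow the message type
        flags = struct.unpack_from("<I", raw, 12)[0]
        dom_len, _, dom_off = struct.unpack_from("<HHI", raw, 16)
        ws_len, _, ws_off = struct.unpack_from("<HHI", raw, 24)
        fields = {
            "domain": raw[dom_off:dom_off + dom_len].decode("ascii"),
            "workstation": raw[ws_off:ws_off + ws_len].decode("ascii"),
        }
    elif msg_type == 2:  # CHALLENGE: an 8-byte TargetName field precedes flags
        flags = struct.unpack_from("<I", raw, 20)[0]
        fields = {"challenge": raw[24:32].hex().upper()}
    else:
        raise ValueError("unexpected NTLMSSP message type %d" % msg_type)
    return msg_type, flags, fields

def flag_names(flags):
    """Human-readable names for the known bits set in a flag word."""
    return sorted(name for bit, name in FLAGS.items() if flags & bit)

def client_would_abort(negotiate_flags, challenge_flags, min_client_sec=NTLM_MIN_CLIENT_SEC):
    """Bits the client requires (NtlmMinClientSec) and offered in NEGOTIATE
    but which the server left out of CHALLENGE. Non-zero means the client
    refuses to send AUTHENTICATE, which is where the dump stops."""
    return (negotiate_flags & min_client_sec) & ~challenge_flags

# Tokens copied verbatim from the ethereal dump in the post.
NEGOTIATE_B64 = "TlRMTVNTUAABAAAAB7IIogMAAwAuAAAABgAGACgAAAAFASgKAAAAD0ZBTENPTlcySw=="
CHALLENGE_B64 = "TlRMTVNTUAACAAAAAAAAADAAAAAyAgAA8nuzCJt6TRcAAAAAAAAAAAAAAAAwAAAA"

if __name__ == "__main__":
    _, neg_flags, neg = parse_ntlmssp(NEGOTIATE_B64)
    _, chal_flags, chal = parse_ntlmssp(CHALLENGE_B64)
    print("NEGOTIATE 0x%08x %s %s" % (neg_flags, neg, flag_names(neg_flags)))
    print("CHALLENGE 0x%08x %s %s" % (chal_flags, chal, flag_names(chal_flags)))
    missing = client_would_abort(neg_flags, chal_flags)
    print("required by NtlmMinClientSec, absent from CHALLENGE: 0x%08x %s"
          % (missing, flag_names(missing)))
```

Run as-is, the script reports that the client's NEGOTIATE (0xa208b207) carries NEGOTIATE_EXTENDED_SESSIONSECURITY while the server's CHALLENGE flags (0x00000232: OEM, SIGN, SEAL, NTLM) do not, so the one bit the XP client was configured to require is the one the server failed to negotiate back. That is consistent with the handshake ending after the CHALLENGE in the dump; it also shows the challenge dropping NEGOTIATE_UNICODE in favour of OEM, which is worth checking separately when comparing against a working exchange.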