ntlm_auth returns different answers based on smb / winbindd start order?
Alan DeKok
aland at ox.org
Fri Dec 4 03:51:58 MST 2009
This was reported to me off of the Samba list. We're using ntlm_auth
to do MS-CHAP authentication to AD. Administrators are having odd
issues authenticating with ntlm_auth.
* An ntlm_auth --username=whatever and then giving a password
returns NT_STATUS_OK: Success (0x0).
* An incorrect password returns NT_STATUS_WRONG_PASSWORD, as expected
* taking a username, challenge and nt response from an MS-CHAP session
testing on the command line returns an NT key
* Starting winbindd before smbd returns one NT key,
* Starting smbd before winbindd returns a *different* NT key
... for the same username / challenge / NT response from above.
Starting smbd before winbindd returns the correct NT key. Starting
them in the opposite order returns an incorrect NT key.
Any ideas as to what's going wrong? I would prefer that ntlm_auth
returns an error instead of a bad NT key. Returning a bad NT key makes
the admin believe that everything is working. But the user keeps
getting failed MS-CHAP authentication, even when they use the correct
password.
Alan DeKok.
More information about the samba-technical
mailing list