fixed ntlm_auth on samba4 alpha15.

rti super.rti at gmail.com
Tue May 10 03:20:20 MDT 2011


Hi.
The ntlm_auth on samba4 alpha15 did not work well, so I tried to fix it.


I am sending the fix:
http://rtilabs.net/files/2011_05_10/ntlm_auth.c

or the patch file:
http://rtilabs.net/files/2011_05_10/samba-4.0.0alpha15.ntlm_auth.patch


A))
Fixes
1)
The check_plaintext_auth function is not implemented.
I implemented the check_plaintext_auth function, referring to the samba3 ntlm_auth.

2)
The local_pw_check_specified function does not work.
The E_md4hash(opt_password, nt_pw.hash) call crashes: opt_password is NULL.
I re-implemented the local_pw_check_specified function, referring to the samba3
ntlm_auth.

3)
The "require-membership-of" option is not implemented.
I implemented this option, referring to the samba3 ntlm_auth and samba4
wbinfo. (Supplement later.)

4)
Verification of the helper protocols (ntlm-server-1, squid-2.5-ntlmssp),
which I verified.
I implemented the "require-membership-of" option for the squid-2.5-ntlmssp protocol.

I checked helper-protocol = ntlm-server-1 with pptpd.
I checked helper-protocol = squid-2.5-ntlmssp with apache mod_auth_ntlm_winbind.


B))
Supplement on the "require-membership-of" option.
The "require-membership-of" option was implemented on the protocol side in
samba3 winbind, but in samba4 it somehow does not seem to be
implemented.

For example, code like this goes through the squid winbind path in
samba3, but in samba4 it is ignored. (It is ignored without any error.)

/* Pass the option to winbindd: honoured by samba3, ignored by samba4. */
struct winbindd_request request;
if (opt_require_membership_of) {
        strlcpy(request.data.auth.opt_require_membership_of,
                opt_require_membership_of,
                sizeof(request.data.auth.opt_require_membership_of));
}

I fixed this on the ntlm_auth side, implementing the group membership
check as a routine: the is_require_membership_of_sid_samba4bugfix function.
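As an added illustration, not code from this patch or from Samba, here is the shape such a membership routine can take. It assumes the option value is a comma-separated list of group SIDs in string form and that the caller has already obtained the user's group SIDs (for instance from a winbind lookup); the function and sample values are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Compare one comma-separated token (a, alen) with a textual SID b,
 * ignoring case and whitespace around the token. */
static bool sid_equal(const char *a, size_t alen, const char *b)
{
    while (alen > 0 && (a[0] == ' ' || a[0] == '\t')) { a++; alen--; }
    while (alen > 0 && (a[alen - 1] == ' ' || a[alen - 1] == '\t')) alen--;
    if (alen == 0)
        return false;
    return alen == strlen(b) && strncasecmp(a, b, alen) == 0;
}

/* Hypothetical check in the spirit of --require-membership-of:
 * true if user_sids contains at least one SID listed in required_csv.
 * A NULL or empty option means "no restriction"; with a non-empty
 * option and no matching group the user is rejected. */
bool is_member_of_required(const char *required_csv,
                           const char *const *user_sids, size_t n_user)
{
    if (required_csv == NULL || required_csv[0] == '\0')
        return true;
    const char *p = required_csv;
    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        for (size_t i = 0; i < n_user; i++) {
            if (user_sids[i] != NULL && sid_equal(p, len, user_sids[i]))
                return true;
        }
        if (comma == NULL)
            break;
        p = comma + 1;
    }
    return false;
}

int main(void)
{
    /* Constructed sample: group SIDs a lookup might return for a user. */
    const char *const groups[] = {
        "S-1-5-21-1111-2222-3333-513",  /* Domain Users */
        "S-1-5-21-1111-2222-3333-1105", /* a custom group */
    };
    const char *required = "S-1-5-21-1111-2222-3333-512, s-1-5-21-1111-2222-3333-1105";
    printf("allowed: %s\n", is_member_of_required(required, groups, 2) ? "yes" : "no");
    return 0;
}
```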


C))
A proposal.
Will you set the setuid/setgid bit on ntlm_auth?
Currently, to use samba4 ntlm_auth with helper-protocol squid-2.5-ntlmssp,
it must have the setuid/setgid bit set.

chmod +s /usr/local/samba/bin/ntlm_auth


For samba3 ntlm_auth this is not an issue thanks to
"/var/lib/samba/winbindd_privileged".
However, samba4 ntlm_auth depends on something more complex.

Various errors occur if a user who is not root (for instance, apache)
runs helper-protocol squid-2.5-ntlmssp.

1)
samba4 ntlm_auth writes to the following directory, for which it is not authorized:
/usr/local/samba/private/smbd.tmp/msg/

This directory has permission 800 root.root.
The apache user cannot access it.

2)
helper-protocol = squid-2.5-ntlmssp returned the error "BH Failed to
retrive session info NT_STATUS_INTERNAL_DB_CORRUPTIO" when running as the
apache user.

...and others...
Setting the setuid bit on ntlm_auth solves all of this.

I wrote a little about this problem in my blog. (Japanese)
http://d.hatena.ne.jp/rti7743/20110510/1304856198


Thanks.

