Samba4 and NTLM_AUTH

Ted Salmon tass2001 at hotmail.com
Wed Sep 14 03:49:25 MDT 2011 

I ended up setting up FreeRADIUS to authenticate (so I could easily steal my LANMAN-Challange and NT-Respose) and ran ntlm_auth in debuglevel=10. Here's what I have:

root at NETW1-STATS:/usr/etc/raddb# /usr/bin/ntlm_auth --debuglevel=10 --helper-protocol=ntlm-server-1
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
lpcfg_load: refreshing parameters from /usr/etc/samba/smb.conf
params.c:pm_process() - Processing configuration file "/usr/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[profiles]"
Processing section "[home]"
Processing section "[share]"
Processing section "[files]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Request-User-Session-Key: yes
Got 'Request-User-Session-Key: yes' from squid (length: 29).
Request-LanMan-Session-Key: yes
Got 'Request-LanMan-Session-Key: yes' from squid (length: 31).
NT-Domain:: RE9NQUlOLk5FVFdPUksuTkVU
Got 'NT-Domain:: RE9NQUlOLk5FVFdPUksuTkVU' from squid (length: 36).
Username:: dHNhbG1vbg==
Got 'Username:: dHNhbG1vbg==' from squid (length: 23).
LANMAN-Challenge: ed443ebef22880eb
Got 'LANMAN-Challenge: ed443ebef22880eb' from squid (length: 34).
NT-Response: 956b5c22454076daaa84b3506083eff6a400f96afd990950
Got 'NT-Response: 956b5c22454076daaa84b3506083eff6a400f96afd990950' from squid (length: 61).
.
Got '.' from squid (length: 1).
===============================================================
INTERNAL ERROR: Signal 11 in pid 4325 (4.0.0alpha17)
Please read the Trouble-Shooting section of the Samba HOWTO
===============================================================
PANIC: internal error
Aborted

I also attempted without requesting any session keys:

NT-Domain:: RE9NQUlOLk5FVFdPUksuTkVU
Got 'NT-Domain:: RE9NQUlOLk5FVFdPUksuTkVU' from squid (length: 36).
Username:: dHNhbG1vbg==
Got 'Username:: dHNhbG1vbg==' from squid (length: 23).
LANMAN-Challenge: ed443ebef22880eb
Got 'LANMAN-Challenge: ed443ebef22880eb' from squid (length: 34).
NT-Response: 956b5c22454076daaa84b3506083eff6a400f96afd990950
Got 'NT-Response: 956b5c22454076daaa84b3506083eff6a400f96afd990950' from squid (length: 61).
.
Got '.' from squid (length: 1).
===============================================================
INTERNAL ERROR: Signal 11 in pid 4329 (4.0.0alpha17)
Please read the Trouble-Shooting section of the Samba HOWTO
===============================================================
PANIC: internal error
Aborted



If I attempt to use a "Password" instead of Lanman/NT Challenge/Response I get the same output, though I guess that's because that's now how MSChap is meant to work. The process panics no matter what I use for the Lanman/NT values. Please let me know if this is adequate or if I should go about this differently. I'll also take a look at the code and see if I can make heads or tails of why ntlm_auth is dying in this manner.

Thanks!
> Date: Wed, 14 Sep 2011 08:26:50 +0200
> From: kai at samba.org
> To: tass2001 at hotmail.com
> CC: samba-technical at lists.samba.org
> Subject: Re: Samba4 and NTLM_AUTH
> 
> On 2011-09-14 07:57, Ted Salmon wrote:
> 
> Hi Ted,
> 
> > Interesting. When I run ntlm_auth from the CLI, unless I'm doing something wrong, I get no output no matter what username/password I use:
> 
> Sure, that's quite possible. I've only ever tested the
> --helper-protocol=ntlmssp-client-1 operation. That's a completely
> different codepath than what you're using. As I said, I'm ready to
> believe that the code path you need is broken. There's no unit test to
> prove otherwise, and untested code is broken code. That's why there's so
> much value in creating those tests.
> 
> Cheers,
> Kai
> 
> -- 
> Kai Blin
> Worldforge developer http://www.worldforge.org/
> Wine developer http://wiki.winehq.org/KaiBlin
> Samba team member http://www.samba.org/samba/team/
>

More information about the samba-technical mailing list