[Samba] ntlm_auth and squid authentication problems
Lombardo Federico
ego_pfe at hotmail.com
Tue Nov 11 13:58:05 GMT 2003
Hi all,
I've a little problem using ntlm_auth with squid.
Scenario: Redhat 9, Samba 3 compiled, squid-2.5 compiled.
smb.conf:
[global]
encrypt passwords = Yes
winbind separator = \
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/bash
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
workgroup = GRANDI_STAZIONI
server string = venere
netbios name = venere
security = ads
log file = /var/log/samba/log.%m
max log size = 50
password server = MASTER BDC
realm = GSTAZIONI.IT
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 192.168.5.1 192.168.0.1
wins proxy = yes
dns proxy = yes
Samba is correctly configured into the domain.
Now I take a simple user... called "user" with password "password" ... what
a fantasy, I'm smart ah!? :-)
So, go on. I try to authenticate it with wbinfo:
[root@Squid root]# wbinfo -a user%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
So go on, and try to authenticate it with ntlm_auth:
[root@Squid root]# /usr/squid/libexec/ntlm_auth --username=user --nt-response
password:
NT_STATUS_OK: Success (0x0)
then, configure my squid to work with ntlm_auth, so squid.conf will be:
auth_param ntlm program /usr/squid/libexec/ntlm_auth --debug-level=10 --helper-protocol=squid-2.5-ntlmssp --nt-response
auth_param ntlm children 40
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/squid/libexec/ntlm_auth --debug-level=10 --helper-protocol=squid-2.5-basic --nt-response
auth_param basic children 40
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
Ok ? that's ok.
then I open my IE6, latest patchlevel, tried on win2k, win2003 and XP, and
when I ask a site I receive this in squid's cache.log:
[2003/11/11 14:52:02, 10] utils/ntlm_auth.c:manage_squid_request(1061)
Got 'KK
TlRMTVNTUAADAAAAGAAYAGIAAAAYABgAegAAAA8ADwBIAAAABAAEAFcAAAAHAAcAWwAAAAAAAACS
AAAABgIAIgUCzg4AAAAPR1JBTkRJX1NUQVpJT05JVVNFUkNFUkJFUk8Sh8IeDiFr+fN1aPqFbYp8
HMPZCVVtWHOK6pqb0wMyFKr+LB7KIDwbIIJzdVWIUS8=' from squid (length: 199).
[2003/11/11 14:52:02, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
got NTLMSSP packet:
[2003/11/11 14:52:02, 10] lib/util.c:dump_data(1825)
[000] 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 NTLMSSP. ........
[010] 62 00 00 00 18 00 18 00 7A 00 00 00 0F 00 0F 00 b....... z.......
[020] 48 00 00 00 04 00 04 00 57 00 00 00 07 00 07 00 H....... W.......
[030] 5B 00 00 00 00 00 00 00 92 00 00 00 06 02 00 22 [....... ......."
[040] 05 02 CE 0E 00 00 00 0F 47 52 41 4E 44 49 5F 53 ........ GRANDI_S
[050] 54 41 5A 49 4F 4E 49 55 53 45 52 43 45 52 42 45 TAZIONIU SERCERBE
[060] 52 4F 12 87 C2 1E 0E 21 6B F9 F3 75 68 FA 85 6D RO.....! k..uh..m
[070] 8A 7C 1C C3 D9 09 55 6D 58 73 8A EA 9A 9B D3 03 .|....Um Xs......
[080] 32 14 AA FE 2C 1E CA 20 3C 1B 20 82 73 75 55 88 2...,.. <. .suU.
[090] 51 2F 00 Q/.
[2003/11/11 14:52:02, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(286)
Got user=[USER] domain=[GRANDI_STAZIONI] workstation=[CERBERO] len1=24 len2=24
[2003/11/11 14:52:02, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(325)
NTLMSSP NT_STATUS_ACCESS_DENIED
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_request(1061)
Got 'YR' from squid (length: 2).
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
got NTLMSSP packet:
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(322)
NTLMSSP challenge
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_request(1061)
Got 'KK
TlRMTVNTUAADAAAAGAAYAGIAAAAYABgAegAAAA8ADwBIAAAABAAEAFcAAAAHAAcAWwAAAAAAAACS
AAAABgIAIgUCzg4AAAAPR1JBTkRJX1NUQVpJT05JVVNFUkNFUkJFUk8eZ4Km4Gp0NNEiDnO2ko2P
YaSAVmt1WAEOjvUdTWSakqTyJWkliZaHhljnTdE165I=' from squid (length: 199).
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
got NTLMSSP packet:
[2003/11/11 14:52:03, 10] lib/util.c:dump_data(1825)
[000] 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 NTLMSSP. ........
[010] 62 00 00 00 18 00 18 00 7A 00 00 00 0F 00 0F 00 b....... z.......
[020] 48 00 00 00 04 00 04 00 57 00 00 00 07 00 07 00 H....... W.......
[030] 5B 00 00 00 00 00 00 00 92 00 00 00 06 02 00 22 [....... ......."
[040] 05 02 CE 0E 00 00 00 0F 47 52 41 4E 44 49 5F 53 ........ GRANDI_S
[050] 54 41 5A 49 4F 4E 49 55 53 45 52 43 45 52 42 45 TAZIONIU SERCERBE
[060] 52 4F 1E 67 82 A6 E0 6A 74 34 D1 22 0E 73 B6 92 RO.g...j t4.".s..
[070] 8D 8F 61 A4 80 56 6B 75 58 01 0E 8E F5 1D 4D 64 ..a..Vku X.....Md
[080] 9A 92 A4 F2 25 69 25 89 96 87 86 58 E7 4D D1 35 ....%i%. ...X.M.5
[090] EB 92 00 ...
[2003/11/11 14:52:03, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(286)
Got user=[USER] domain=[GRANDI_STAZIONI] workstation=[CERBERO] len1=24 len2=24
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(325)
NTLMSSP NT_STATUS_ACCESS_DENIED
please note that these packets are REAL, not changed by me.
User: user
Password: password
Note also that using ntlm_auth with basic protocol ONLY will make all work,
with cache.log:
[2003/11/11 11:59:06, 10] utils/ntlm_auth.c:manage_squid_request(1061)
Got 'user password' from squid (length: 17).
[2003/11/11 11:59:06, 3] utils/ntlm_auth.c:check_plaintext_auth(172)
NT_STATUS_OK: Success (0x0)
but I NEED NTLM SCHEME, NOT BASIC ONE!!!
I hope someone could help me.
Thanks in advance,
Best Regards,
Federico
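
For readers following the debug output above, this added example (not part of the original post and not Samba or squid code) decodes a squid helper `KK <base64>` request into the NTLMSSP type 3 fields that the log reports as user, domain, workstation, len1 and len2. The function names are hypothetical and the sample message is constructed, not taken from the log.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM otherwise
BUFFERS = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")

def parse_authenticate(blob: bytes) -> dict:
    """Decode the fields of an NTLMSSP type 3 (AUTHENTICATE) message."""
    if len(blob) < 64 or blob[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    if msg_type != 3:
        raise ValueError(f"expected type 3, got type {msg_type}")
    out = {"flags": struct.unpack_from("<I", blob, 60)[0]}
    for i, name in enumerate(BUFFERS):
        # Security buffer: length (uint16), max length (uint16), offset (uint32).
        length, _maxlen, offset = struct.unpack_from("<HHI", blob, 12 + 8 * i)
        if offset + length > len(blob):
            raise ValueError(f"{name} buffer points outside the message")
        out[name] = blob[offset:offset + length]
    # The negotiated flags decide how the three name strings are encoded.
    codec = "utf-16-le" if out["flags"] & NEGOTIATE_UNICODE else "cp437"
    for name in ("domain", "user", "workstation"):
        out[name] = out[name].decode(codec, errors="replace")
    return out

def parse_helper_line(line: str) -> dict:
    """Parse a 'KK <base64>' request line as squid passes it to the helper."""
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] != "KK":
        raise ValueError("only KK lines carry a type 3 message")
    return parse_authenticate(base64.b64decode("".join(parts[1].split())))

def build_sample() -> str:
    """Constructed type 3 message with made-up names and response bytes."""
    parts = [b"\xaa" * 24, b"\xbb" * 24, b"EXAMPLEDOM", b"ALICE", b"WKSTN1", b""]
    header, body, offset = b"", b"", 64
    for p in parts:
        header += struct.pack("<HHI", len(p), len(p), offset)
        body += p
        offset += len(p)
    flags = struct.pack("<I", 0x00000202)  # OEM strings + NTLM
    msg = SIGNATURE + struct.pack("<I", 3) + header + flags + body
    return "KK " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    info = parse_helper_line(build_sample())
    print(info["domain"], info["user"], info["workstation"],
          len(info["lm_response"]), len(info["nt_response"]))
```

A 24-byte value in both response fields, as in the len1=24 len2=24 log lines, is the NTLMv1-sized response; NTLMv2 responses are longer.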