[Samba] Samba 3 - ntlm_auth ntlmssp failing
daniel.jarboe at custserv.com
daniel.jarboe at custserv.com
Wed Sep 3 12:35:48 GMT 2003
Is /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp supposed to be
working at this stage of samba 3? With RH EL3 beta (taroon) which comes
with samba-3.0.0-3rc1.3E packages (and squid-2.5.STABLE3-2.3E packages),
the /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic helper works
great but /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp always
fails (NTLMSSP NT_STATUS_ACCESS_DENIED). This is with an NT domain
controller. We're running samba 2.2.8a everywhere else, this is first
jump to 3.0.
Only winbindd is running, not samba. Here is the smb.conf:
[global]
workgroup = TCS_MAIN_DOM
netbios name = LINBETA
server string = Samba Server on LINBETA
interfaces = eth0 127.0.0.1/24
bind interfaces only = yes
security = DOMAIN
encrypt passwords = Yes
password server = tcs_main_pdc
username map = /etc/samba/smbusers
log level = 1
log file = /var/log/samba/%m.log
mangling method = hash2
preferred master = No
domain master = No
dns proxy = No
wins server = tcs_main_pdc
kernel oplocks = No
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
blocking locks = No
locking = No
oplocks = No
level2 oplocks = No
guest account = nobody
load printers = no
Here is a squid/ntlm_auth log of the transaction. Should I file a bug
report or is there some setting that needs to be made on the PDC?
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '(nil)'.
2003/09/03 08:15:40| authenticateValidateUser: Auth_user_request was
NULL!
2003/09/03 08:15:40| authenticateFixHeader: headertype:34 authuser:(nil)
2003/09/03 08:15:40| authenticateNTLMFixErrorHeader: Sending type:34
header: 'NTLM'
2003/09/03 08:15:40| authenticateFixErrorHeader: Sending type:34 header:
'Basic realm="Proxy"'
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '1'.
2003/09/03 08:15:40| authenticateDecodeAuth: header = 'NTLM
TlRMTVNTUAABAAAAB7IAoAwADAAoAAAACAAIACAAAABCQzAwNjc4NFRDU19NQUlOX0RPTX==
'
2003/09/03 08:15:40| authenticateAuthUserLock auth_user '0x559ba5c0'.
2003/09/03 08:15:40| authenticateAuthUserLock auth_user '0x559ba5c0' now
at '1'.
2003/09/03 08:15:40| authenticateDecodeNTLMAuth: NTLM authentication
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: auth state ntlm
none. NTLM
TlRMTVNTUAABAAAAB7IAoAwADAAoAAAACAAIACAAAABCQzAwNjc4NFRDU19NQUlOX0RPTX==
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: Locking auth_user
from the connection.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '2'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateStart: auth_user_request '0x559ba5a8'
2003/09/03 08:15:40| authenticateNTLMStart: auth state '1'
2003/09/03 08:15:40| authenticateNTLMStart: state '1'
2003/09/03 08:15:40| authenticateNTLMStart:
'TlRMTVNTUAABAAAAB7IAoAwADAAoAAAACAAIACAAAABCQzAwNjc4NFRDU19NQUlOX0RPTX=
='
2003/09/03 08:15:40| authenticateNTLMHelperServerAvailable: not starving
- returning 1
2003/09/03 08:15:40| authenticateNTLMChangeChallenge_p: first use
2003/09/03 08:15:40| authenticateNTLMStart: helper '0x557d9470' assigned
2003/09/03 08:15:40| authenticateNTLMValidChallenge: Challenge is
Invalid
[2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_request(1061)
Got 'YR' from squid (length: 2).
[2003/09/03 08:15:40, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
got NTLMSSP packet:
[2003/09/03 08:15:40, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(322)
NTLMSSP challenge
2003/09/03 08:15:40| authenticateNTLMHandleReply: Helper: '0x557d9470'
{TT TlRMTVNTUAACAAAAAAAAADAAAAACAgAgJt9X786e84sAAAAAAAAAAAAAAAAwAAAA}
2003/09/03 08:15:40| authenticateNTLMHandleReply: helper '0x557d9470'
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '3'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '2'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '3'.
2003/09/03 08:15:40| authenticateFixHeader: headertype:34
authuser:0x559ba5a8
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMFixErrorHeader: Sending type:34
header: 'NTLM
TlRMTVNTUAACAAAAAAAAADAAAAACAgAgJt9X786e84sAAAAAAAAAAAAAAAAwAAAA'
2003/09/03 08:15:40| authenticateFixHeader: headertype:34
authuser:0x559ba5a8
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '2'.
2003/09/03 08:15:40| NTLM HandleReply, telling stateful helper : 3
2003/09/03 08:15:40| authenticateNTLMHelperServerAvailable: not starving
- returning 1
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '1'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '2'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: auth state
challenge with header NTLM
TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA
AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h
ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==.
2003/09/03 08:15:40| aclMatchProxyAuth: cache lookup with key 'NTLM
TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA
AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h
ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==TlRMTVNTUAACAAAAAAAAADAAAAAC
AgAgJt9X786e84sAAAAAAAAAAAAAAAAwAAAA'
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: proxy-auth cache
miss.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateStart: auth_user_request '0x559ba5a8'
2003/09/03 08:15:40| authenticateNTLMStart: auth state '3'
2003/09/03 08:15:40| authenticateNTLMStart: Asking NTLMauthenticator
'0x557d9470'.
2003/09/03 08:15:40| authenticateNTLMStart: state '3'
2003/09/03 08:15:40| authenticateNTLMStart:
'TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAA
AAACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21
hZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw=='
2003/09/03 08:15:40| authenticateNTLMstart: finished
[2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_request(1061)
Got 'KK
TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA
AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h
ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==' from squid (length: 191).
[2003/09/03 08:15:40, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
got NTLMSSP packet:
[2003/09/03 08:15:40, 10] lib/util.c:dump_data(1887)
[000] 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 NTLMSSP.
........
[010] 5B 00 00 00 18 00 18 00 73 00 00 00 0C 00 0C 00 [.......
s.......
[020] 40 00 00 00 07 00 07 00 4C 00 00 00 08 00 08 00 @.......
L.......
[030] 53 00 00 00 00 00 00 00 8B 00 00 00 06 02 00 20 S.......
.......
[040] 54 43 53 5F 4D 41 49 4E 5F 44 4F 4D 4A 41 52 42 TCS_MAIN
_DOMJARB
[050] 4F 45 44 42 43 30 30 36 37 38 34 E3 7C 12 81 3B OEDBC006
784.|..;
[060] 7C CB 13 EA 3B E6 2C 4E 28 FF 6D 61 66 47 08 6A |...;.,N
(.mafG.j
[070] 26 F2 9C B0 97 14 B1 F2 F2 BB 62 F4 E0 D8 E2 6F &.......
..b....o
[080] 5A BC F5 94 2F 37 FB 47 9C 81 CF 00 Z.../7.G ....
[2003/09/03 08:15:40, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(292)
Got user=[JARBOED] domain=[TCS_MAIN_DOM] workstation=[BC006784]
len1=24 len2=24
[2003/09/03 08:15:40, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(325)
NTLMSSP NT_STATUS_ACCESS_DENIED
2003/09/03 08:15:40| authenticateNTLMHandleReply: Helper: '0x557d9470'
{NA NT_STATUS_ACCESS_DENIED}
2003/09/03 08:15:40| authenticateNTLMHandleReply: Error validating user
via NTLM. Error returned 'NA NT_STATUS_ACCESS_DENIED'
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: auth state ntlm
failed. NTLM
TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA
AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h
ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '1'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '2'.
2003/09/03 08:15:40| authenticateFixHeader: headertype:34
authuser:0x559ba5a8
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMFixErrorHeader: Sending type:34
header: 'NTLM'
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '1'.
2003/09/03 08:15:40| NTLM HandleReply, telling stateful helper : 2
2003/09/03 08:15:40| authenticateNTLMHelperServerAvailable: not starving
- returning 1
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '0'.
2003/09/03 08:15:40| authenticateAuthUserRequestFree: freeing request
0x559ba5a8
2003/09/03 08:15:40| authenticateAuthUserUnlock auth_user '0x559ba5c0'.
2003/09/03 08:15:40| authenticateAuthUserUnlock auth_user '0x559ba5c0'
now at '0'.
2003/09/03 08:15:40| authenticateFreeProxyAuthUser: Freeing auth_user
'0x559ba5c0' with refcount '0'.
2003/09/03 08:15:40| authenticateNTLMFreeUser: Clearing NTLM scheme data
-----------------------------------------------------------------------
This message is the property of Time Inc. or its affiliates. It may be
legally privileged and/or confidential and is intended only for the use
of the addressee(s). No addressee should forward, print, copy, or
otherwise reproduce this message in any manner that would allow it to be
viewed by any individual not originally listed as a recipient. If the
reader of this message is not the intended recipient, you are hereby
notified that any unauthorized disclosure, dissemination, distribution,
copying or the taking of any action in reliance on the information
herein is strictly prohibited. If you have received this communication
in error, please immediately notify the sender and delete this message.
Thank you.
More information about the samba
mailing list