[Samba] Problems with 'ntlm_auth --require-membership-of' using Samba 3.0.6
Matt Doran
samba.10.matt_doran at spamgourmet.com
Tue Sep 7 13:08:07 GMT 2004
Hi there,
I'm trying to configure Squid to use a windows domain for
authentication, and all goes well until I add the
"--require-membership-of" option on ntlm_auth. I need to restrict
access based on group membership, however ntlm_auth does not seem to be
behaving correctly. I'm using Samba 3.0.6 on Debian and I'm using a
Windows 2000 (SP4) Domain Controller. I configured winbind as discussed
here: http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
ntlm_auth seems to report the membership of some groups correctly, but
incorrectly for others.
Checking the group membership using getent shows that the user "matt"
belongs to the "Domain Admins", "Domain Users" and "TestGroup" groups.
~$ getent group -s winbind | grep matt
VM-DOMAIN\Domain Admins:x:10002:VM-DOMAIN\Administrator,VM-DOMAIN\matt
VM-DOMAIN\Domain Users:x:10000:VM-DOMAIN\Administrator, <snip....>,
VM-DOMAIN\matt
VM-DOMAIN\TestGroup:x:10022:VM-DOMAIN\Administrator,VM-DOMAIN\matt
Then using ntlm_auth to check for membership to the "Domain Users" or
"Domain Admins" groups works as expected.
~$ ntlm_auth --require-membership-of='VM-DOMAIN\Domain Users'
--username=matt --password=XXXX
NT_STATUS_OK: Success (0x0)
~$ ntlm_auth --require-membership-of='VM-DOMAIN\Domain Admins'
--username=matt --password=XXXX
NT_STATUS_OK: Success (0x0)
But when I check for membership of the "TestGroup" (which is a Global
group just like Domain Admins) it fails:
~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup'
--username=matt --password=XXXX
NT_STATUS_LOGON_FAILURE: Logon failure (0xc000006d)
So the getent output above shows that "matt" is a member of the
"TestGroup" group, but ntlm_auth seems to produce the incorrect output.
It appears to know that the group and user exist and the password is
valid because varying these params gives different error messages:
~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup2'
--username=matt --password=XXXX
[2004/09/07 22:48:18, 0]
utils/ntlm_auth.c:get_require_membership_sid(237)
Winbindd lookupname failed to resolve VM-DOMAIN\TestGroup2 into a SID!
~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup'
--username=matt2 --password=XXXX
NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup'
--username=matt --password=WRONG_PWD
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Now for the really weird part. If I test to see if the "Administrator"
user belongs to this group (which it does ... see the getent output
above) then it succeeds:
~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup'
--username=Administrator --password=password
NT_STATUS_OK: Success (0x0)
The logs don't produce anything that looks relevant. I'm stumped. I've
tried many different things, but I can't figure out the pattern as to
why these are failing. Something to do with user-defined
groups/users. Could there be something wrong with or missing from the Windows
user/group setup? The domain controller is a clean install of W2K
SP4, which was then activated as a domain controller.
Any ideas would be greatly appreciated!
Regards,
--
Matt Doran
PaperCut Software Pty. Ltd.
Web: http://www.papercut.biz
Blog: http://blogs.papercutsoftware.com/matt.doran/
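An added diagnostic script (not from the post, Samba or Squid) that walks every group getent lists a user in and asks ntlm_auth the same question, flagging the kind of disagreement described above; it assumes a running winbindd and the Samba 3 status-line format shown in the post, and the getent sample embedded in it is constructed.

```shell
#!/bin/sh
# Added diagnostic for the discrepancy in the post: compare the groups winbind's
# NSS view (getent) lists a user in with what ntlm_auth decides for each one.
# Assumes the Samba 3 ntlm_auth output format shown above. Not Samba's own code.

# Constructed sample modelled on the getent output in the post (offline use).
GETENT_SAMPLE='VM-DOMAIN\Domain Admins:x:10002:VM-DOMAIN\Administrator,VM-DOMAIN\matt
VM-DOMAIN\Domain Users:x:10000:VM-DOMAIN\Administrator,VM-DOMAIN\matt
VM-DOMAIN\TestGroup:x:10022:VM-DOMAIN\Administrator,VM-DOMAIN\matt
VM-DOMAIN\Printers:x:10030:VM-DOMAIN\Administrator'

# groups_of USER: read getent-style group lines on stdin, print the names of
# the groups whose member list contains DOMAIN\USER (domain prefix stripped)
groups_of() {
  awk -F: -v u="$1" '{
    n = split($4, m, ",")
    for (i = 1; i <= n; i++) {
      k = index(m[i], "\\"); if (k) m[i] = substr(m[i], k + 1)
      if (m[i] == u) { print $1; break }
    }
  }'
}

# verdict LINE: classify the last line ntlm_auth prints for a plaintext check
verdict() {
  case "$1" in
    NT_STATUS_OK:*)             echo member ;;
    NT_STATUS_LOGON_FAILURE:*)  echo denied ;;       # logon itself fine, group check failed
    NT_STATUS_WRONG_PASSWORD:*) echo bad-password ;;
    NT_STATUS_NO_SUCH_USER:*)   echo no-such-user ;;
    *)                          echo error ;;        # e.g. group name not resolvable to a SID
  esac
}

# check_membership USER PASSWORD: for every group winbind lists USER in, ask
# ntlm_auth the same question and flag disagreements (needs a running winbindd)
check_membership() {
  user="$1"; pass="$2"
  getent group -s winbind | groups_of "$user" | while IFS= read -r grp; do
    out=$(ntlm_auth --require-membership-of="$grp" --username="$user" \
                    --password="$pass" 2>&1 | tail -n 1)
    v=$(verdict "$out")
    if [ "$v" = member ]; then printf 'AGREE    %s\n' "$grp"
    else printf 'MISMATCH %s (getent: member, ntlm_auth: %s)\n' "$grp" "$v"
    fi
  done
}

if [ "$#" -eq 2 ]; then check_membership "$1" "$2"; fi
```

Run it as `sh check_groups.sh matt 'XXXX'` on the Samba host; a MISMATCH line is exactly the TestGroup case from the post, and running it for Administrator as well shows whether the problem follows the user or the group.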