[Samba] Internet explorer not authenticating properly

Andrew Bartlett abartlet at samba.org
Fri Dec 2 08:45:05 GMT 2005

On Fri, 2005-12-02 at 14:16 +1100, Adam Clark wrote:
> Hi all,
>   We are having a an ongoing problem with out NTLM authentication on out
> squid system.
> The problem tends to arise when users change their passwords.
> I have read a KB article that says that DC's will still continue to
> authenticate
> Old password for an hour or so after the password is changed.

This seems to happen on win2k3 SP1 DCs, from my testing. (But not
earlier versions).

> But I think it is between IE and winbindd that is the problem.
> Below is a trace at debug level 5 from winbindd.  The first is a correct
> authentication
> Attempt from boh\mobeid.  The second is the user that had chaged his
> password
> 2.5 hours before this trace.  NTLM authentication has failed and he is
> Prompted for basic, he types in his name and it attempts to authenticate
> as
> Proxy\james.clavering, which no such user exists.
> If I manually use ntlm_auth to authenticate with the new password I get
> a result code 0,
> So I know that the DC's are working correctly.
> [22734]: pam auth crap domain: BOH user: MOBEID
> Using cleartext machine password
> cred_create
> cred_create
> cred_assert
> [22734]: pam auth crap domain: PROXY user: JAMES.CLAVERING
> Using cleartext machine password
> cred_create
> cred_create
> cred_assert
> NTLM CRAP authentication for user [PROXY]\[JAMES.CLAVERING] returned
> [22734]: pam auth crap domain: BOH user: MVELLA
> Using cleartext machine password
> cred_create
> cred_create
> cred_assert
> Has anybody else experienced these problems with NTLM auth.
> Our installation is RedHad ES Linux 3, with samba-3.0.9-1.3E.5

The problem with the [PROXY] domain is that the user is entering no
domain.  They should enter domain\\username for the basic
authentication.  You could set 'winbind use default domain = yes' to get
the behaviour your users are after.

It is frustrating that IE isn't picking up the new password after the
change.  It would be interesting to see how firefox reacts (as a

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20051202/825826ef/attachment.bin

More information about the samba mailing list