[Samba] Internet explorer not authenticating properly

Adam Clark adam.clark at ngv.vic.gov.au
Tue Dec 6 01:11:42 GMT 2005


Is it possible to test the challenge/response strings that Internet
Explorer uses, to validate where the problem lies, using the following
options?

  --challenge=STRING       challenge (HEX encoded)
  --lm-response=STRING     LM Response to the challenge (HEX encoded)
  --nt-response=STRING     NT or NTLMv2 Response to the challenge (HEX encoded)

This raises another question: are the challenge/response questions the
same over a period of time, or are the challenges unique each time?

Below is some output from a successful NTLM response:


GET http://www.google.com/ HTTP/1.0 
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-au
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAMAAwBIAAAABgAGAEsAAAAKAAoAUQAAAAAA
AACLAAAABgIAAgUBKAoAAAAPQk9IQUNMQVJLV1MwMDAwNDA2Mcqy1BlECOrX/0aK5lXSDRv3
Vyl/Cz0QPqBFYp3vsixnzBGbbNsq13AjQeJgdduJAA== 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 
Host: www.google.com 
Proxy-Connection: Keep-Alive

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Friday, 2 December 2005 7:45 PM
To: Adam Clark
Cc: samba at lists.samba.org
Subject: Re: [Samba] Internet explorer not authenticating properly

On Fri, 2005-12-02 at 14:16 +1100, Adam Clark wrote:
> Hi all,
>   We are having an ongoing problem with our NTLM authentication on
> our squid system.
> The problem tends to arise when users change their passwords.
> 
> I have read a KB article that says that DC's will still continue to
> authenticate the old password for an hour or so after the password is
> changed.

This seems to happen on win2k3 SP1 DCs, from my testing. (But not
earlier versions).

> But I think it is between IE and winbindd that is the problem.
> 
> Below is a trace at debug level 5 from winbindd.  The first is a
> correct authentication attempt from boh\mobeid.  The second is the
> user that had changed his password
> 2.5 hours before this trace.  NTLM authentication has failed and he is
> prompted for basic, he types in his name and it attempts to
> authenticate as Proxy\james.clavering, which no such user exists.
> 
> If I manually use ntlm_auth to authenticate with the new password I
> get a result code 0, so I know that the DC's are working correctly.
> 
> [22734]: pam auth crap domain: BOH user: MOBEID Using cleartext 
> machine password cred_create cred_create cred_assert
> [22734]: pam auth crap domain: PROXY user: JAMES.CLAVERING Using 
> cleartext machine password cred_create cred_create cred_assert NTLM 
> CRAP authentication for user [PROXY]\[JAMES.CLAVERING] returned 
> NT_STATUS_NO_SUCH_USER (PAM: 10)
> [22734]: pam auth crap domain: BOH user: MVELLA Using cleartext 
> machine password cred_create cred_create cred_assert
> 
> Has anybody else experienced these problems with NTLM auth?
> 
> Our installation is RedHat ES Linux 3, with samba-3.0.9-1.3E.5

The problem with the [PROXY] domain is that the user is entering no
domain.  They should enter domain\\username for the basic
authentication.  You could set 'winbind use default domain = yes' to get
the behaviour your users are after.

It is frustrating that IE isn't picking up the new password after the
change.  It would be interesting to see how firefox reacts (as a
comparison/contrast).

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
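
An added example, not part of the original thread: the Proxy-Authorization value quoted in the message above is an NTLMSSP Type 3 message, and this sketch decodes it to show which domain, user and workstation the client sent and to produce the hex strings that `--lm-response` and `--nt-response` expect. The server challenge is not in this message (it travels in the proxy's preceding Type 2 reply); the function names and the OEM code page (cp437) are assumptions.

```python
import base64
import struct

# Proxy-Authorization value copied from the request quoted in the thread.
SAMPLE_TYPE3 = (
    "TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAMAAwBIAAAABgAGAEsAAAAKAAoAUQAAAAAA"
    "AACLAAAABgIAAgUBKAoAAAAPQk9IQUNMQVJLV1MwMDAwNDA2Mcqy1BlECOrX/0aK5lXSDRv3"
    "Vyl/Cz0QPqBFYp3vsixnzBGbbNsq13AjQeJgdduJAA=="
)
NEGOTIATE_UNICODE = 0x00000001


def _field(msg, pos):
    """Read one security buffer (len, maxlen, offset) and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer at %d points outside the message" % pos)
    return msg[offset:offset + length]


def parse_type3(b64):
    """Decode an NTLMSSP Type 3 message that carries a flags field (>= 64 bytes)."""
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message with a flags field")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("expected Type 3 (authenticate), got type %d" % msg_type)
    (flags,) = struct.unpack_from("<I", msg, 60)
    # Without the Unicode flag the names are OEM strings; cp437 is assumed here.
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    lm, nt = _field(msg, 12), _field(msg, 20)
    return {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
        "lm_response": lm.hex(),   # value for --lm-response
        "nt_response": nt.hex(),   # value for --nt-response
        # A 24-byte NT response is the NTLMv1 form; NTLMv2 responses are longer.
        "nt_is_ntlmv2": len(nt) > 24,
    }


if __name__ == "__main__":
    for key, value in parse_type3(SAMPLE_TYPE3).items():
        print("%-13s %s" % (key, value))
```

Comparing the decoded domain and user for a failing request against a working one shows whether the client sent the account that was expected before any response checking is attempted.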