[Samba] Re: NTLM Problems

Ian Barnes ian at opteqint.net
Tue Nov 1 11:24:30 GMT 2005


Hi,

This is an example of the config. The workgroup is different at the client.

[global]
winbind separator = +
winbind cache time = 10
workgroup = MASTERMIND
security = domain
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
realm =  
client ntlmv2 auth = yes


Thanks for the help
Cheers
Ian


-----Original Message-----
From: samba-bounces+ian=opteqint.net at lists.samba.org
[mailto:samba-bounces+ian=opteqint.net at lists.samba.org] On Behalf Of samba
Sent: 01 November 2005 12:38 PM
To: samba at lists.samba.org
Subject: [Samba] Re: NTLM Problems

Please, post your smb.conf



"Ian Barnes" <ian at opteqint.net> wrote in message 
news:20051031194912.84207162C52 at lists.samba.org...
> Hi,
>
> I am running squid and samba to auth users against a 2003 domain. My squid
> setup is something like this:
>
> auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm children 2
> auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 2
> auth_param basic realm Cache NTLM Authentication
> auth_param basic credentialsttl 2 hours
>
> I then join the domain as follows:
> net join -S server -w Domain -U username%password
>
> Once that has succeeded I then run winbindd and nmbd. Once that is done, if
> I do a wbinfo -u or -g I can see the users and groups of the users I am
> authenticating. All seems fine, but when a user tries to auth, the following
> error occurs:
>
> [2005/10/31 11:43:36, 0] utils/ntlm_auth.c:winbind_pw_check(427)
>  Login for user [Domain]\[Proxy2]@[ianb] failed due to [Access denied]
> [2005/10/31 11:43:36, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
>  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
>
> If I run a wbinfo -a Proxy2%Password_1 (A valid user and password), I get
> this:
> [root at cont] ~ # wbinfo -a Proxy2%Password_1
> plaintext password authentication failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> error messsage was: Access denied
> Could not authenticate user Proxy2%Password_1 with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> error messsage was: Access denied
> Could not authenticate user Proxy2 with challenge/response
> [root at cont] ~ #
>
> The user that I am joining the domain with (in net join) has the following
> set:
> * The account is a local administrator on the device, specified within AD
> * The account has full read access to all user information, it was delegated
> to me.
>
> Something else that's strange is that I saw this error a while ago, and
> while trying to debug it, it just stopped occurring, and my users could auth
> fine. The domain I'm authing to has over 1000 users (in the lab where we are
> testing) and over 2000 groups.
>
> Could anyone provide some more insight as to why this is happening?
>
> Cheers
> Ian



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


