[Samba] Urgent Samba / Squid NTLM Auth Problems

Ian Barnes ian at opteqint.net
Mon Nov 7 21:21:47 GMT 2005


Hi, 

We are having problems setting up a squid cache server to use NTLMv2
authentication to authenticate users against AD.

We have narrowed the problems down to a problem between samba and squid
when using NTLMv2. It constantly moans about the password being wrong when
using squid, but doing a direct samba auth works fine. We have (we believe)
narrowed it down to this: the domain requires client ntlmv2 auth = yes in
samba to work - however it seems ntlm_auth does not support this!

Our process was as follows:

On the domain controller, we set the "Network Security: LAN Manager
authentication level" option to "Send NTLM response only". We then set
smb.conf to look something like this:

[global]
winbind separator = +
winbind cache time = 10
workgroup = DOMAIN
security = ads
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
#realm = S058DS1001001.DOMAIN.COM
#client ntlmv2 auth = yes
log file = /var/log/log.%m

That works: when joining the domain we can see the users, groups etc. Some
of the commands we ran:

[root@cont] ~ # wbinfo -a Proxy2%Password_1
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root@cont] ~ # wbinfo -t
checking the trust secret via RPC calls succeeded

All worked fine, and squid could auth the user as could a wbinfo -a. 

We then switched the option in AD to "Send NTLMv2 response only\refuse LM &
NTLM" and the smb.conf to the following:

[global]
winbind separator = +
winbind cache time = 10
workgroup = DOMAIN
security = ads
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
realm = S058DS1001001.DOMAIN.COM
client ntlmv2 auth = yes
log file = /var/log/log.%m

When we join the domain, it joins fine, we run winbindd and nmbd and we can
then look up the users and groups. We can do a net ads testjoin which works
fine as well:

[root@cont] ~ # net ads testjoin
Join is OK

Note that client ntlmv2 auth is on now. The problem comes in when trying to
use squid to do the authentication. We get the following error in the squid
log file if we set the authenticator's debugging to level 9:

[2005/11/07 13:36:35, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[Proxy4] domain=[DOMAIN] workstation=[ianb] len1=24 len2=24
[2005/11/07 13:36:35, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [DOMAIN]\[Proxy4]@[ianb] failed due to [Wrong Password]

If we type in a username that doesn't exist, it complains that the username
is invalid, so we know that it has to do with the password. We also know that
the password is correct as we tried this numerous times and we also tried
copy pasting the password into the required field.

Our squid.conf looks like this:

auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d9
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm children 2
auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic -d9
auth_param basic children 2
auth_param basic realm Cache NTLM Authentication
auth_param basic credentialsttl 2 hours

Anyone have any idea as to why that would happen when only using squid? Is
there an option that we need to set to make the authenticator use ntlmv2
only or something like we had to do for samba? Does ntlm_auth not understand
the v2 protocol properly?


Onto another question, when I join the domain for the first time, I get this
error when trying to do anything besides a wbinfo -u or wbinfo -g. Here are
a few examples:

[root@cont] ~ # wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret

And this from the squid log if we try and auth a user:
[2005/10/31 11:43:36, 0] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [Domain]\[Proxy2]@[ianb] failed due to [Access denied]
[2005/10/31 11:43:36, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED

The strange thing is these errors stop happening from anywhere between 5 and
15 minutes after joining the domain. Any ideas as to why they are occurring
in the first place? Basically: We are able to list users, and groups - but
wbinfo -t doesn't work until we've been logged on for 5-15 minutes
(randomly)?

Thanks in advance,
Ian
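
An added example, not from Ian's post and not Samba's or Squid's own code: it decodes the NTLMSSP AUTHENTICATE (Type 3) token that Squid hands to ntlm_auth, reports the LM and NT response lengths in the same shape as the "Got user=[...] len1=... len2=..." debug line quoted above (len1 is the LM buffer, len2 the NT buffer), and names the response flavour from those lengths. Everything in it is constructed: the user, domain and workstation strings are taken from the log line for recognisability, the response bytes are dummy filler rather than real password hashes, and the token builder exists only so the parser has something to run on offline.

```python
"""Inspect an NTLMSSP AUTHENTICATE (Type 3) token and report whether the
client sent NTLMv1 or NTLMv2 responses. Added example with constructed
messages only; no real password hashes are computed."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MSG_AUTHENTICATE = 3
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000

# Order of the security-buffer descriptors (len, maxlen, offset) in a Type 3 header.
_FIELDS = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
_HEADER_LEN = 8 + 4 + 8 * len(_FIELDS) + 4   # signature, type, six descriptors, flags


def build_authenticate(lm_response, nt_response, domain, user, workstation, flags):
    """Assemble a minimal Type 3 message (no Version or MIC) from the given buffers."""
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    buffers = (lm_response, nt_response, domain.encode(enc), user.encode(enc),
               workstation.encode(enc), b"")          # no encrypted session key
    descriptors, payload = b"", b""
    for data in buffers:
        descriptors += struct.pack("<HHI", len(data), len(data), _HEADER_LEN + len(payload))
        payload += data
    return (NTLMSSP_SIGNATURE + struct.pack("<I", MSG_AUTHENTICATE)
            + descriptors + struct.pack("<I", flags) + payload)


def parse_authenticate(msg):
    """Return the buffers and flags of a Type 3 message; reject anything else."""
    if len(msg) < _HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != MSG_AUTHENTICATE:
        raise ValueError("expected AUTHENTICATE (type 3), got type %d" % msg_type)
    out, pos = {}, 12
    for name in _FIELDS:
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
        pos += 8
        if offset + length > len(msg):               # bounds check before slicing
            raise ValueError("%s buffer points outside the message" % name)
        out[name] = msg[offset:offset + length]
    (out["flags"],) = struct.unpack_from("<I", msg, pos)
    enc = "utf-16-le" if out["flags"] & NEGOTIATE_UNICODE else "ascii"
    for name in ("domain", "user", "workstation"):
        out[name] = out[name].decode(enc)
    return out


def classify(parsed):
    """Name the response flavour from buffer sizes, which the protocol fixes."""
    lm, nt = parsed["lm_response"], parsed["nt_response"]
    if len(nt) == 0:
        return "anonymous"
    if len(nt) == 24:
        # NTLMv1 NT response is exactly 24 bytes. With NTLM2 session security the
        # LM buffer is an 8-byte client nonce padded with 16 zero bytes.
        if len(lm) == 24 and lm[8:] == b"\x00" * 16:
            return "NTLMv1 (NTLM2 session security)"
        return "NTLMv1"
    # NTLMv2 = 16-byte NTProofStr + client blob (timestamp, client challenge,
    # AV pairs), so the NT buffer is always longer than 24 bytes.
    return "NTLMv2"


def summarize(token_b64):
    """Decode a base64 token ('Proxy-Authorization: NTLM <token>') and report it
    like ntlm_auth's debug line: len1 = LM buffer, len2 = NT buffer."""
    p = parse_authenticate(base64.b64decode(token_b64))
    line = "user=[%s] domain=[%s] workstation=[%s] len1=%d len2=%d" % (
        p["user"], p["domain"], p["workstation"], len(p["lm_response"]), len(p["nt_response"]))
    return line, classify(p)


# Constructed sample tokens (filler bytes, not derived from any password).
NTLMV1_TOKEN = base64.b64encode(build_authenticate(
    b"\x11" * 24, b"\x22" * 24, "DOMAIN", "Proxy4", "ianb",
    NEGOTIATE_UNICODE | NEGOTIATE_NTLM)).decode()

_blob = b"\x01\x01" + b"\x00" * 6 + b"\x33" * 8 + b"\x44" * 8 + b"\x00" * 4 + b"\x00" * 4
NTLMV2_TOKEN = base64.b64encode(build_authenticate(
    b"\x55" * 16 + b"\x66" * 8,      # LMv2: 16-byte HMAC + 8-byte client challenge
    b"\x77" * 16 + _blob,            # NTLMv2: NTProofStr + 32-byte blob
    "DOMAIN", "Proxy4", "ianb",
    NEGOTIATE_UNICODE | NEGOTIATE_NTLM | NEGOTIATE_EXTENDED_SESSIONSECURITY)).decode()

if __name__ == "__main__":
    for token in (NTLMV1_TOKEN, NTLMV2_TOKEN):
        line, flavour = summarize(token)
        print("%s -> %s" % (line, flavour))
```

What to read from the lengths: an NTLMv2 NT response can never be 24 bytes, so len2=24 in the quoted log line means the browser on workstation ianb answered with NTLMv1 responses. A domain controller set to "Send NTLMv2 response only\refuse LM & NTLM" rejects NTLMv1 responses no matter what ntlm_auth forwards, and the client ntlmv2 auth option in smb.conf only governs what Samba itself sends when it acts as a client (for example winbind checking the trust secret), not what ntlm_auth accepts from browsers. The check therefore belongs on the client side: confirm the workstation's own LAN Manager authentication level setting makes it send NTLMv2 before blaming the helper.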
