[Samba] Urgent Samba / Squid NTLM Auth Problems

Ian Barnes ian at opteqint.net
Wed Nov 9 11:53:21 GMT 2005


We asked the squid guys the following, but no response and we thought you
guys might understand better.

We are trying to do NTLMv2 authentication using samba and squid. We tried and
nothing worked so we upgraded our squid (to 2.5Stable12), and samba to
3.0.20b. Once we upgraded squid, the ntlm_auth program was different so we
used the samba ntlm_auth instead.

We then had the problem that we kept on getting invalid password when using
squid to handle the authentication and have narrowed down the problem to do
with ntlmssp. If I only have a basic authenticator - which looks like the
following, it works perfectly:

auth_param basic program /usr/optec/ntlm_auth.sh basic
auth_param basic children 10
auth_param basic realm server.opteqint.net Cache NTLM Authentication
auth_param basic credentialsttl 2 hours

(ntlm_auth.sh runs the ntlm_auth squid-2.5-basic helper) 

I see the following debug messages:

[2005/11/09 13:20:43, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
  NT_STATUS_OK: Success (0x0)

However, when I use ntlmssp in the squid config, shown below, it does not

auth_param ntlm program /usr/optec/ntlm_auth.sh ntlmssp 
auth_param ntlm children 10 
auth_param ntlm use_ntlm_negotiate yes 

I see the following debug messages:
[2005/11/09 13:22:37, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[ianb] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24
[2005/11/09 13:22:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [MASTERMIND]\[ianb]@[LUCY] failed due to [Wrong Password]

If I type ian instead of ianb, I see an error saying the user does not
exist. This must mean that somehow the wrong password is being passed in the
wrong way - even though it is typed right. 

This only happens with the security option on the AD server set to ONLY
allow NTLMv2/LMv2 and not anything else. If we turn that off it works

As I understand it the password doesn't come to squid in plaintext when it's
using ntlmssp, and I believe that there is some kind of handling problem
with that now? If I type in the password on the command line with the
ntlm_auth program, it is able to validate it just fine using NTLMv2 -
enforcing my belief that something is wrong here...

Any suggestions AT ALL would be appreciated...
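An added diagnostic script (not part of this post, and not Samba or Squid code) that parses the two ntlm_auth debug lines quoted above and reads the response lengths: NTLMv1 responses are exactly 24 bytes while NTLMv2 responses are always longer, so "len1=24 len2=24" shows the client sent LM/NTLMv1 responses, which a domain controller restricted to NTLMv2 will reject as a bad password. The function names, the record layout and the dialect classification are assumptions of this example, not anything ntlm_auth itself reports.

```python
import re

# Constructed sample input: the ntlm_auth debug lines quoted in the post above.
SAMPLE_LOG = """\
[2005/11/09 13:22:37, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[ianb] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24
[2005/11/09 13:22:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [MASTERMIND]\\[ianb]@[LUCY] failed due to [Wrong Password]
"""

# ntlmssp_server_auth line: len1 = LM/LMv2 response length, len2 = NT/NTLMv2.
AUTH_RE = re.compile(
    r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] "
    r"workstation=\[(?P<ws>[^\]]*)\] len1=(?P<len1>\d+) len2=(?P<len2>\d+)")
# winbind_pw_check line reporting the outcome of that attempt.
FAIL_RE = re.compile(
    r"Login for user \[[^\]]*\]\\\[[^\]]*\]@\[[^\]]*\] failed due to \[(?P<reason>[^\]]*)\]")


def classify_nt_response(len2):
    """Infer the NTLM dialect from the NT response length: NTLMv1 responses are
    exactly 24 bytes, while an NTLMv2 response is a 16-byte HMAC-MD5 plus a
    variable blob and so is always longer than 24.  (LMv2 is also 24 bytes, so
    len1 alone cannot tell the dialects apart.)"""
    if len2 == 24:
        return "NTLMv1"
    if len2 > 24:
        return "NTLMv2"
    return "none" if len2 == 0 else "unknown"


def analyse(log):
    """Pair each 'Got user=' line with the outcome line that follows it."""
    attempts = []
    for line in log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            attempts.append({"user": m["user"], "domain": m["domain"],
                             "workstation": m["ws"], "len1": int(m["len1"]),
                             "len2": int(m["len2"]),
                             "dialect": classify_nt_response(int(m["len2"])),
                             "result": "unknown"})
            continue
        m = FAIL_RE.search(line)
        if m and attempts:
            attempts[-1]["result"] = m["reason"]
    return attempts
```

Running analyse(SAMPLE_LOG) on the quoted lines yields one attempt classified as NTLMv1 with result "Wrong Password", which matches a DC configured to accept only NTLMv2/LMv2.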


