[Samba] Urgent Samba / Squid NTLM Auth Problems
Dave Raven
dave at raven.za.net
Thu Nov 10 06:44:57 GMT 2005
Hi again all,
I have a few questions regarding NTLMv2. Do you have to be in a
domain for NTLMv2 authentication to work (specifically through a program
like squid). I found an article that says:
"These computers will use Kerberos when they are communicating with Active
Directory and the members of Active Directory. When these computers are in a
workgroup, they will use NTLMv2."
Also, when I am not in the same domain (or when I am) I see the following
from ntlm_auth:
Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
As far as I understand it that is NTLMv2 - or not? I also see
Got NTLMSSP neg_flags=0xa2088207
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_NEGOTIATE_OEM
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
Which specifies NTLM2. Does that mean my negotiation is working properly?
The main problem is that I am getting a NT_STATUS_WRONG_PASSWORD always, and
am trying to decipher why... It still happens when I'm in the domain.
The way this all started happening was after turning 'Network security: LAN
Manager authentication level' to be 'Send NTLMv2 response only/refuse LM &
NTLM'.
Anyone have any ideas?
Thanks
Dave
-----Original Message-----
From: samba-bounces+dave=raven.za.net at lists.samba.org
[mailto:samba-bounces+dave=raven.za.net at lists.samba.org] On Behalf Of Dave
Raven
Sent: 09 November 2005 10:23 PM
To: samba at lists.samba.org
Subject: RE: [Samba] Urgent Samba / Squid NTLM Auth Problems
Below are new debug messages with proper YR string being passed from squid.
I'm not sure what changed to get it to happen, but I still see the incorrect
password error now - whereas if I type it in on the command line:
[root at server] ~ # wbinfo -a ianb%PASSWORD plaintext password authentication
succeeded challenge/response password authentication succeeded
Here are the debug messages:
[2005/11/09 22:21:03, 10] utils/ntlm_auth.c:manage_squid_request(1612)
Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from
squid (length: 59).
[2005/11/09 22:21:03, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(587)
got NTLMSSP packet:
[2005/11/09 22:21:03, 10] lib/util.c:dump_data(2053)
[000] 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 82 08 A2 NTLMSSP. ........
[010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[020] 05 01 28 0A 00 00 00 0F ..(.....
[2005/11/09 22:21:03, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0xa2088207
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_NEGOTIATE_OEM
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
[2005/11/09 22:21:03, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(597)
NTLMSSP challenge
[2005/11/09 22:21:04, 10] utils/ntlm_auth.c:manage_squid_request(1612)
Got 'KK
TlRMTVNTUAADAAAAGAAYAGwAAAAYABgAhAAAABQAFABIAAAACAAIAFwAAAAIAAgAZAAAAAAAAACc
AAAABYKIIgUBKAoAAAAPTQBBAFMAVABFAFIATQBJAE4ARABpAGEAbgBiAEwAVQBDAFkADOX7q+T+
EVYAAAAAAAAAAAAAAAAAAAAA/VL3EzBrcSSDmFlns7FTQ5qs/NU+tIPO' from squid
(length: 211).
[2005/11/09 22:21:04, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(587)
got NTLMSSP packet:
[2005/11/09 22:21:04, 10] lib/util.c:dump_data(2053)
[000] 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 NTLMSSP. ........
[010] 6C 00 00 00 18 00 18 00 84 00 00 00 14 00 14 00 l....... ........
[020] 48 00 00 00 08 00 08 00 5C 00 00 00 08 00 08 00 H....... \.......
[030] 64 00 00 00 00 00 00 00 9C 00 00 00 05 82 88 22 d....... ......."
[040] 05 01 28 0A 00 00 00 0F 4D 00 41 00 53 00 54 00 ..(..... M.A.S.T.
[050] 45 00 52 00 4D 00 49 00 4E 00 44 00 69 00 61 00 E.R.M.I. N.D.i.a.
[060] 6E 00 62 00 4C 00 55 00 43 00 59 00 0C E5 FB AB n.b.L.U. C.Y.....
[070] E4 FE 11 56 00 00 00 00 00 00 00 00 00 00 00 00 ...V.... ........
[080] 00 00 00 00 FD 52 F7 13 30 6B 71 24 83 98 59 67 .....R.. 0kq$..Yg
[090] B3 B1 53 43 9A AC FC D5 3E B4 83 CE ..SC.... >...
[2005/11/09 22:21:04, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
Got user=[ianb] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24
[2005/11/09 22:21:04, 3] utils/ntlm_auth.c:winbind_pw_check(427)
Login for user [MASTERMIND]\[ianb]@[LUCY] failed due to [Wrong Password]
[2005/11/09 22:21:04, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(605)
NTLMSSP NT_STATUS_WRONG_PASSWORD
-----Original Message-----
From: samba-bounces+dave=raven.za.net at lists.samba.org
[mailto:samba-bounces+dave=raven.za.net at lists.samba.org] On Behalf Of Dave
Raven
Sent: 09 November 2005 09:22 PM
To: samba at lists.samba.org
Subject: RE: [Samba] Urgent Samba / Squid NTLM Auth Problems
I have an update on the problem Ian posted about (I am working with him to
solve it)...
The problem is isolated to the use of the
utils/ntlm_auth.c:winbind_pw_check, and libsmb/ntlmssp.c:ntlmssp_server_auth
functions as far as I can tell. When using basic auth, or using the command
line tools available NTLMv2 authentication works fine.
These are some more indepth error messages seen when trying with a valid
user (an invalid user does infact reply invalid user), and a random valid
password (note: changing to use -basic instead of -ntlmssp results in this
all working perfectly - and I have tried 4 different browsers):
[2005/11/09 21:16:38, 10] utils/ntlm_auth.c:manage_squid_request(1609)
Got 'YR' from squid (length: 2).
[2005/11/09 21:16:38, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(587)
got NTLMSSP packet:
[2005/11/09 21:16:38, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(597)
NTLMSSP challenge
[2005/11/09 21:16:38, 10] utils/ntlm_auth.c:manage_squid_request(1609)
Got 'KK
TlRMTVNTUAADAAAAGAAYAFoAAAAYABgAcgAAAAoACgBIAAAABAAEAFIAAAAEAAQAVgAAAAAAAACK
AAAABgIAAgUBKAoAAAAPTUFTVEVSTUlORElBTkJMVUNZYu0jXv1m1KFd5vnkrpFlwOJD5420tN0z
XyXbhlZLKwpoe2FSZ5eadsZLxQ1IVOBC' from squid (length: 187).
[2005/11/09 21:16:38, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(587)
got NTLMSSP packet:
[2005/11/09 21:16:38, 10] lib/util.c:dump_data(2053)
[000] 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 NTLMSSP. ........
[010] 5A 00 00 00 18 00 18 00 72 00 00 00 0A 00 0A 00 Z....... r.......
[020] 48 00 00 00 04 00 04 00 52 00 00 00 04 00 04 00 H....... R.......
[030] 56 00 00 00 00 00 00 00 8A 00 00 00 06 02 00 02 V....... ........
[040] 05 01 28 0A 00 00 00 0F 4D 41 53 54 45 52 4D 49 ..(..... MASTERMI
[050] 4E 44 49 41 4E 42 4C 55 43 59 62 ED 23 5E FD 66 NDIANBLU CYb.#^.f
[060] D4 A1 5D E6 F9 E4 AE 91 65 C0 E2 43 E7 8D B4 B4 ..]..... e..C....
[070] DD 33 5F 25 DB 86 56 4B 2B 0A 68 7B 61 52 67 97 .3_%..VK +.h{aRg.
[080] 9A 76 C6 4B C5 0D 48 54 E0 42 .v.K..HT .B
[2005/11/09 21:16:38, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
Got user=[IANB] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24
[2005/11/09 21:16:38, 3] utils/ntlm_auth.c:winbind_pw_check(427)
Login for user [MASTERMIND]\[IANB]@[LUCY] failed due to [Wrong Password]
[2005/11/09 21:16:38, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(605)
NTLMSSP NT_STATUS_WRONG_PASSWORD
As you can see, it is receiving the domain, workstation and user perfectly.
If I manually run it it seems to work fine as well:
[root at server] ~ # ntlm_auth -d10 --helper-protocol=squid-2.5-ntlmssp
[2005/11/09 21:20:28, 5] lib/debug.c:debug_dump_status(368)
YR
[2005/11/09 21:20:32, 10] utils/ntlm_auth.c:manage_squid_request(1609)
Got 'YR' from squid (length: 2).
[2005/11/09 21:20:32, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(587)
got NTLMSSP packet:
TT TlRMTVNTUAACAAAAAAAAADAAAAASAgAAPOox0vgWvkoAAAAAAAAAAAAAAAAwAAAA
[2005/11/09 21:20:32, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(597)
NTLMSSP challenge
What could be the problem ? I'm willing to anything - even arrange remote
access. Whatever is required...
Thank you
Dave
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
More information about the samba
mailing list