[Samba] NTLM Problems

Ian Barnes ian at opteqint.net
Mon Oct 31 19:48:52 GMT 2005


Hi,

I am running squid and samba to auth users against a 2003 domain. My squid
setup is something like this:

auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm children 2
auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 2
auth_param basic realm Cache NTLM Authentication
auth_param basic credentialsttl 2 hours

I then join the domain as follows:
net join -S server -w Domain -U username%password

Once that has succeeded I then run winbindd and nmbd. Once that is done, if
I do a wbinfo -u or -g I can see the users and groups of the users I am
authenticating. All seems fine, but when a user tries to auth, the following
error occurs:

[2005/10/31 11:43:36, 0] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [Domain]\[Proxy2]@[ianb] failed due to [Access denied]
[2005/10/31 11:43:36, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED

If I run a wbinfo -a Proxy2%Password_1 (a valid user and password), I get
this:
[root at cont] ~ # wbinfo -a Proxy2%Password_1
plaintext password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user Proxy2%Password_1 with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user Proxy2 with challenge/response
[root at cont] ~ #

The user that I am joining the domain with (in net join) has the following
set:
* The account is a local administrator on the device, specified within AD
* The account has full read access to all user information, it was delegated
to me.

Something else that's strange is that I saw this error a while ago, and
while trying to debug it, it just stopped occurring, and my users could auth
fine. The domain I'm authing to has over 1000 users (in the lab where we are
testing) and over 2000 groups.

Could anyone provide some more insight as to why this is happening?

Cheers
Ian
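The checks below are an added diagnostic script, not part of the original post or of Samba itself. It walks the layers that squid's ntlm_auth helper depends on in dependency order (winbindd reachable, machine trust secret valid, plaintext logon through winbind, NTLM logon through ntlm_auth, and the privileged winbindd pipe that the squid-2.5-ntlmssp helper needs), so that the first failing layer stands out rather than only the BH at the end of the chain. The domain, account, password, squid user and privileged pipe directory are placeholders taken from or assumed for this post; the status-code hints cover only a few common codes.

```shell
#!/bin/sh
# Added diagnostic script (not from the original post or from Samba): walk the
# winbind chain behind squid's ntlm_auth helper in dependency order.
# Assumptions (placeholders, adjust for your site): wbinfo and ntlm_auth are on
# PATH; the domain, test account, squid user and pipe directory are guesses.
DOMAIN="${DOMAIN:-Domain}"                 # NetBIOS domain name used in net join
TEST_USER="${TEST_USER:-Proxy2}"           # a known-good domain account
TEST_PASS="${TEST_PASS:-Password_1}"       # its password (placeholder)
SQUID_USER="${SQUID_USER:-squid}"          # user squid runs its helpers as (assumed)
WINBINDD_PRIVILEGED="${WINBINDD_PRIVILEGED:-/var/run/winbindd/winbindd_privileged}"  # assumed, site-specific

# Pull the first NT_STATUS_* token out of wbinfo/ntlm_auth output, if any.
nt_status_of() {
    printf '%s\n' "$1" | grep -o 'NT_STATUS_[A-Z_]*' | head -n 1
}

# Translate the status codes most often seen at this layer into a hint.
explain_nt_status() {
    case "$1" in
        NT_STATUS_ACCESS_DENIED)
            echo "the DC refused the request: re-check the machine trust (wbinfo -t) and the logon rights of the account" ;;
        NT_STATUS_LOGON_FAILURE)
            echo "wrong username, password or domain" ;;
        NT_STATUS_NO_LOGON_SERVERS)
            echo "winbindd cannot reach a domain controller" ;;
        "")
            echo "no NT_STATUS code in output" ;;
        *)
            echo "unrecognised status $1" ;;
    esac
}

# Run one check; print only its label and a hint so the password never shows.
step() {
    label="$1"; shift
    out="$("$@" 2>&1)"; rc=$?
    if [ "$rc" -eq 0 ]; then
        printf '[ok]   %s\n' "$label"
    else
        printf '[FAIL] %s: %s\n' "$label" "$(explain_nt_status "$(nt_status_of "$out")")"
    fi
    return "$rc"
}

run_checks() {
    step "winbindd answering (wbinfo -p)" wbinfo -p || return 1
    step "machine trust secret (wbinfo -t)" wbinfo -t || return 1
    step "plaintext logon via winbind (wbinfo -a)" wbinfo -a "$DOMAIN\\$TEST_USER%$TEST_PASS" || return 1
    step "NTLM logon via ntlm_auth" ntlm_auth --domain="$DOMAIN" --username="$TEST_USER" --password="$TEST_PASS" || return 1
    # The squid-2.5-ntlmssp helper talks to the privileged winbindd pipe, so the
    # user squid runs its helpers as must be able to enter that directory.
    if [ -d "$WINBINDD_PRIVILEGED" ]; then
        ls -ld "$WINBINDD_PRIVILEGED"
        id "$SQUID_USER" 2>/dev/null || echo "user $SQUID_USER not found on this host"
    else
        echo "privileged pipe dir $WINBINDD_PRIVILEGED not found (path is site-specific)"
    fi
}

# Run with:  sh check_winbind.sh run   (as root, on the squid/samba host)
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

Running it stops at the first failing layer; in the situation described in the post both wbinfo -a and the ntlm_auth helper already fail, so the interesting output is from the first two steps, before any user credentials are involved.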
