[Samba] Urgent Samba / Squid NTLM Auth Problems

Alex Sharaz A.Sharaz at Hull.ac.uk
Wed Mar 8 09:43:28 GMT 2006


Hi,
I've been having the same problem here with ntlm_auth and NTLMv2, except that
in my case I'm trying to get a RADIUS server to authenticate against our AD
server.

Our desktop services team have configured their end to only accept NTLMv2.
The RADIUS server expects the Linux box to be a member of the AD domain and
then uses ntlm_auth as shown in the log snippet below. You always get a
wrong password error message irrespective of whether the user exists or not.

I am using the Red Hat version of Samba as supplied in RHEL V4.0

(Samba version 3.0.10-1.4E.2)

The program uses

       /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1

If I use ntlm_auth --username=xxx --password=yyy --domain=a.b.c.d

then everything works just fine.

In a previous message Andrew said that ntlm_auth requires
"use_ntlm_negotiate on" to be set up in squid.conf.
Given that I seem to have the same problem, is there any general smb.conf
param I can set to configure the equivalent functionality?

My smb.conf file has

[global]
   workgroup = ADIR
   security = domain
   password server = 150.237.54.198
   realm = ADIR.HULL.AC.UK
   preferred master = no
   server string = Hull Comms support server
   security = ADS
   use spnego = yes
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   winbind separator = +
   bind interfaces only =yes
   interfaces =150.237.47.22 127.0.0.1
   client NTLMv2 auth=yes
#  ldap ssl = start_tls


TIA
alex


Tue Mar  7 11:16:39 2006: DEBUG: Handling request with Handler 'ConvertedFromEAPMSCHAPV2=1'
Tue Mar  7 11:16:39 2006: DEBUG: Handling with Radius::AuthNTLM:
Tue Mar  7 11:16:39 2006: DEBUG: Radius::AuthNTLM looks for match with fred [fred]
Tue Mar  7 11:16:39 2006: INFO: Starting NtlmAuthProg: /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
Tue Mar  7 11:16:39 2006: DEBUG: Passing attribute Request-User-Session-Key: Yes
Tue Mar  7 11:16:39 2006: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Tue Mar  7 11:16:39 2006: DEBUG: Passing attribute LANMAN-Challenge: c5b8a3ec1c76b78d
Tue Mar  7 11:16:39 2006: DEBUG: Passing attribute NT-Response: b2f40e83aab003b7e7d0c0e36b7d5b1a5652b49f5da06026
Tue Mar  7 11:16:39 2006: DEBUG: Passing attribute NT-Domain:: QURJUi5IVUxMLkFDLlVL
Tue Mar  7 11:16:39 2006: DEBUG: Passing attribute Username:: ZnJlZA==
Tue Mar  7 11:16:39 2006: DEBUG: Received attribute: Authenticated: No
Tue Mar  7 11:16:39 2006: DEBUG: Received attribute: Authentication-Error: Wrong Password
Tue Mar  7 11:16:39 2006: DEBUG: Received attribute: .
Tue Mar  7 11:16:39 2006: WARNING: NTLM Could not authenticate user: Wrong Password
Tue Mar  7 11:16:39 2006: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: fred [fred]
Tue Mar  7 11:16:39 2006: DEBUG: AuthBy NTLM result: REJECT, AuthBy NTLM Password check failed
Tue Mar  7 11:16:39 2006: DEBUG: calling_station_hook:Access-Request called
Tue Mar  7 11:16:39 2006: DEBUG: calling_station_hook:exited
Tue Mar  7 11:16:39 2006: INFO: Access rejected for fred: AuthBy NTLM Password check failed
Tue Mar  7 11:16:39 2006: DEBUG: Converted EAP-MSCHAPV2 response Packet dump:

--
View this message in context: http://www.nabble.com/Urgent-Samba-Squid-NTLM-Auth-Problems-t507168.html#a3297403
Sent from the Samba - General forum at Nabble.com.
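
An added diagnostic example (not part of the message above, and not Samba or RADIUS server code): this Python sketch parses the ntlm-server-1 helper exchange from the log, decodes the base64 attributes that the protocol marks with "::", and classifies the NT-Response by length. A 24-byte NT-Response is the NTLMv1-style format that MS-CHAPv2 carries, while an NTLMv2 response is longer, which is the first thing to check when the domain controllers accept only NTLMv2. The function names are hypothetical.

```python
import base64
import re

# Helper exchange lines from the log above; timestamps trimmed, mail wrapping undone.
SAMPLE_LOG = """\
DEBUG: Passing attribute LANMAN-Challenge: c5b8a3ec1c76b78d
DEBUG: Passing attribute NT-Response: b2f40e83aab003b7e7d0c0e36b7d5b1a5652b49f5da06026
DEBUG: Passing attribute NT-Domain:: QURJUi5IVUxMLkFDLlVL
DEBUG: Passing attribute Username:: ZnJlZA==
DEBUG: Received attribute: Authenticated: No
DEBUG: Received attribute: Authentication-Error: Wrong Password
DEBUG: Received attribute: .
"""

ATTR = re.compile(r"(Passing|Received) attribute:? ([\w-]+)(::?) (.*)$")

def parse_exchange(log):
    """Split the log into attributes sent to and received from ntlm_auth."""
    sent, received = {}, {}
    for line in log.splitlines():
        m = ATTR.search(line)
        if not m:
            continue  # includes the lone "." that ends the helper's reply
        direction, key, sep, value = m.groups()
        if sep == "::":  # ntlm-server-1 marks base64-encoded values with "::"
            value = base64.b64decode(value).decode("utf-8", "replace")
        (sent if direction == "Passing" else received)[key] = value.strip()
    return sent, received

def response_format(nt_response_hex):
    """Classify an NT-Response by length alone; no cryptography is checked."""
    n = len(bytes.fromhex(nt_response_hex))
    if n == 24:
        return "24-byte NTLMv1/MS-CHAPv2 format"
    if n > 24:
        return "NTLMv2 format (16-byte proof plus client blob)"
    return "malformed"

def summarize(log):
    sent, received = parse_exchange(log)
    return {
        "user": sent.get("Username"),
        "domain": sent.get("NT-Domain"),
        "challenge_bytes": len(bytes.fromhex(sent["LANMAN-Challenge"])),
        "response_format": response_format(sent["NT-Response"]),
        "authenticated": received.get("Authenticated") == "Yes",
        "error": received.get("Authentication-Error"),
    }

if __name__ == "__main__": print(summarize(SAMPLE_LOG))
```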


