[Samba] Ntlm_auth Problem (resend)

Drew Daugherty thadrewid at gmail.com
Tue Nov 28 17:00:52 GMT 2006


I sent this message and realized I hadn't included info on the
environment so I am resending it.  I am running red hat enterprise
linux 4 with samba version 3.0.10-1.4E.2.  Apache version is 2.0.52.
I also included output from running ntlm_auth on the command line with
diagnostics.  This fails but it only seems to try plaintext auth which
will not work (see below).

I am having problems with mod_auth_ntlm_winbind. The httpd error_log
shows an NT_STATUS_INVALID_PARAMETER error when I try to log in from
browsers (firefox, ie). Winbind seems to be functioning properly as I
can start smb and log in via smbclient. wbinfo and getent work well
also.  Use NTLMv2 only switch is set on the Windows 2003 domain server.
What am I doing wrong?

-drew

== ntlm_auth ==
 ntlm_auth --username <username> --diagnostics --request-nt-key
password:
Wrong Password (0xc000006a)
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
  Test LM failed!
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_lm_ntlm_broken(117)
  LM Key does not match expectations!
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_lm_ntlm_broken(118)
  lm_key:
[2006/11/28 10:52:09, 1] lib/util.c:dump_data(1999)
  [000] 00 00 00 00 00 00 00 00                           ........
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_lm_ntlm_broken(120)
  expected:
[2006/11/28 10:52:09, 1] lib/util.c:dump_data(1999)
  [000] A4 4D 0C 79 81 C2 0D 7F                           .M.y....
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
  Test LM and NTLM failed!
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_lm_ntlm_broken(117)
  LM Key does not match expectations!
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_lm_ntlm_broken(118)
  lm_key:
[2006/11/28 10:52:09, 1] lib/util.c:dump_data(1999)
  [000] 00 00 00 00 00 00 00 00                           ........
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_lm_ntlm_broken(120)
  expected:
[2006/11/28 10:52:09, 1] lib/util.c:dump_data(1999)
  [000] A4 4D 0C 79 81 C2 0D 7F                           .M.y....
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
  Test NTLM failed!
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_ntlm_in_lm(216)
  LM Key does not match expectations!
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_ntlm_in_lm(217)
  lm_key:
[2006/11/28 10:52:09, 1] lib/util.c:dump_data(1999)
  [000] 5F F4 27 8C 39 2C 77 68                           _.'.9,wh
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_ntlm_in_lm(219)
  expected:
[2006/11/28 10:52:09, 1] lib/util.c:dump_data(1999)
  [000] A4 4D 0C 79 81 C2 0D 7F                           .M.y....
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_ntlm_in_lm(224)
  Session Key (first 8 lm hash) does not match expectations!
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_ntlm_in_lm(225)
  user_session_key:
[2006/11/28 10:52:09, 1] lib/util.c:dump_data(1999)
  [000] AA D3 B4 35 B5 14 04 EE  00 00 00 00 00 00 00 00  ...5.... ........
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_ntlm_in_lm(227)
  expected:
[2006/11/28 10:52:09, 1] lib/util.c:dump_data(1999)
  [000] A4 4D 0C 79 81 C2 0D 7F                           .M.y....
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
  Test NTLM in LM failed!
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_ntlm_in_both(287)
  LM Key does not match expectations!
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_ntlm_in_both(288)
  lm_key:
[2006/11/28 10:52:09, 1] lib/util.c:dump_data(1999)
  [000] 00 00 00 00 00 00 00 00                           ........
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_ntlm_in_both(290)
  expected:
[2006/11/28 10:52:09, 1] lib/util.c:dump_data(1999)
  [000] A4 4D 0C 79 81 C2 0D 7F                           .M.y....
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
  Test NTLM in both failed!
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_lm_ntlm_broken(117)
  LM Key does not match expectations!
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_lm_ntlm_broken(118)
  lm_key:
[2006/11/28 10:52:09, 1] lib/util.c:dump_data(1999)
  [000] 00 00 00 00 00 00 00 00                           ........
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:test_lm_ntlm_broken(120)
  expected:
[2006/11/28 10:52:09, 1] lib/util.c:dump_data(1999)
  [000] A4 4D 0C 79 81 C2 0D 7F                           .M.y....
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
  Test NTLM and LM, LM broken failed!
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
  Test Plaintext failed!
Wrong Password (0xc000006a)
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
  Test Plaintext LM broken failed!
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
  Test Plaintext NT only failed!
Wrong Password (0xc000006a)
[2006/11/28 10:52:09, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
  Test Plaintext LM only failed!

== httpd.conf ==
<Directory "/tmp/test">
Order allow,deny
Allow from all
AuthName "Domain Logon"
NTLMAuth On
NegotiateAuth On
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d9"
NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
NTLMBasicAuthoritative On
AuthType NTLM
AuthType Negotiate
Require valid-user
</Directory>

== httpd error_log ==
[Mon Nov 27 16:36:10 2006] [debug] mod_auth_ntlm_winbind.c(1018):
[client 10.0.1.14] doing ntlm auth dance
[Mon Nov 27 16:36:10 2006] [debug] mod_auth_ntlm_winbind.c(482):
[client 10.0.1.14] Launched ntlm_helper, pid 17034
[Mon Nov 27 16:36:10 2006] [debug] mod_auth_ntlm_winbind.c(652):
[client 10.0.1.14] creating auth user
[Mon Nov 27 16:36:10 2006] [debug] mod_auth_ntlm_winbind.c(703):
[client 10.0.1.14] parsing reply from helper to YR
TlRMTVNTUAADAAAAGAAYAGIAAAAYABgAegAAAAAAAABAAAAADAAMAEAAAAAWABYATAAAAAAAAAAAAAAABYIIAGQAcgBlAHcAaQBkAHMAYQBuAGYAZQByAG4AYQBuAGQAbwAkv/0BQK1sfAAAAAAAAAAAAAAAAAAAAACqF7oNvIilkIv2m3p/nQymm2TFvtxyGHM=\n
[2006/11/27 16:36:10, 5] lib/debug.c:debug_dump_status(366)
  INFO: Current debug levels:
    all: True/9
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
[2006/11/27 16:36:10, 1] libsmb/ntlmssp.c:ntlmssp_update(252)
  got NTLMSSP command 3, expected 1
[Mon Nov 27 16:36:10 2006] [debug] mod_auth_ntlm_winbind.c(741):
[client 10.0.1.14] got response: NA NT_STATUS_INVALID_PARAMETER
[Mon Nov 27 16:36:10 2006] [debug] mod_auth_ntlm_winbind.c(765):
[client 10.0.1.14] user not authenticated: NT_STATUS_INVALID_PARAMETER


More information about the samba mailing list