[Samba] NTLM-Auth fails against Win2000SP5
Michael.Kaiser at InfraServ.Gendorf.de
Tue Aug 7 13:44:19 GMT 2007
Hello List,
I have a problem with NTLM-Auth (squid with ntlm_auth) against Win2000SP5.
After updating Win2000SP4 to Win2000SP5, no authentication via NTLM is possible:
Linux Version: SuSE Linux 8.1 (i386) 2.4.19-4GB
Samba Version: samba-3.0.14a
Squid Version: squid-2.5.STABLE14
If I try to authenticate via the console there is no problem (see 4, 5, 6 below).
I attached some tests and the corresponding output:
Domain where I want to authenticate: "DOMAIN6"
--------------------------------cut--------------------------------------
1)
gilbi:~ # wbinfo -t
checking the trust secret via RPC calls succeeded
2)
gilbi:~ # wbinfo --sequence
GILBI : 1
BUILTIN : 1
DOMAIN1 : 45
DOMAIN2: DISCONNECTED
DOMAIN3: 743
DOMAIN4: 1
DOMAIN5: DISCONNECTED
DOMAIN6 : DISCONNECTED
3)
gilbi:~ # wbinfo -m
GILBI
BUILTIN
DOMAIN1
DOMAIN2
DOMAIN3
DOMAIN4
DOMAIN5
# COMMENT: ---- no DOMAIN6 ----- no trust?????
4)
gilbi:~ # wbinfo -a DOMAIN6\\user%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
5)
gilbi:~ # /usr/local/samba/bin/ntlm_auth --username=user --domain=DOMAIN6 --password=password
NT_STATUS_OK: Success (0x0)
6)
gilbi:~ # /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
DOMAIN6\user password
OK
--------------------------------cut--------------------------------------
How can I test the "/usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp" option via the command line?
What exactly does "wbinfo --sequence" list?
In the Win2000 logs I couldn't see anything.
Here is my smb.conf:
--------------------------------cut_-------------------------------------
[global]
workgroup = DOMAIN6
server string = Proxyauthmodule
hosts allow = 10. 127.
log file = /var/log/messages
security = domain
password server = DOMAINCONTROLER-DNS
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
remote browse sync = 10.255.255.255
dns proxy = no
domain master = no
local master = no
preferred master = no
os level = 0
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
--------------------------------cut_-------------------------------------
PS: The update (to Win2000SP5) also includes the current LDAP patch (KB926122 - http://www.microsoft.com/germany/technet/sicherheit/bulletins/ms07-039.mspx). Could this cause a problem with winbindd? No, or?
Kind regards
Michael Kaiser
Business Unit IT-Services
Network Solutions
InfraServ GmbH & Co. Gendorf KG
Industriepark Werk GENDORF
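
The `squid-2.5-ntlmssp` helper asked about above speaks a line protocol on stdin/stdout: Squid sends `YR <base64 NTLMSSP negotiate>`, the helper answers `TT <base64 challenge>`, Squid sends `KK <base64 authenticate>`, and the helper finishes with `AF`, `NA` or `BH`. The following is an added example, not part of the original post or of Samba's code, that builds the `YR` line and decodes helper replies. The function names, the flag value and the sample challenge are constructed for illustration.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"
# Flags: UNICODE | OEM | REQUEST_TARGET | NTLM | ALWAYS_SIGN (assumed choice)
NEGOTIATE_FLAGS = 0x00008207

def negotiate_line(flags=NEGOTIATE_FLAGS):
    """Squid's first request: 'YR ' + base64(NTLMSSP type 1)."""
    # type 1 = signature, type, flags, empty domain and workstation buffers
    msg = SIG + struct.pack("<II", 1, flags) + struct.pack("<HHI", 0, 0, 32) * 2
    return "YR " + base64.b64encode(msg).decode("ascii")

def parse_helper_reply(line):
    """Classify one helper reply line; decode the challenge for 'TT'."""
    code, _, rest = line.strip().partition(" ")
    if code == "TT":
        blob = base64.b64decode(rest)
        if len(blob) < 32 or blob[:8] != SIG or struct.unpack_from("<I", blob, 8)[0] != 2:
            raise ValueError("not an NTLMSSP type 2 (challenge) message")
        tlen, _, toff = struct.unpack_from("<HHI", blob, 12)  # target name buffer
        flags = struct.unpack_from("<I", blob, 20)[0]
        raw = blob[toff:toff + tlen]
        target = raw.decode("utf-16-le" if flags & 0x1 else "ascii", "replace")
        return {"state": "challenge", "target": target,
                "challenge": blob[24:32].hex(), "flags": flags}
    if code == "AF":   # authentication succeeded, rest is the user name
        return {"state": "authenticated", "user": rest}
    if code == "NA":   # authentication rejected, rest is the reason
        return {"state": "denied", "reason": rest}
    if code == "BH":   # helper itself failed
        return {"state": "helper-error", "reason": rest}
    raise ValueError("unexpected helper reply: %r" % line)

def sample_challenge_line():
    """Constructed type 2 message for DOMAIN6 (sample data, not captured)."""
    name = "DOMAIN6".encode("utf-16-le")
    msg = (SIG + struct.pack("<I", 2) + struct.pack("<HHI", len(name), len(name), 48)
           + struct.pack("<I", 0x00008201) + bytes(range(1, 9)) + b"\x00" * 16 + name)
    return "TT " + base64.b64encode(msg).decode("ascii")

if __name__ == "__main__":
    print(negotiate_line())
    print(parse_helper_reply(sample_challenge_line()))
```

The printed `YR` line can be typed at the stdin of `ntlm_auth --helper-protocol=squid-2.5-ntlmssp`, and the `TT` line it returns passed to `parse_helper_reply`. Finishing the exchange needs a `KK` line carrying a type 3 message computed from the password and the returned challenge, which this example does not build.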