[Samba] squid, ntlm_auth, winbind problem

Frank Matthieß frankm at lug-owl.de
Thu Feb 11 01:05:31 MST 2010 

Hi all,

please cc me, i'm not on the list.

Second: All google findable information about problems setting up
		ntlm_auth for squid with winbind are read and checked more than
		three times.

After breaking a running setup under debian squeeze, i go back to debian
lenny to circumvent the actual  MIT kerberos problem[1].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977#57

Now i face the problem, that no ntlm_auth version[2] authenticate against
the running w2k3 ad. The winbind runs correct. wbinfo -g|-u|-t runs quite
well.

[2] samba-*  2:3.4.3-1~bpo50+2
    sernet-* 3.4.5-27

To get the most stable samba version, i get them from www.backports.org
including the 2.6.30 kernel package.

The used configuration is copied from the formerly running machine.

Doing this on the shell will get this result:
~# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='SWB+Internetbenutzer'
SWB\user mypassword
[2010/02/11 08:51:14,  1] utils/ntlm_auth.c:802(manage_squid_ntlmssp_request)
BH NTLMSSP query invalid

Here a list of information about the system with the problem:

debian_version 5.0.4
with linux-image form backpots.org
with sernet-samba packages from http://ftp.sernet.de/pub/samba/experimental/debian

ii  sernet-libwbclient0               3.4.5-27                 client library for interfacing with winbind service
ii  sernet-samba                      3.4.5-27                 a LanManager-like file and printer server for Unix
ii  sernet-samba-common               3.4.5-27                 Samba common files used by both the server and the
ii  sernet-samba-keyring              1.1                      GnuPG archive keys of the SerNet Samba archive
ii  sernet-winbind                    3.4.5-27                 service to resolve user and group information from


ii  squid                             2.7.STABLE7-1~bpo50+1    Internet object cache (WWW proxy cache)
ii  squid-common                      2.7.STABLE7-1~bpo50+1    Internet object cache (WWW proxy cache) - co
ii  squid-langpack                    20090921-2~bpo50+1       Localized error pages for Squid

ii  linux-image-2.6.30-bpo.2-686      2.6.30-8~bpo50+2         Linux 2.6.30 image on PPro/Celeron/PII/PIII/



getent passwd:
proxy:x:13:13:proxy:/bin:/bin/sh

getent group:
proxy:x:13:
winbindd_priv:x:104:proxy

ls -ld /var/lib/samba/winbindd_privileged
drwxr-x--- 2 root winbindd_priv 4096 10. Feb 14:55 /var/lib/samba/winbindd_privileged
ls -ld /var/lib/samba/winbindd_privileged/*
srwxrwxrwx 1 root root 0 10. Feb 14:55 /var/lib/samba/winbindd_privileged/pipe

squid.conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='SWB+Internetbenutzer'
auth_param ntlm children 5
auth_param ntlm keep_alive on
auth_param basic program  /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='SWB+Internetbenutzer'
auth_param basic children 5
auth_param basic realm "SWB Internetfreigabe-Anmeldung"
auth_param basic credentialsttl 4 hours
auth_param basic casesensitive off

wbinfo --seperator:
+

net ads testjoin:
Join is OK
[global]
   workgroup = SWB
   netbiosname = PROXY-TEST
   server string = Proxyserver Test
   realm = SWB.LAN
   encrypt passwords = true
   security = ADS
   password server = hauptserver.swb.lan
   log level = 3
   log file = /var/log/samba/%m.log
   max log size = 50
   syslog = yes
   prefered master = no
   dns proxy = no
   ldap ssl = no
   idmap uid = 10000 - 20000
   idmap gid = 10000 - 20000
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind expand groups = 3
   ;template homedir = /home/%D/%U
   ;template shell = /bin/bash
   ;
   ;
   ;
   winbind separator = +


;   name resolve order = lmhosts host wins bcast
   interfaces = 127.0.0.0/8 eth0
   bind interfaces only = yes
   panic action = /usr/share/samba/panic-action %d
   passdb backend = tdbsam
   obey pam restrictions = yes

[hier-gibt-es-nix-zu-sehen]
   path = /tmp
   comment = Hier gibt es nix zu sehen
   guest ok = no
   read only = yes

 wbinfo -n  'SWB+Internetbenutzer'
S-1-5-21-1063980897-116165429-615769971-1201 Domain Group (2)

 wbinfo -s S-1-5-21-1063980897-116165429-615769971-1201
SWB+internetbenutzer 2


/var/log/squid&/cache.log:
[2010/02/10 14:37:18,  3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xa2088207
[2010/02/10 14:37:18,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[fmat] domain=[SWB] workstation=[TS1] len1=24 len2=24
[2010/02/10 14:37:18,  0] utils/ntlm_auth.c:271(get_require_membership_sid)
  Winbindd lookupname failed to resolve 'SWB+Internetbenutzer' into a SID!
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  Failed lookup at the first access to ntlm_auth


[2010/02/10 14:37:18,  3] utils/ntlm_auth.c:558(winbind_pw_check)
  Login for user [SWB]\[fmat]@[TS1] failed due to [unknown error (NULL)]
[2010/02/10 14:37:22,  3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x00088207
[2010/02/10 14:37:22,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[fmat] domain=[] workstation=[ts1] len1=24 len2=24
[2010/02/10 14:37:22,  0] utils/ntlm_auth.c:271(get_require_membership_sid)
  Winbindd lookupname failed to resolve 'SWB+Internetbenutzer' into a SID!
[2010/02/10 14:37:22,  3] utils/ntlm_auth.c:558(winbind_pw_check)
  Login for user []\[fmat]@[ts1] failed due to [unknown error (NULL)]


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20100211/f26627d1/attachment.pgp>

More information about the samba mailing list