[Samba] Winbind/ntlm_auth issues

Baird, Josh jbaird at follett.com
Thu Jul 19 19:41:54 MDT 2012


I think you nailed it.  I was running 3.0 from RHEL5.  I'm seeing much more promising results so far with 3.6.  


From: Andrew Bartlett [abartlet at samba.org]
Sent: Thursday, July 19, 2012 5:25 PM
To: Baird, Josh
Cc: samba at lists.samba.org
Subject: Re: [Samba] Winbind/ntlm_auth issues

On Thu, 2012-07-19 at 15:11 +0000, Baird, Josh wrote:
> Hi,
> I'm struggling to get squid+ntlm_auth working correctly.  I have successfully joined the domain, and I am able to successfully enumerate groups and users using wbinfo.  I can also successfully run "wbinfo -a."
> However, once I configure Squid to use ntlm_auth per:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debug-level=10 --nt-response
> auth_param ntlm children 5
> auth_param ntlm keep_alive on
> .. Squid does not authenticate and prompts me for credentials.  My domain credentials do not work, and this is displayed in Samba/WB's log:
> [2012/07/19 09:58:14, 0] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
>   winbindd_pam_auth_crap: invalid password length 24/336
> Does anyone have any ideas on what is causing this?  I apologize that this message is Squid-related, but I can't seem to find any answers elsewhere.

This looks like a Samba issue to me.  Try a much more recent version of
Samba.  I see code in current master for a BIG_NTLMV2_BLOB that smells
exactly like what you have here.  Long domain names are padding out one
of the response values (the 336) and going over an internal arbitrary
limit that shouldn't have been there.

The fix is in:

commit 9264f4891484b0316e8e574e256ca0b0a5e9f007
Author: Günther Deschner <gd at samba.org>
Date:   Tue Sep 1 11:58:05 2009 +0200

    wbclient: Fix Bug #6680: always activate handling of large (> 256
byte) ntlmv2
    blobs in wbcAuthenticateUserEx().


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list