[Samba] Winbind/ntlm_auth issues
jbaird at follett.com
Thu Jul 19 19:41:54 MDT 2012
I think you nailed it. I was running 3.0 from RHEL5. I'm seeing much more promising results so far with 3.6.
From: Andrew Bartlett [abartlet at samba.org]
Sent: Thursday, July 19, 2012 5:25 PM
To: Baird, Josh
Cc: samba at lists.samba.org
Subject: Re: [Samba] Winbind/ntlm_auth issues
On Thu, 2012-07-19 at 15:11 +0000, Baird, Josh wrote:
> I'm struggling to get squid+ntlm_auth working correctly. I have successfully joined the domain, and I am able to successfully enumerate groups and users using wbinfo. I can also successfully run "wbinfo -a."
> However, once I configure Squid to use ntlm_auth per:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debug-level=10 --nt-response
> auth_param ntlm children 5
> auth_param ntlm keep_alive on
> .. Squid does not authenticate and prompts me for credentials. My domain credentials do not work, and this is displayed in Samba/WB's log:
> [2012/07/19 09:58:14, 0] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
> winbindd_pam_auth_crap: invalid password length 24/336
> Does anyone have any ideas on what is causing this? I apologize that this message is Squid-related, but I can't seem to find any answers elsewhere.
This looks like a Samba issue to me. Try a much more recent version of
Samba. I see code in current master for a BIG_NTLMV2_BLOB that smells
exactly like what you have here. Long domain names are padding out one
of the response values (the 336) and going over an internal arbitrary
limit that shouldn't have been there.
The fix is in:
Author: Günther Deschner <gd at samba.org>
Date: Tue Sep 1 11:58:05 2009 +0200
wbclient: Fix Bug #6680: always activate handling of large (> 256
blobs in wbcAuthenticateUserEx().
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
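Added example (not part of the original thread, and not Samba code): a small Python triage script for the log signature discussed above. It pairs each winbindd log header with its message line and flags "invalid password length" entries where a reported length exceeds 256, the figure in the commit subject quoted in the reply. The threshold default, the function name and every sample line after the first entry are assumptions constructed for illustration.

```python
import re

# Samba 3.x log entries span two lines: a bracketed header, then the message.
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]")
BAD_LEN = re.compile(r"winbindd_pam_auth_crap: invalid password length (\d+)/(\d+)")

# Assumption: 256 is taken from the "(> 256" in the commit subject quoted above.
LARGE_BLOB_THRESHOLD = 256

# First entry is the one from the thread; the rest are constructed samples.
SAMPLE_LOG = """\
[2012/07/19 09:58:14, 0] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
  winbindd_pam_auth_crap: invalid password length 24/336
[2012/07/19 09:58:20, 3] nsswitch/winbindd_misc.c:winbindd_ping(1)
  [ 1234]: ping
[2012/07/19 09:59:02, 0] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
  winbindd_pam_auth_crap: invalid password length 24/412
"""


def find_oversized_responses(lines, threshold=LARGE_BLOB_THRESHOLD):
    """Return one dict per 'invalid password length' entry.

    'oversized' is True when either reported length exceeds the threshold,
    the pattern the reply attributes to the old internal size limit.
    """
    findings = []
    last_ts = None  # timestamp of the most recent header line seen
    for raw in lines:
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            last_ts = header.group("ts")
        hit = BAD_LEN.search(line)
        if hit:
            first, second = int(hit.group(1)), int(hit.group(2))
            findings.append({
                "timestamp": last_ts,
                "lengths": (first, second),
                "oversized": max(first, second) > threshold,
            })
    return findings


if __name__ == "__main__":
    for f in find_oversized_responses(SAMPLE_LOG.splitlines()):
        state = "over limit, check Samba version" if f["oversized"] else "within limit"
        print(f["timestamp"], "%d/%d" % f["lengths"], state)
```

Hits on a Samba 3.0-era winbindd are a cue to test against a newer release before changing the Squid helper configuration.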