[Samba] samba4 and squid with NTLM auth

Andrew Bartlett abartlet at samba.org
Wed Aug 7 23:33:32 MDT 2013


On Wed, 2013-08-07 at 15:57 +0600, Eugene M. Zheganin wrote:
> Hi.
> 
> Samba-4.0.7
> FreeBSD 10.0-CURRENT
> 
> Besides serving files I'm using Samba to authenticate users in the
> Windows AD with squid.
> After having issues with samba 3.6.16 I decided to see if samba4 will
> fit me more. I was surprised, but I found that Samba 4 is fully
> functional in my environment and is nearly production-ready.
> 
> After that I tried to set up squid to use samba for NTLM authentication.
> I found something that may be a bug, but may also be a misconfiguration
> of some sort. In short words - it doesn't work.
> To describe what's not working, I should say that in my configuration
> squid is authorizing a user in two stages:
> - ntlm_auth is authenticating the user
> - an external squid helper is authorizing the user's access to a URL using
> the name supplied by ntlm_auth and the group membership information from the AD.
> 
> It turns out that for some reason ntlm_auth authenticates the user just
> fine, but then it is supplying squid with some sort of corrupted username:
> 
> squid access log:
> 
> 1375868558.129 1957 192.168.7.71 TCP_DENIED/403 2338 GET
> http://www.ru/rus/index.php ZZZZZZZZZZZZZZZZ%a0%92%03\r%08 HI
> ER_NONE/- text/html
> 
> This ZZZZ[...] is actually my username - 'emz', but it looks like it's
> authenticated by ntlm_auth. Squid also thinks that this username has
> just been authenticated, and tries to look up its group membership
> information.
> 
> Squid cache log:
> 
> support_member.cc(124): pid=12390 :2013/08/07 15:42:38|
> kerberos_ldap_group: INFO: User ZZZZZZZZZZZZZZZZ═..
> . is not member of group at domain Internet Users - Crystal at NULL
> 
> Considering that everything is fine when using samba 3.5.x, I suppose
> the answer is in the samba software.
> Is this some bug or a misconfiguration?

Certainly this looks like a missing NULL terminator, if it is as you
describe.  Can you operate ntlm_auth manually (operate one ntlm_auth in
client mode, another in squid-2.5-ntlmssp mode and copy the blobs back
and forth), and demonstrate it?  This will avoid all the complexity of
squid, and help isolate the issue.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz
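The manual check Andrew asks for, written out as an added example that is not from this thread or from Samba: one ntlm_auth in client mode and one in squid-2.5-ntlmssp mode, driven over their line-based helper protocol by a script that copies the blobs between them and then checks whether the final "AF" username carries anything beyond printable ASCII (the trailing bytes seen in the squid log would fail that check). It assumes ntlm_auth is on PATH with a working winbindd, and that ntlm_auth reads the client password from the NTLM_PASSWORD environment variable; the sample replies in the comments are constructed.

```python
import subprocess
import sys
from subprocess import PIPE

# The two helper modes named in the reply. The client password is expected in
# NTLM_PASSWORD (assumed to be honoured by ntlm_auth) so it stays out of `ps`.
CLIENT_CMD = ["ntlm_auth", "--helper-protocol=ntlmssp-client-1"]
SERVER_CMD = ["ntlm_auth", "--helper-protocol=squid-2.5-ntlmssp"]


def username_is_clean(reply):
    """True only for an 'AF <name>' server reply whose name is printable ASCII.

    A name followed by stray bytes (constructed sample: b"AF ZZZZ\\xa0\\x92\\x03")
    fails, as does any NA/BH error reply or an empty name.
    """
    if not reply.startswith(b"AF "):
        return False
    name = reply[3:]
    return len(name) > 0 and all(0x20 <= b <= 0x7E for b in name)


def token(reply):
    """Strip the two-letter status code (YR/TT/AF) off a helper reply, raising on NA/BH."""
    code, _, rest = reply.partition(b" ")
    if code in (b"NA", b"BH"):
        raise RuntimeError("helper failed: " + reply.decode("ascii", "backslashreplace"))
    return rest


def talk(proc, line):
    """Send one protocol line to a helper and return its one-line answer (raw bytes)."""
    proc.stdin.write(line + b"\n")
    proc.stdin.flush()
    return proc.stdout.readline().rstrip(b"\n")


def run_exchange(user, domain):
    """Copy the NTLMSSP blobs between the two helpers; return the server's final reply."""
    client = subprocess.Popen(CLIENT_CMD + ["--username=" + user, "--domain=" + domain],
                              stdin=PIPE, stdout=PIPE)
    server = subprocess.Popen(SERVER_CMD, stdin=PIPE, stdout=PIPE)
    try:
        negotiate = token(talk(client, b"YR"))                   # client -> YR <NEGOTIATE>
        challenge = token(talk(server, b"YR " + negotiate))      # server -> TT <CHALLENGE>
        authenticate = token(talk(client, b"TT " + challenge))   # client -> AF <AUTHENTICATE>
        return talk(server, b"KK " + authenticate)               # server -> AF DOMAIN\user or NA
    finally:
        client.kill()
        server.kill()


if __name__ == "__main__":
    final = run_exchange(sys.argv[1], sys.argv[2])   # usage: NTLM_PASSWORD=... script.py USER DOMAIN
    print(final.decode("ascii", "backslashreplace"))  # stray bytes show up as \xNN escapes
    sys.exit(0 if username_is_clean(final) else 1)
```

Run it with the same account squid uses; a non-zero exit with escaped bytes after the name reproduces the corruption without squid in the loop.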
