[Samba] Samba 4, ntlm_auth testing ...

Dirk Brenken dirk at brenken.org
Mon Jun 9 11:41:19 MDT 2014


On 06/09/2014 12:39 PM, Dirk Brenken wrote:
> On 06/09/2014 07:20 AM, Dirk Brenken wrote:
>> Hi,
>>
>> currently I've set up Samba 4 (sernet 4.1.8 on debian jessie)
>> successfully as an AD-Server ... domain logins from WIN-Clients etc. are
>> working quite fine.
>> Now I'm trying to test ntlm_auth on cli for later Squid-integration ...
>>
>> *wbinfo output:*
>> wbinfo -a PRAXISAD\\Administrator%xxxxxx
>> plaintext password authentication succeeded
>> challenge/response password authentication succeeded
>>
>> *ntlm_auth with basic helper output:*
>> root@praxis-server:/etc/squid3# ntlm_auth
>> --helper-protocol=squid-2.5-basic --domain=PRAXISAD
>> PRAXISAD\Administrator xxxxxx
>> *OK*
>>
>> *ntlm_auth with ntlmssp helper output:*
>> root@praxis-server:/etc/squid3# ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp --domain=PRAXISAD
>> PRAXISAD\Administrator xxxxxx
>> *BH SPNEGO request invalid prefix*
>>
>> *ntlm_auth with gss-spnego helper output:*
>> root@praxis-server:/etc/squid3# ntlm_auth --helper-protocol=gss-spnego
>> --domain=PRAXISAD
>> PRAXISAD\Administrator xxxxxx
>> *BH SPNEGO request invalid prefix*
>>
>>
>> Any ideas what's going wrong here?
>>
>> Thanks & best regards
>> Dirk
> I did further testing directly in SQUID and gss-spnego helper works as
> expected - thanks!
>
> br
> Dirk
>
The "--require-membership-of" parm of ntlm_auth seems to have no effect.
It's not failing, even if the user is *not* a member of the group!

Example:

SID of Test-User "dirk":
root@praxis-server:/etc/squid3# wbinfo -n dirk
S-1-5-21-3041413330-2355144718-3205532893-1104 SID_USER (1)

SID of Test-Group "Test":
wbinfo -n PRAXISAD\\Test
S-1-5-21-3041413330-2355144718-3205532893-1105 SID_DOM_GROUP (2)

Test-User is only in Group "Domain Users":
root@praxis-server:/etc/squid3# wbinfo --user-domgroups
S-1-5-21-3041413330-2355144718-3205532893-1104
S-1-5-21-3041413330-2355144718-3205532893-513

Result for check against (non-member) Test-Group:
root@praxis-server:/etc/squid3# ntlm_auth
--require-membership-of=S-1-5-21-3041413330-2355144718-3205532893-1105
--helper-protocol=squid-2.5-basic
dirk xxxxxx
OK

Is this a known bug of ntlm_auth (sernet samba 4.1.8)!?

best regards
dirk
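
Added example, not part of the original post and not Samba's own code: a shell cross-check that decides group membership from the same two wbinfo calls shown above (-n and --user-domgroups), independent of what ntlm_auth reports, and denies when a lookup fails. The function names and the WBINFO override variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Cross-check of group membership using wbinfo only (added example).
# WBINFO is a hypothetical override so the lookup command can be swapped
# for a stub; by default the real wbinfo binary is used.
WBINFO="${WBINFO:-wbinfo}"

# user_sid NAME: print the SID of NAME, return 2 if it cannot be resolved.
# "wbinfo -n" prints "<SID> <TYPE> (<n>)", so only the first field is kept.
user_sid() {
    out=$("$WBINFO" -n "$1" 2>/dev/null) || return 2
    sid=${out%% *}
    case "$sid" in
        S-1-*) printf '%s\n' "$sid" ;;
        *)     return 2 ;;
    esac
}

# is_member NAME GROUP_SID
# returns 0 = member, 1 = not a member, 2 = lookup failed
is_member() {
    sid=$(user_sid "$1") || return 2
    grps=$("$WBINFO" --user-domgroups "$sid" 2>/dev/null) || return 2
    # -x whole line, -F fixed string: a substring match would wrongly
    # accept a group SID that is only a prefix of a listed SID.
    printf '%s\n' "$grps" | grep -qxF -- "$2"
}

# membership_verdict NAME GROUP_SID: print OK or ERR.
# Any failure, including an unresolved user, results in ERR (fail closed).
membership_verdict() {
    if is_member "$1" "$2"; then
        echo OK
    else
        echo ERR
    fi
}
```

With the values from the message above, membership_verdict dirk S-1-5-21-3041413330-2355144718-3205532893-1105 would be expected to print ERR, which can be compared against the OK returned by ntlm_auth.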

