[Samba] Samba 4, ntlm_auth testing ...

Andrew Bartlett abartlet at samba.org
Tue Jun 10 03:19:16 MDT 2014


On Mon, 2014-06-09 at 19:41 +0200, Dirk Brenken wrote:
> On 06/09/2014 12:39 PM, Dirk Brenken wrote:
> > On 06/09/2014 07:20 AM, Dirk Brenken wrote:
> >> Hi,
> >>
> >> currently I've setup Samba 4 (sernet 4.1.8 on debian jessie)
> >> successfully as an AD-Server ... domain logins from WIN-Clients etc. are
> >> working quite fine.
> >> Now I'm trying to test ntlm_auth on cli for later Squid-integration ...
> >>
> >> *wbinfo output:*
> >> wbinfo -a PRAXISAD\\Administrator%xxxxxx
> >> plaintext password authentication succeeded
> >> challenge/response password authentication succeeded
> >>
> >> *ntlm_auth with basic helper output:*
> >> root at praxis-server:/etc/squid3# ntlm_auth
> >> --helper-protocol=squid-2.5-basic --domain=PRAXISAD
> >> PRAXISAD\Administrator xxxxxx
> >> *OK*
> >>
> >> *ntlm_auth with ntlmssp helper output:*
> >> root at praxis-server:/etc/squid3# ntlm_auth
> >> --helper-protocol=squid-2.5-ntlmssp --domain=PRAXISAD
> >> PRAXISAD\Administrator xxxxxx
> >> *BH SPNEGO request invalid prefix*
> >>
> >> *ntlm_auth with gss-spnego helper output:*
> >> root at praxis-server:/etc/squid3# ntlm_auth --helper-protocol=gss-spnego
> >> --domain=PRAXISAD
> >> PRAXISAD\Administrator xxxxxx
> >> *BH SPNEGO request invalid prefix*
> >>
> >>
> >> Any ideas what's going wrong here?
> >>
> >> Thanks & best regards
> >> Dirk
> > I did further testing directly in SQUID and gss-spnego helper works as
> > expected - thanks!
> >
> > br
> > Dirk
> >
> The "--require-membership-of" parm of ntlm_auth seems to have no effect.
> It's not failing, even if the user is *not* member of the group!
> 
> Example:
> 
> SID of Test-User "dirk":
> root at praxis-server:/etc/squid3# wbinfo -n dirk
> S-1-5-21-3041413330-2355144718-3205532893-1104 SID_USER (1)
> 
> SID of Test-Group "Test":
> wbinfo -n PRAXISAD\\Test
> S-1-5-21-3041413330-2355144718-3205532893-1105 SID_DOM_GROUP (2)
> 
> Test-User is only in Group "Domain Users":
> root at praxis-server:/etc/squid3# wbinfo --user-domgroups
> S-1-5-21-3041413330-2355144718-3205532893-1104
> S-1-5-21-3041413330-2355144718-3205532893-513
> 
> Result for check against (non-member) Test-Group:
> root at praxis-server:/etc/squid3# ntlm_auth
> --require-membership-of=S-1-5-21-3041413330-2355144718-3205532893-1105
> --helper-protocol=squid-2.5-basic
> dirk xxxxxx
> OK
> 
> Is this a known bug of ntlm_auth (sernet samba 4.1.8)!?

I can't reproduce this in our 'make testenv' in git master.

~/samba/config.abartlet && make -j && SELFTEST_TESTENV=s3member make
testenv

[abartlet at jesse samba]$ bin/wbinfo -n administrator
S-1-5-21-2617796569-3988300915-1045095420-500 SID_USER (1)
[abartlet at jesse samba]$ bin/ntlm_auth
--require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-500
--helper-protocol=squid-2.5-basic
SAMBADOMAIN/Administrator locDCpass1
OK
[abartlet at jesse samba]$ bin/ntlm_auth
--require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-5
--helper-protocol=squid-2.5-basic
SAMBADOMAIN/Administrator locDCpass1
ERR
[abartlet at jesse samba]$ bin/ntlm_auth
--require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-512
--helper-protocol=squid-2.5-basic
SAMBADOMAIN/Administrator locDCpass1
OK
[abartlet at jesse samba]$ bin/ntlm_auth
--require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-513
--helper-protocol=squid-2.5-basic
SAMBADOMAIN/Administrator locDCpass1
OK
[abartlet at jesse samba]$ bin/ntlm_auth
--require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-5130
--helper-protocol=squid-2.5-basic
SAMBADOMAIN/Administrator locDCpass1
ERR

Are you sure your user really, really isn't a member of that group,
perhaps as an alias?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
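To settle the kind of disagreement discussed in this thread, it helps to compare the helper's verdict with winbind's own list of the user's group SIDs (which, unlike --user-domgroups, includes alias/local group memberships when queried with --user-sids). The script below is an added example, not code from Samba or from either poster; it drives the squid-2.5-basic protocol the same way Dirk did on the command line and assumes ntlm_auth and wbinfo are on PATH (both commands can be swapped for stubs, which the constructed sample data relies on).

```python
"""Cross-check ntlm_auth --require-membership-of against winbind's own
view of a user's group SIDs.  Added example, not Samba code."""
import subprocess
from typing import Sequence

# Constructed sample: the shape 'wbinfo --user-sids=<SID>' prints (one SID per line).
SAMPLE_WBINFO_OUTPUT = """S-1-5-21-3041413330-2355144718-3205532893-1104
S-1-5-21-3041413330-2355144718-3205532893-513
"""


def parse_sid_list(wbinfo_output: str) -> set[str]:
    """Return the set of SIDs found in one-SID-per-line wbinfo output."""
    sids = set()
    for line in wbinfo_output.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("S-1-"):
            sids.add(fields[0])
    return sids


def expected_helper_answer(user_sids: set[str], required_sid: str) -> str:
    """Verdict a correctly working --require-membership-of should give."""
    return "OK" if required_sid in user_sids else "ERR"


def run_basic_helper(user: str, password: str, required_sid: str,
                     helper: Sequence[str] = ("ntlm_auth",)) -> str:
    """Drive the squid-2.5-basic protocol: one 'user password' line in,
    one verdict line (OK / ERR / BH ...) out.  'helper' is the command prefix."""
    cmd = [*helper, "--helper-protocol=squid-2.5-basic",
           f"--require-membership-of={required_sid}"]
    proc = subprocess.run(cmd, input=f"{user} {password}\n",
                          capture_output=True, text=True, timeout=30)
    first = proc.stdout.strip().splitlines()
    return first[0].split()[0] if first else "BH"


def helper_agrees_with_winbind(user: str, password: str, user_sid: str,
                               required_sid: str,
                               helper: Sequence[str] = ("ntlm_auth",),
                               wbinfo: Sequence[str] = ("wbinfo",)) -> bool:
    """True when ntlm_auth's verdict matches winbind's group list for the user."""
    proc = subprocess.run([*wbinfo, f"--user-sids={user_sid}"],
                          capture_output=True, text=True, timeout=30)
    expected = expected_helper_answer(parse_sid_list(proc.stdout), required_sid)
    return run_basic_helper(user, password, required_sid, helper) == expected
```

A mismatch (helper says OK while winbind lists no such SID) is the symptom to report; agreement with an unexpected OK usually means the user is in the group after all, for example through an alias.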