[Samba] Samba 4, ntlm_auth testing ...

L.P.H. van Belle belle at bazuin.nl
Tue Jun 10 03:47:13 MDT 2014


Which squid version is used?

There are some known bugs with squid3 and kerberos.

I'm installing the same here atm, I'll check if this also happens for me.
My setup: Debian wheezy, samba from backports 4.1.7, squid 3.3.8-1 recompiled from jessie.
I need 3.3.8-1 minimum for ssl-bump in squid on one proxy,
but I'll test the other proxy with 3.1.20, which is the default in wheezy.


Louis
 

>-----Original message-----
>From: abartlet at samba.org [mailto:samba-bounces at lists.samba.org]
>On behalf of Andrew Bartlett
>Sent: Tuesday 10 June 2014 11:19
>To: Dirk Brenken
>CC: samba at lists.samba.org
>Subject: Re: [Samba] Samba 4, ntlm_auth testing ...
>
>On Mon, 2014-06-09 at 19:41 +0200, Dirk Brenken wrote:
>> On 06/09/2014 12:39 PM, Dirk Brenken wrote:
>> > On 06/09/2014 07:20 AM, Dirk Brenken wrote:
>> >> Hi,
>> >>
>> >> currently I've set up Samba 4 (sernet 4.1.8 on debian jessie)
>> >> successfully as an AD-Server ... domain logins from WIN-Clients etc. are
>> >> working quite fine.
>> >> Now I'm trying to test ntlm_auth on cli for later Squid-integration ...
>> >>
>> >> *wbinfo output:*
>> >> wbinfo -a PRAXISAD\\Administrator%xxxxxx
>> >> plaintext password authentication succeeded
>> >> challenge/response password authentication succeeded
>> >>
>> >> *ntlm_auth with basic helper output:*
>> >> root at praxis-server:/etc/squid3# ntlm_auth
>> >> --helper-protocol=squid-2.5-basic --domain=PRAXISAD
>> >> PRAXISAD\Administrator xxxxxx
>> >> *OK*
>> >>
>> >> *ntlm_auth with ntlmssp helper output:*
>> >> root at praxis-server:/etc/squid3# ntlm_auth
>> >> --helper-protocol=squid-2.5-ntlmssp --domain=PRAXISAD
>> >> PRAXISAD\Administrator xxxxxx
>> >> *BH SPNEGO request invalid prefix*
>> >>
>> >> *ntlm_auth with gss-spnego helper output:*
>> >> root at praxis-server:/etc/squid3# ntlm_auth --helper-protocol=gss-spnego
>> >> --domain=PRAXISAD
>> >> PRAXISAD\Administrator xxxxxx
>> >> *BH SPNEGO request invalid prefix*
>> >>
>> >>
>> >> Any ideas what's going wrong here?
>> >>
>> >> Thanks & best regards
>> >> Dirk
>> > I did further testing directly in SQUID and gss-spnego helper works as
>> > expected - thanks!
>> >
>> > br
>> > Dirk
>> >
>> The "--require-membership-of" param of ntlm_auth seems to have no effect.
>> It's not failing, even if the user is *not* member of the group!
>> 
>> Example:
>> 
>> SID of Test-User "dirk":
>> root at praxis-server:/etc/squid3# wbinfo -n dirk
>> S-1-5-21-3041413330-2355144718-3205532893-1104 SID_USER (1)
>> 
>> SID of Test-Group "Test":
>> wbinfo -n PRAXISAD\\Test
>> S-1-5-21-3041413330-2355144718-3205532893-1105 SID_DOM_GROUP (2)
>> 
>> Test-User is only in Group "Domain Users":
>> root at praxis-server:/etc/squid3# wbinfo --user-domgroups
>> S-1-5-21-3041413330-2355144718-3205532893-1104
>> S-1-5-21-3041413330-2355144718-3205532893-513
>> 
>> Result for check against (non-member) Test-Group:
>> root at praxis-server:/etc/squid3# ntlm_auth
>> --require-membership-of=S-1-5-21-3041413330-2355144718-3205532893-1105
>> --helper-protocol=squid-2.5-basic
>> dirk xxxxxx
>> OK
>> 
>> Is this a known bug of ntlm_auth (sernet samba 4.1.8)!?
>
>I can't reproduce this in our 'make testenv' in git master.
>
>~/samba/config.abartlet && make -j && SELFTEST_TESTENV=s3member make testenv
>
>[abartlet at jesse samba]$ bin/wbinfo -n administrator
>S-1-5-21-2617796569-3988300915-1045095420-500 SID_USER (1)
>[abartlet at jesse samba]$ bin/ntlm_auth
>--require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-500
>--helper-protocol=squid-2.5-basic
>SAMBADOMAIN/Administrator locDCpass1
>OK
>[abartlet at jesse samba]$ bin/ntlm_auth
>--require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-5
>--helper-protocol=squid-2.5-basic
>SAMBADOMAIN/Administrator locDCpass1
>ERR
>[abartlet at jesse samba]$ bin/ntlm_auth
>--require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-512
>--helper-protocol=squid-2.5-basic
>SAMBADOMAIN/Administrator locDCpass1
>OK
>[abartlet at jesse samba]$ bin/ntlm_auth
>--require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-513
>--helper-protocol=squid-2.5-basic
>SAMBADOMAIN/Administrator locDCpass1
>OK
>[abartlet at jesse samba]$ bin/ntlm_auth
>--require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-5130
>--helper-protocol=squid-2.5-basic
>SAMBADOMAIN/Administrator locDCpass1
>ERR
>
>Are you sure your user really, really isn't a member of that group,
>perhaps as an alias?
>
>Thanks,
>
>Andrew Bartlett
>
>-- 
>Andrew Bartlett                       http://samba.org/~abartlet/
>Authentication Developer, Samba Team  http://samba.org
>Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>
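To cross-check what ntlm_auth answers against winbind's own view of the user's token, here is an added Python example (not from this thread and not Samba's own code). It assumes wbinfo and ntlm_auth are on PATH on a joined member or DC, uses the thread's SIDs as constructed sample data, and checks membership via `wbinfo --user-sids` rather than `--user-domgroups`, because the former also lists aliases, which is exactly the case Andrew asks about.

```python
"""Added example (not from the thread): compare the answer of
ntlm_auth --require-membership-of with winbind's view of the user's token.
The sample SIDs below are constructed from the thread's values; wbinfo and
ntlm_auth are only executed by check_against_winbind()."""
import re
import subprocess

SID_RE = re.compile(r"^S-1(?:-\d+)+$")  # any SID, domain or BUILTIN

# Constructed sample: what `wbinfo --user-sids=<user-SID>` would print for
# a user who is only in "Domain Users" (RID 513) in the thread's domain.
DOMAIN = "S-1-5-21-3041413330-2355144718-3205532893"
SAMPLE_USER_SID = DOMAIN + "-1104"
SAMPLE_USER_SIDS = DOMAIN + "-1104\n" + DOMAIN + "-513\nS-1-5-32-545\n"

def parse_sids(text):
    """Return the set of SIDs found in wbinfo output, ignoring other lines."""
    return {l.strip() for l in text.splitlines() if SID_RE.match(l.strip())}

def expected_answer(required_sid, user_sids_text):
    """What ntlm_auth should answer: OK only if the required SID is in the
    token. --user-sids lists the user's own SID, domain groups and aliases,
    so a hit here and a miss in --user-domgroups means an alias membership."""
    return "OK" if required_sid in parse_sids(user_sids_text) else "ERR"

def squid_basic_line(user, password):
    """One squid-2.5-basic request line; squid %-escapes spaces and '%'."""
    def esc(s):
        return "".join("%%%02X" % ord(c) if c in " %\n" else c for c in s)
    return "%s %s\n" % (esc(user), esc(password))

def parse_helper_reply(reply):
    """Reduce 'OK', 'ERR' or 'BH <message>' to its status word."""
    first = reply.strip().split(" ", 1)[0]
    return first if first in ("OK", "ERR", "BH") else "BH"

def check_against_winbind(user, password, user_sid, required_sid, domain):
    """Run both tools and report whether ntlm_auth agrees with winbind."""
    wb = subprocess.run(["wbinfo", "--user-sids=" + user_sid],
                        capture_output=True, text=True).stdout
    want = expected_answer(required_sid, wb)
    na = subprocess.run(["ntlm_auth", "--helper-protocol=squid-2.5-basic",
                         "--domain=" + domain,
                         "--require-membership-of=" + required_sid],
                        input=squid_basic_line(user, password),
                        capture_output=True, text=True).stdout
    got = parse_helper_reply(na)
    return {"expected": want, "got": got, "agree": want == got}
```

An "agree": False result with expected ERR and got OK reproduces Dirk's symptom; expected OK from --user-sids while --user-domgroups omits the SID points at an alias membership rather than a bug.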


