[Samba] Samba 4, ntlm_auth testing ...

Dirk Brenken dirk at brenken.org
Tue Jun 10 08:11:36 MDT 2014


On 06/10/2014 11:19 AM, Andrew Bartlett wrote:
> On Mon, 2014-06-09 at 19:41 +0200, Dirk Brenken wrote:
>> On 06/09/2014 12:39 PM, Dirk Brenken wrote:
>>> On 06/09/2014 07:20 AM, Dirk Brenken wrote:
>>>> Hi,
>>>>
>>>> currently I've set up Samba 4 (sernet 4.1.8 on debian jessie)
>>>> successfully as an AD-Server ... domain logins from WIN-Clients etc. are
>>>> working quite fine.
>>>> Now I'm trying to test ntlm_auth on cli for later Squid-integration ...
>>>>
>>>> *wbinfo output:*
>>>> wbinfo -a PRAXISAD\\Administrator%xxxxxx
>>>> plaintext password authentication succeeded
>>>> challenge/response password authentication succeeded
>>>>
>>>> *ntlm_auth with basic helper output:*
>>>> root at praxis-server:/etc/squid3# ntlm_auth
>>>> --helper-protocol=squid-2.5-basic --domain=PRAXISAD
>>>> PRAXISAD\Administrator xxxxxx
>>>> *OK*
>>>>
>>>> *ntlm_auth with ntlmssp helper output:*
>>>> root at praxis-server:/etc/squid3# ntlm_auth
>>>> --helper-protocol=squid-2.5-ntlmssp --domain=PRAXISAD
>>>> PRAXISAD\Administrator xxxxxx
>>>> *BH SPNEGO request invalid prefix*
>>>>
>>>> *ntlm_auth with gss-spnego helper output:*
>>>> root at praxis-server:/etc/squid3# ntlm_auth --helper-protocol=gss-spnego
>>>> --domain=PRAXISAD
>>>> PRAXISAD\Administrator xxxxxx
>>>> *BH SPNEGO request invalid prefix*
>>>>
>>>>
>>>> Any ideas what's going wrong here?
>>>>
>>>> Thanks & best regards
>>>> Dirk
>>> I did further testing directly in SQUID and gss-spnego helper works as
>>> expected - thanks!
>>>
>>> br
>>> Dirk
>>>
>> The "--require-membership-of" parm of ntlm_auth seems to have no effect.
>> It's not failing, even if the user is *not* member of the group!
>>
>> Example:
>>
>> SID of Test-User "dirk":
>> root at praxis-server:/etc/squid3# wbinfo -n dirk
>> S-1-5-21-3041413330-2355144718-3205532893-1104 SID_USER (1)
>>
>> SID of Test-Group "Test":
>> wbinfo -n PRAXISAD\\Test
>> S-1-5-21-3041413330-2355144718-3205532893-1105 SID_DOM_GROUP (2)
>>
>> Test-User is only in Group "Domain Users":
>> root at praxis-server:/etc/squid3# wbinfo --user-domgroups
>> S-1-5-21-3041413330-2355144718-3205532893-1104
>> S-1-5-21-3041413330-2355144718-3205532893-513
>>
>> Result for check against (non-member) Test-Group:
>> root at praxis-server:/etc/squid3# ntlm_auth
>> --require-membership-of=S-1-5-21-3041413330-2355144718-3205532893-1105
>> --helper-protocol=squid-2.5-basic
>> dirk xxxxxx
>> OK
>>
>> Is this a known bug of ntlm_auth (sernet samba 4.1.8)!?
> I can't reproduce this in our 'make testenv' in git master.
>
> ~/samba/config.abartlet && make -j && SELFTEST_TESTENV=s3member make
> testenv
>
> [abartlet at jesse samba]$ bin/wbinfo -n administrator
> S-1-5-21-2617796569-3988300915-1045095420-500 SID_USER (1)
> [abartlet at jesse samba]$ bin/ntlm_auth
> --require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-500
> --helper-protocol=squid-2.5-basic
> SAMBADOMAIN/Administrator locDCpass1
> OK
> [abartlet at jesse samba]$ bin/ntlm_auth
> --require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-5
> --helper-protocol=squid-2.5-basic
> SAMBADOMAIN/Administrator locDCpass1
> ERR
> [abartlet at jesse samba]$ bin/ntlm_auth
> --require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-512
> --helper-protocol=squid-2.5-basic
> SAMBADOMAIN/Administrator locDCpass1
> OK
> [abartlet at jesse samba]$ bin/ntlm_auth
> --require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-513
> --helper-protocol=squid-2.5-basic
> SAMBADOMAIN/Administrator locDCpass1
> OK
> [abartlet at jesse samba]$ bin/ntlm_auth
> --require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-5130
> --helper-protocol=squid-2.5-basic
> SAMBADOMAIN/Administrator locDCpass1
> ERR
>
> Are you sure your user really, really isn't a member of that group,
> perhaps as an alias?
>
> Thanks,
>
> Andrew Bartlett
>
Hi Andrew,

thanks for looking into this ... it's still reproducible in my environment:

Set up a new/empty group in Windows AD (with Windows Remote Admin Tools):
wbinfo -n Empty
S-1-5-21-3041413330-2355144718-3205532893-1107 SID_DOM_GROUP (2)

Test-User:
root at praxis-server:/var/log/samba# wbinfo -n dirk
S-1-5-21-3041413330-2355144718-3205532893-1104 SID_USER (1)

Group listing for Test-User:
root at praxis-server:/var/log/samba# wbinfo --user-domgroups
S-1-5-21-3041413330-2355144718-3205532893-1104
S-1-5-21-3041413330-2355144718-3205532893-513

Test-User is only member of "Domain Users":
root at praxis-server:/var/log/samba# wbinfo -n "Domain Users"
S-1-5-21-3041413330-2355144718-3205532893-513 SID_DOM_GROUP (2)

Finally let ntlm_auth check against empty group "Empty" ;-):
root at praxis-server:/var/log/samba# ntlm_auth
--require-membership-of=S-1-5-21-3041413330-2355144718-3205532893-1107
--helper-protocol=squid-2.5-basic
PRAXISAD\dirk xxxxxx
Got 'PRAXISAD\dirk xxxxxx' from squid (length: 22).
NT_STATUS_OK: Success (0x0)
OK


As you can see, user "dirk" still got an "OK" for an empty group. Maybe
you have an idea for further testing or additional checks ...

Thanks & best regards
Dirk

P.S. SAMBA and SQUID are running on the same server test environment.
P.P.S. Some version information ...

root at praxis-server:/etc/samba# uname -a
Linux praxis-server 3.14-1-amd64 #1 SMP Debian 3.14.4-1 (2014-05-13)
x86_64 GNU/Linux

root at praxis-server:/etc/samba# ntlm_auth --version
Version 4.1.8-SerNet-Debian-8.wheezy

root at praxis-server:/etc/samba# squid3 -version
Squid Cache: Version 3.3.8
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--disable-silent-rules' '--datadir=/usr/share/squid3'
'--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-auth-ntlm=fake,smb_lm'
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-ecap'
'--disable-translation' '--with-swapdir=/var/spool/squid3'
'--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--enable-linux-netfilter'
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall'
'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now'
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security'
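An added example, not code from the thread or from the Samba project: a small Python regression check for `--require-membership-of`. It drives the `squid-2.5-basic` helper once per required SID and compares each verdict with the rule Andrew's transcript demonstrates (OK only when the required SID is among the user's token SIDs, i.e. the user's own SID plus group SIDs as listed by `wbinfo --user-domgroups`). The domain SID, token list and both simulated helpers are constructed for illustration; `real_helper` is the hypothetical wrapper you would pass in on a live server.

```python
# Added example (not from the thread): regression check for
# ntlm_auth --require-membership-of in squid-2.5-basic helper mode.
import subprocess
from typing import Callable, List, Tuple

Helper = Callable[[str, str], str]   # (required_sid, "DOMAIN\\user password") -> verdict


def expected_verdict(required_sid: str, token_sids: List[str]) -> str:
    """Rule shown by Andrew's transcript: OK only if the SID is in the user's token."""
    return "OK" if required_sid in token_sids else "ERR"


def real_helper(required_sid: str, creds: str, ntlm_auth: str = "ntlm_auth") -> str:
    """Feed one credential line to the real helper; the last output line is the verdict.
    ntlm_auth URL-unescapes both fields (Squid would have escaped them), so a plain
    'DOMAIN\\user password' line is fine for simple passwords."""
    proc = subprocess.run(
        [ntlm_auth, "--helper-protocol=squid-2.5-basic",
         f"--require-membership-of={required_sid}"],
        input=creds + "\n", capture_output=True, text=True, check=False)
    lines = [l for l in proc.stdout.splitlines() if l.strip()]
    return lines[-1].split()[0] if lines else "BH"   # OK / ERR / BH


def check_membership(token_sids: List[str], required_sids: List[str],
                     helper: Helper, creds: str) -> List[Tuple[str, str, str]]:
    """Return (sid, expected, got) for every SID where the helper disagrees with the rule."""
    mismatches = []
    for sid in required_sids:
        want = expected_verdict(sid, token_sids)
        got = helper(sid, creds)
        if got != want:
            mismatches.append((sid, want, got))
    return mismatches


# Constructed data with the thread's layout (not real SIDs from any domain):
# user RID 1104, member only of Domain Users (513); 1107 is the empty group.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
TOKEN = [DOMAIN_SID + "-1104", DOMAIN_SID + "-513"]
REQUIRED = [DOMAIN_SID + "-1104", DOMAIN_SID + "-513", DOMAIN_SID + "-1107"]


def correct_helper(required_sid: str, creds: str) -> str:
    """Simulates a helper that enforces membership as Andrew's build does."""
    return expected_verdict(required_sid, TOKEN)


def broken_helper(required_sid: str, creds: str) -> str:
    """Simulates the behaviour Dirk reports: OK regardless of group membership."""
    return "OK"


def demo() -> Tuple[list, list]:
    creds = "DOM\\dirk secret"
    return (check_membership(TOKEN, REQUIRED, correct_helper, creds),
            check_membership(TOKEN, REQUIRED, broken_helper, creds))


if __name__ == "__main__":
    good, bad = demo()
    print("enforcing helper mismatches:", good)      # expect []
    print("non-enforcing helper mismatches:", bad)   # expect the -1107 case
```

On a live server, replace the simulated helper with `real_helper` and the token list with the SIDs from `wbinfo --user-domgroups`; any mismatch is the symptom Dirk describes.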