[Samba] Samba 4, ntlm_auth testing ...

Garming Sam garming at catalyst.net.nz
Sun Jun 29 16:32:19 MDT 2014


Hi there,

Apparently, the issue is actually a known failure. The current winbind 
code, which is used in the AD-DC only, doesn't handle the 
require-membership-of flag.
We're attempting to try and get this changed, but there's still a good 
deal of work to be done.

In the meantime, you should use ntlm_auth on a member server.


Thanks,

Garming Sam


On 11/06/14 14:36, Garming Sam wrote:
> Hi there,
>
> I'm helping out Andrew, seeing if I can replicate this issue.
>
> Using the same command as Andrew did previously, with samba 4.1.8 I 
> get the same results as him.
>
> SELFTEST_TESTENV=s3member make testenv
>
>
> Would it be possible to generate level 10 logs for ntlm_auth and 
> winbindd? They should be able to give a much
> better idea of what's actually going on. If you'd prefer, you can send 
> the logs directly to me or Andrew instead
> of posting them to the list.
>
>
>
> Cheers,
>
> Garming Sam
>
>
> On 11/06/14 02:11, Dirk Brenken wrote:
>> On 06/10/2014 11:19 AM, Andrew Bartlett wrote:
>>> On Mon, 2014-06-09 at 19:41 +0200, Dirk Brenken wrote:
>>>> On 06/09/2014 12:39 PM, Dirk Brenken wrote:
>>>>> On 06/09/2014 07:20 AM, Dirk Brenken wrote:
>>>>>> Hi,
>>>>>>
>>>>>> currently I've set up Samba 4 (sernet 4.1.8 on debian jessie)
>>>>>> successfully as an AD-Server ... domain logins from WIN-Clients 
>>>>>> etc. are
>>>>>> working quite fine.
>>>>>> Now I'm trying to test ntlm_auth on the cli for later 
>>>>>> Squid-integration ...
>>>>>>
>>>>>> *wbinfo output:*
>>>>>> wbinfo -a PRAXISAD\\Administrator%xxxxxx
>>>>>> plaintext password authentication succeeded
>>>>>> challenge/response password authentication succeeded
>>>>>>
>>>>>> *ntlm_auth with basic helper output:*
>>>>>> root at praxis-server:/etc/squid3# ntlm_auth
>>>>>> --helper-protocol=squid-2.5-basic --domain=PRAXISAD
>>>>>> PRAXISAD\Administrator xxxxxx
>>>>>> *OK*
>>>>>>
>>>>>> *ntlm_auth with ntlmssp helper output:*
>>>>>> root at praxis-server:/etc/squid3# ntlm_auth
>>>>>> --helper-protocol=squid-2.5-ntlmssp --domain=PRAXISAD
>>>>>> PRAXISAD\Administrator xxxxxx
>>>>>> *BH SPNEGO request invalid prefix*
>>>>>>
>>>>>> *ntlm_auth with gss-spnego helper output:*
>>>>>> root at praxis-server:/etc/squid3# ntlm_auth 
>>>>>> --helper-protocol=gss-spnego
>>>>>> --domain=PRAXISAD
>>>>>> PRAXISAD\Administrator xxxxxx
>>>>>> *BH SPNEGO request invalid prefix*
>>>>>>
>>>>>>
>>>>>> Any ideas what's going wrong here?
>>>>>>
>>>>>> Thanks & best regards
>>>>>> Dirk
>>>>> I did further testing directly in SQUID and gss-spnego helper 
>>>>> works as
>>>>> expected - thanks!
>>>>>
>>>>> br
>>>>> Dirk
>>>>>
>>>> The "--require-membership-of" parm of ntlm_auth seems to have no 
>>>> effect.
>>>> It's not failing, even if the user is *not* a member of the group!
>>>>
>>>> Example:
>>>>
>>>> SID of Test-User "dirk":
>>>> root at praxis-server:/etc/squid3# wbinfo -n dirk
>>>> S-1-5-21-3041413330-2355144718-3205532893-1104 SID_USER (1)
>>>>
>>>> SID of Test-Group "Test":
>>>> wbinfo -n PRAXISAD\\Test
>>>> S-1-5-21-3041413330-2355144718-3205532893-1105 SID_DOM_GROUP (2)
>>>>
>>>> Test-User is only in Group "Domain Users":
>>>> root at praxis-server:/etc/squid3# wbinfo --user-domgroups
>>>> S-1-5-21-3041413330-2355144718-3205532893-1104
>>>> S-1-5-21-3041413330-2355144718-3205532893-513
>>>>
>>>> Result for check against (non-member) Test-Group:
>>>> root at praxis-server:/etc/squid3# ntlm_auth
>>>> --require-membership-of=S-1-5-21-3041413330-2355144718-3205532893-1105
>>>> --helper-protocol=squid-2.5-basic
>>>> dirk xxxxxx
>>>> OK
>>>>
>>>> Is this a known bug of ntlm_auth (sernet samba 4.1.8)!?
>>> I can't reproduce this in our 'make testenv' in git master.
>>>
>>> ~/samba/config.abartlet && make -j && SELFTEST_TESTENV=s3member make
>>> testenv
>>>
>>> [abartlet at jesse samba]$ bin/wbinfo -n administrator
>>> S-1-5-21-2617796569-3988300915-1045095420-500 SID_USER (1)
>>> [abartlet at jesse samba]$ bin/ntlm_auth
>>> --require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-500
>>> --helper-protocol=squid-2.5-basic
>>> SAMBADOMAIN/Administrator locDCpass1
>>> OK
>>> [abartlet at jesse samba]$ bin/ntlm_auth
>>> --require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-5
>>> --helper-protocol=squid-2.5-basic
>>> SAMBADOMAIN/Administrator locDCpass1
>>> ERR
>>> [abartlet at jesse samba]$ bin/ntlm_auth
>>> --require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-512
>>> --helper-protocol=squid-2.5-basic
>>> SAMBADOMAIN/Administrator locDCpass1
>>> OK
>>> [abartlet at jesse samba]$ bin/ntlm_auth
>>> --require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-513
>>> --helper-protocol=squid-2.5-basic
>>> SAMBADOMAIN/Administrator locDCpass1
>>> OK
>>> [abartlet at jesse samba]$ bin/ntlm_auth
>>> --require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-5130
>>> --helper-protocol=squid-2.5-basic
>>> SAMBADOMAIN/Administrator locDCpass1
>>> ERR
>>>
>>> Are you sure your user really, really isn't a member of that group,
>>> perhaps as an alias?
>>>
>>> Thanks,
>>>
>>> Andrew Bartlett
>>>
>> Hi Andrew,
>>
>> thanks for looking into this ... it's still reproducible in my 
>> environment:
>>
>> Set up a new/empty group in Windows AD (with Windows Remote Admin 
>> Tools):
>> wbinfo -n Empty
>> S-1-5-21-3041413330-2355144718-3205532893-1107 SID_DOM_GROUP (2)
>>
>> Test-User:
>> root at praxis-server:/var/log/samba# wbinfo -n dirk
>> S-1-5-21-3041413330-2355144718-3205532893-1104 SID_USER (1)
>>
>> Group listing for Test-User:
>> root at praxis-server:/var/log/samba# wbinfo --user-domgroups
>> S-1-5-21-3041413330-2355144718-3205532893-1104
>> S-1-5-21-3041413330-2355144718-3205532893-513
>>
>> Test-User is only member of "Domain Users":
>> root at praxis-server:/var/log/samba# wbinfo -n "Domain Users"
>> S-1-5-21-3041413330-2355144718-3205532893-513 SID_DOM_GROUP (2)
>>
>> Finally let ntlm_auth check against empty group "Empty" ;-):
>> root at praxis-server:/var/log/samba# ntlm_auth
>> --require-membership-of=S-1-5-21-3041413330-2355144718-3205532893-1107
>> --helper-protocol=squid-2.5-basic
>> PRAXISAD\dirk xxxxxx
>> Got 'PRAXISAD\dirk xxxxxx' from squid (length: 22).
>> NT_STATUS_OK: Success (0x0)
>> OK
>>
>>
>> As you can see, user "dirk" still got an "OK" for an empty group. Maybe
>> you have an idea for further testing or additional checks ...
>>
>> Thanks & best regards
>> Dirk
>>
>> P.S. SAMBA and SQUID are running on the same server test environment.
>> P.P.S. Some version information ...
>>
>> root at praxis-server:/etc/samba# uname -a
>> Linux praxis-server 3.14-1-amd64 #1 SMP Debian 3.14.4-1 (2014-05-13)
>> x86_64 GNU/Linux
>>
>> root at praxis-server:/etc/samba# ntlm_auth --version
>> Version 4.1.8-SerNet-Debian-8.wheezy
>>
>> root at praxis-server:/etc/samba# squid3 -version
>> Squid Cache: Version 3.3.8
>> configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
>> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
>> '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
>> '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.'
>> '--disable-maintainer-mode' '--disable-dependency-tracking'
>> '--disable-silent-rules' '--datadir=/usr/share/squid3'
>> '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline'
>> '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock'
>> '--enable-removal-policies=lru,heap' '--enable-delay-pools'
>> '--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
>> '--enable-follow-x-forwarded-for'
>> '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
>> '--enable-auth-digest=file,LDAP'
>> '--enable-auth-negotiate=kerberos,wrapper'
>> '--enable-auth-ntlm=fake,smb_lm'
>> '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
>> '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
>> '--enable-icmp' '--enable-zph-qos' '--enable-ecap'
>> '--disable-translation' '--with-swapdir=/var/spool/squid3'
>> '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid'
>> '--with-filedescriptors=65536' '--with-large-files'
>> '--with-default-user=proxy' '--enable-linux-netfilter'
>> 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector
>> --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall'
>> 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now'
>> 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector
>> --param=ssp-buffer-size=4 -Wformat -Werror=format-security'
>>
>>
>
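A regression check for the behaviour Dirk reports, as an added example that is not part of the thread and not Samba's own tooling: it takes the SIDs that `wbinfo --user-domgroups` prints for the user, compares them with the SID given to `--require-membership-of`, parses the squid-2.5-basic helper reply (OK / ERR / BH, possibly preceded by debug lines such as `NT_STATUS_OK: Success (0x0)`), and flags the case where the helper says OK although winbind shows the user is not a member. The `run_real_check` driver and the way credentials are fed on stdin are assumptions; the sample SIDs are copied from Dirk's output above.

```python
import subprocess

# Constructed sample data, copied from Dirk's wbinfo output in the thread:
# user "dirk" (RID 1104) is only in "Domain Users" (RID 513); group "Empty" is RID 1107.
SAMPLE_DOMGROUPS = """S-1-5-21-3041413330-2355144718-3205532893-1104
S-1-5-21-3041413330-2355144718-3205532893-513
"""
EMPTY_GROUP_SID = "S-1-5-21-3041413330-2355144718-3205532893-1107"
DOMAIN_USERS_SID = "S-1-5-21-3041413330-2355144718-3205532893-513"


def parse_domgroups(output):
    """Return the set of SIDs printed by `wbinfo --user-domgroups <user-sid>`."""
    return {ln.strip() for ln in output.splitlines() if ln.strip().startswith("S-1-5-")}


def parse_helper_reply(output):
    """Reduce a squid-2.5-basic helper reply to its verdict code (OK, ERR or BH).

    ntlm_auth may print debug lines before the verdict, so the last non-empty
    line is taken; a BH line carries an explanatory message after the code.
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    return lines[-1].split()[0] if lines else "BH"


def verdict(domgroups_output, required_sid, helper_output):
    """Classify one --require-membership-of check as (expected, actual, consistent).

    A non-member that still receives OK is exactly the failure seen on the AD DC,
    so consistent is False for that case.
    """
    member = required_sid in parse_domgroups(domgroups_output)
    expected = "OK" if member else "ERR"
    actual = parse_helper_reply(helper_output)
    return expected, actual, expected == actual


def run_real_check(user_sid, required_sid, credentials):
    """Assumed driver: runs wbinfo and ntlm_auth (both must be on PATH) and classifies.

    credentials is the "user password" line the basic helper reads from stdin.
    """
    groups = subprocess.run(["wbinfo", "--user-domgroups", user_sid],
                            capture_output=True, text=True, check=True).stdout
    helper = subprocess.run(["ntlm_auth", "--helper-protocol=squid-2.5-basic",
                             "--require-membership-of=" + required_sid],
                            input=credentials + "\n", capture_output=True, text=True).stdout
    return verdict(groups, required_sid, helper)
```

Run `run_real_check` once against an empty group and once against "Domain Users" on the DC and again on a member server; a False in the third field of the tuple reproduces the known failure Garming describes.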