[Samba] Samba 4 Domain Provisioning

L.P.H. van Belle belle at bazuin.nl
Wed Nov 19 02:21:35 MST 2014


Which version of squid are you running, the default wheezy 3.1.x?
And did you add the proxy user to the winbindd_priv group?

I can suggest you recompile squid from jessie, it's a pretty easy one.
There are known problems with ntlm auth; I'm at the point of testing that one myself,
scheduled for next week.
I do already run 3.4.8 on my wheezy servers. 3.3.8 had some serious bugs.


  * Urgency high due to security fixes
  [ Amos Jeffries <amosjeffries at squid-cache.org> ]
  * New upstream release (Closes: #737008)
    - Fixes CVE-2014-6270: off by one in snmp subsystem (Closes: #761002)
    - Fixes CVE-2014-7141 and CVE-2014-7142 (Closes: #760999)
      + pinger remote DoS vulnerabilities
    - Fixes CVE-2014-0128: Denial of Service in SSL-Bump (Closes: #741312)

See also:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754339 


Greetz, 

Louis



>-----Original message-----
>From: jacques.serfontein at gmail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Jacques Serfontein
>Sent: Monday, 17 November 2014 16:39
>To: samba at lists.samba.org
>Subject: [Samba] Samba 4 Domain Provisioning
>
>Hi,
>
>I have been having issues with NTLMv2 on newly provisioned domains, using
>Samba 4.1 from backports on Debian Wheezy.
>
>Everything seems to be working fine, except for NTLMv2 authentication with
>Squid and "ntlm_auth" on newer Windows versions.
>
>If I set "Lmcompatibility" down on the Windows PCs, then authentication
>works, but that is a temporary workaround at best.
>
>I have tried installing and reinstalling on numerous VMs, trying to isolate
>the cause, but to no avail, and I know the config is working, since copying
>a previously provisioned domain (/etc/samba/smb.conf + /var/lib/samba) to
>the new server works as expected.
>
>Increasing the log level yields the following:
>
>schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/SERVER
>schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/SERVER
>auth_check_password_send: Checking password for unmapped user [PC001]\[Administrator]@[PC001]
>auth_check_password_send: mapped user is: [DOMAIN]\[Administrator]@[PC001]
>ntlm_password_check: NTLMv2 password check failed
>ntlm_password_check: Lanman passwords NOT PERMITTED for user Administrator
>ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user Administrator
>auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
>
>Any help would be greatly appreciated, since I have run out of ideas...
>
>Regards,
>Jacques