Andrew, I think you nailed it. I was running 3.0 from RHEL5. I'm seeing much more promising results so far with 3.6.

Thanks,
Josh

________________________________________
From: Andrew Bartlett [abart...@samba.org]
Sent: Thursday, July 19, 2012 5:25 PM
To: Baird, Josh
Cc: samba@lists.samba.org
Subject: Re: [Samba] Winbind/ntlm_auth issues

On Thu, 2012-07-19 at 15:11 +0000, Baird, Josh wrote:
> Hi,
>
> I'm struggling to get squid+ntlm_auth working correctly. I have successfully
> joined the domain, and I am able to successfully enumerate groups and users
> using wbinfo. I can also successfully run "wbinfo -a."
>
> However, once I configure Squid to use ntlm_auth per:
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp --debug-level=10 --nt-response
> auth_param ntlm children 5
> auth_param ntlm keep_alive on
>
> .. Squid does not authenticate and prompts me for credentials. My domain
> credentials do not work, and this is displayed in Samba/WB's log:
>
> [2012/07/19 09:58:14, 0]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
> winbindd_pam_auth_crap: invalid password length 24/336
>
> Does anyone have any ideas on what is causing this? I apologize that this
> message is Squid-related, but I can't seem to find any answers elsewhere.

This looks like a Samba issue to me. Try a much more recent version of Samba. I see code in current master for a BIG_NTLMV2_BLOB that smells exactly like what you have here. Long domain names are padding out one of the response values (the 336) and going over an internal arbitrary limit that shouldn't have been there.

The fix is in:

commit 9264f4891484b0316e8e574e256ca0b0a5e9f007
Author: Günther Deschner <g...@samba.org>
Date:   Tue Sep 1 11:58:05 2009 +0200

    wbclient: Fix Bug #6680: always activate handling of large (> 256 byte)
    ntlmv2 blobs in wbcAuthenticateUserEx().

    Guenther

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
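
A log-triage sketch for the failure discussed in this thread, added here as an example (not code from Samba or from either poster): it walks winbindd log records and picks out the "invalid password length" rejections, marking those where the larger response exceeds the 256-byte size named in the commit message. It assumes the two-line record layout shown in the quoted log and that the second number is the NT response length; the function name and all sample records except the first are constructed.

```python
import re

# Samba writes each log record as a header line ("[date time, level] file:func(line)")
# followed by one or more indented message lines.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
BAD_LEN = re.compile(r"winbindd_pam_auth_crap: invalid password length (\d+)/(\d+)")

# 256 bytes is the size named in the commit message quoted in the thread.
LARGE_BLOB_BYTES = 256


def find_length_rejections(lines):
    """Return one dict per 'invalid password length' record found in `lines`."""
    hits, timestamp = [], None
    for line in lines:
        header = HEADER.match(line)
        if header:
            # Remember the timestamp so the next message line can be attributed to it.
            timestamp = header.group(1)
            continue
        m = BAD_LEN.search(line)
        if m:
            first, second = int(m.group(1)), int(m.group(2))
            hits.append({
                "time": timestamp,
                "lengths": (first, second),
                # Assumption: the second number is the NT response length.
                "large_ntlmv2_blob": second > LARGE_BLOB_BYTES,
            })
    return hits


# Constructed sample: the first record is the one quoted in the thread,
# the other two are made up for illustration.
SAMPLE_LOG = """\
[2012/07/19 09:58:14, 0] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
  winbindd_pam_auth_crap: invalid password length 24/336
[2012/07/19 09:58:20, 3] example/unrelated.c:unrelated_function(1)
  unrelated constructed message
[2012/07/19 10:02:41, 0] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
  winbindd_pam_auth_crap: invalid password length 24/412
""".splitlines()

if __name__ == "__main__":
    for hit in find_length_rejections(SAMPLE_LOG):
        note = "large NTLMv2 blob, check Samba version" if hit["large_ntlmv2_blob"] else "other cause"
        print(hit["time"], hit["lengths"], note)
```

Records flagged this way on an old Samba build point to the version problem described in the thread rather than to wrong credentials or a Squid misconfiguration.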