RE: [squid-users] RE: Urgent Samba / Squid NTLM Auth Problems
Hi Adam,

We are currently talking to samba, but we are able to join the domain. Where we sit right now is that if we use -basic instead of -ntlmssp it works fine. I've narrowed it down to the password that's the problem - it's obtaining the user, domain and workstation just fine. All the command line tools work perfectly - only when using auth_param ntlm * does it fail...

As far as I have been able to understand it, there is either a problem with the way squid is passing the reply to the ntlm challenge to the helper, or a problem with the helper...

At the moment I'll take any options that are possible...

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Adam Aube
Sent: 09 November 2005 09:12 PM
To: squid-users@squid-cache.org
Subject: [squid-users] RE: Urgent Samba / Squid NTLM Auth Problems

Dave Raven wrote:
> Okay I have an update with more progress - it seems the problem is
> only to do with ntlmssp. If I only have a basic authenticator - which
> looks like the following, it works perfectly:
> However, when I use ntlmssp in the squid config, shown below, it does
> not work:
>
> auth_param ntlm program /usr/optec/ntlm_auth.sh ntlmssp
> auth_param ntlm children 10
> auth_param ntlm use_ntlm_negotiate yes
>
> I see the following debug messages:
> [2005/11/09 13:22:37, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
> Got user=[ianb] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24
> [2005/11/09 13:22:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
> Login for user [EMAIL PROTECTED] failed due to [Wrong Password]
>
> If I type ian instead of ianb, I see an error saying the user does not
> exist. This must mean that somehow the wrong password is being passed
> in the wrong way - even though it is typed right.
>
> For anyone who hasn't read the rest of this thread please note: this
> only happens with the security option on the AD server set to ONLY
> allow NTLMv2/LMv2 and not anything else. If we turn that off it works
> perfectly...

It looks like this might be a Samba issue - Ian had stated that if only NTLMv2 is allowed, then Samba can't even join the domain. I would suggest taking this to the Samba list.

Adam
[squid-users] Re: Urgent Samba / Squid NTLM Auth Problems
Abbas Salehi wrote:
> I succeeded in joining the domain and Active Directory, I can see the
> domain users and groups
>
> net ads testjoin
> Join is OK
>
> net ads join administrator
> Joined 'squid-server' to realm 'TEST.COM'
>
> But ntlm_auth does not work properly,
>
> I have the following error when I run it:
>
> ntlm_auth --username=administrator
> password: **
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> (0xc0da)

Since you seem to be using Samba 3.x, make sure you are using the ntlm_auth helper that comes with Samba, not the helper that comes with Squid (which is for Samba 2.x only).

Adam
[squid-users] RE: Urgent Samba / Squid NTLM Auth Problems
Dave Raven wrote:
> Okay I have an update with more progress - it seems the problem is only to
> do with ntlmssp. If I only have a basic authenticator - which looks like
> the following, it works perfectly:
> However, when I use ntlmssp in the squid config, shown below, it does not
> work:
>
> auth_param ntlm program /usr/optec/ntlm_auth.sh ntlmssp
> auth_param ntlm children 10
> auth_param ntlm use_ntlm_negotiate yes
>
> I see the following debug messages:
> [2005/11/09 13:22:37, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
> Got user=[ianb] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24
> [2005/11/09 13:22:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
> Login for user [EMAIL PROTECTED] failed due to [Wrong Password]
>
> If I type ian instead of ianb, I see an error saying the user does not
> exist. This must mean that somehow the wrong password is being passed in
> the wrong way - even though it is typed right.
>
> For anyone who hasn't read the rest of this thread please note: this only
> happens with the security option on the AD server set to ONLY allow
> NTLMv2/LMv2 and not anything else. If we turn that off it works
> perfectly...

It looks like this might be a Samba issue - Ian had stated that if only NTLMv2 is allowed, then Samba can't even join the domain. I would suggest taking this to the Samba list.

Adam
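
Added example, not part of any message in this thread: a parser for the ntlmssp_server_auth debug line quoted above that classifies each authentication attempt by the size of its response fields. It assumes len1 and len2 are the LM and NT response lengths; the len2=174 entry and all function names are constructed for illustration.

```python
import re

# Constructed sample. The first entry is the debug output quoted in the thread;
# the second (len2=174) is made up to show an NTLMv2-sized response.
SAMPLE_LOG = """\
[2005/11/09 13:22:37, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[ianb] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24
[2005/11/09 13:22:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [EMAIL PROTECTED] failed due to [Wrong Password]
[2005/11/09 13:25:02, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[testuser] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=174
"""

GOT_RE = re.compile(
    r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] "
    r"workstation=\[(?P<workstation>[^\]]*)\] "
    r"len1=(?P<lm_len>\d+) len2=(?P<nt_len>\d+)"
)

def classify_response(lm_len, nt_len):
    """Guess the NTLM response flavour from the field lengths alone."""
    if nt_len > 24:
        # 16-byte HMAC-MD5 proof followed by a variable-length client blob.
        return "NTLMv2"
    if nt_len == 24:
        # Fixed 24-byte DES-based response; NTLM2 session responses are the same size.
        return "NTLMv1-sized"
    if nt_len == 0 and lm_len == 24:
        return "LM/LMv2 only"
    return "unknown"

def parse_auth_attempts(log_text):
    """Return one record per 'Got user=' line with its response classification."""
    attempts = []
    for m in GOT_RE.finditer(log_text):
        lm_len, nt_len = int(m["lm_len"]), int(m["nt_len"])
        kind = classify_response(lm_len, nt_len)
        attempts.append({
            "user": m["user"], "domain": m["domain"], "workstation": m["workstation"],
            "lm_len": lm_len, "nt_len": nt_len, "kind": kind,
            # A 24-byte NT response cannot be NTLMv2, so an NTLMv2-only DC rejects it.
            "likely_refused_by_ntlmv2_only_dc": kind == "NTLMv1-sized",
        })
    return attempts

if __name__ == "__main__":
    for a in parse_auth_attempts(SAMPLE_LOG):
        print(f'{a["domain"]}\\{a["user"]} from {a["workstation"]}: '
              f'{a["kind"]} (lm={a["lm_len"]}, nt={a["nt_len"]})')
```

A 24-byte NT response is the fixed NTLMv1 size, while an NTLMv2 response is always longer, so the len2 value in the helper's debug log shows which response type the client actually sent.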