[Samba] ntlm_auth and squid authentication problems
Hi all, I've a little problem using ntlm_auth with squid.

Scenario: Redhat 9, Samba 3 compiled, squid-2.5 compiled.

smb.conf:

[global]
encrypt passwords = Yes
winbind separator = \
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/bash
idmap uid = 1-2
idmap gid = 1-2
winbind uid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
workgroup = GRANDI_STAZIONI
server string = venere
netbios name = venere
security = ads
log file = /var/log/samba/log.%m
max log size = 50
password server = MASTER BDC
realm = GSTAZIONI.IT
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 192.168.5.1 192.168.0.1
wins proxy = yes
dns proxy = yes

Samba is correctly configured into the domain. Now I take a simple user... called user, with password password... what a fantasy, I'm smart, eh!? :-)

So, go on. I try to authenticate it with wbinfo:

[EMAIL PROTECTED] root]# wbinfo -a user%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

So go on, and try to authenticate it with ntlm_auth:

[EMAIL PROTECTED] root]# /usr/squid/libexec/ntlm_auth --username=user --nt-response
password:
NT_STATUS_OK: Success (0x0)

Then I configure my squid to work with ntlm_auth, so squid.conf will be:

auth_param ntlm program /usr/squid/libexec/ntlm_auth --debug-level=10 --helper-protocol=squid-2.5-ntlmssp --nt-response
auth_param ntlm children 40
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/squid/libexec/ntlm_auth --debug-level=10 --helper-protocol=squid-2.5-basic --nt-response
auth_param basic children 40
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Ok? That's ok.
Then I open my IE6, latest patchlevel, tried on win2k, win2003 and XP, and when I request a site I receive this in squid's cache.log:

[2003/11/11 14:52:02, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'KK TlRMTVNTUAADGAAYAGIYABgAeg8ADwBIBAAEAFcHAAcAWwCSBgIAIgUCzg4PR1JBTkRJX1NUQVpJT05JVVNFUkNFUkJFUk8Sh8IeDiFr+fN1aPqFbYp8HMPZCVVtWHOK6pqb0wMyFKr+LB7KIDwbIIJzdVWIUS8=' from squid (length: 199).
[2003/11/11 14:52:02, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/11/11 14:52:02, 10] lib/util.c:dump_data(1825)
  [000] 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00  NTLMSSP.
  [010] 62 00 00 00 18 00 18 00 7A 00 00 00 0F 00 0F 00  b... z...
  [020] 48 00 00 00 04 00 04 00 57 00 00 00 07 00 07 00  H... W...
  [030] 5B 00 00 00 00 00 00 00 92 00 00 00 06 02 00 22  [... ...
  [040] 05 02 CE 0E 00 00 00 0F 47 52 41 4E 44 49 5F 53  GRANDI_S
  [050] 54 41 5A 49 4F 4E 49 55 53 45 52 43 45 52 42 45  TAZIONIU SERCERBE
  [060] 52 4F 12 87 C2 1E 0E 21 6B F9 F3 75 68 FA 85 6D  RO.! k..uh..m
  [070] 8A 7C 1C C3 D9 09 55 6D 58 73 8A EA 9A 9B D3 03  .|Um Xs..
  [080] 32 14 AA FE 2C 1E CA 20 3C 1B 20 82 73 75 55 88  2...,.. . .suU.
  [090] 51 2F 00  Q/.
[2003/11/11 14:52:02, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(286)
  Got user=[USER] domain=[GRANDI_STAZIONI] workstation=[CERBERO] len1=24 len2=24
[2003/11/11 14:52:02, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(325)
  NTLMSSP NT_STATUS_ACCESS_DENIED
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'YR' from squid (length: 2).
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(322)
  NTLMSSP challenge
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'KK TlRMTVNTUAADGAAYAGIYABgAeg8ADwBIBAAEAFcHAAcAWwCSBgIAIgUCzg4PR1JBTkRJX1NUQVpJT05JVVNFUkNFUkJFUk8eZ4Km4Gp0NNEiDnO2ko2PYaSAVmt1WAEOjvUdTWSakqTyJWkliZaHhljnTdE165I=' from squid (length: 199).
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/11/11 14:52:03, 10] lib/util.c:dump_data(1825)
  [000] 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00  NTLMSSP.
  [010] 62 00 00 00 18 00 18 00 7A 00 00 00 0F 00 0F 00  b... z...
  [020] 48 00 00 00 04 00 04 00 57 00 00 00 07 00 07 00  H... W...
  [030] 5B 00 00 00 00 00 00 00 92 00 00 00 06 02 00 22  [... ...
  [040] 05 02 CE 0E 00 00 00 0F 47 52 41 4E 44 49 5F 53  GRANDI_S
  [050] 54 41 5A 49 4F 4E 49 55 53 45 52 43 45 52 42 45  TAZIONIU SERCERBE
  [060] 52 4F 1E 67 82 A6 E0 6A 74 34 D1 22 0E 73 B6 92  RO.g...j t4..s..
  [070] 8D 8F 61 A4 80 56 6B 75 58 01 0E 8E F5 1D 4D 64  ..a..Vku X.Md
  [080] 9A 92 A4 F2 25 69 25 89 96 87 86 58 E7 4D D1 35  %i%. ...X.M.5
  [090] EB 92 00  ...
[2003/11/11 14:52:03, 3]
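The Type 3 blob that ntlm_auth dumped above can be decoded offline to see exactly what the helper handed to the domain controller. The following is an added example, not code from the post or from Samba: it parses the NTLMSSP AUTHENTICATE_MESSAGE from the first hex dump (copied byte for byte from the cache.log excerpt), recovers the fields that ntlmssp_server_auth() logged (user, domain, workstation, len1/len2 = 24), decodes the flags and version, and rebuilds the "KK <base64>" line squid sent. The flag constants and field layout follow MS-NLMP; decoding the OEM strings as latin-1 is an assumption that holds for the ASCII names in this capture.

```python
import base64
import struct

# NTLMSSP Type 3 (AUTHENTICATE_MESSAGE) bytes, copied from the dump_data()
# output ntlm_auth wrote to cache.log for the first "KK" request above
# (0x93 = 147 bytes as dumped).
TYPE3_HEX = """
4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00
62 00 00 00 18 00 18 00 7A 00 00 00 0F 00 0F 00
48 00 00 00 04 00 04 00 57 00 00 00 07 00 07 00
5B 00 00 00 00 00 00 00 92 00 00 00 06 02 00 22
05 02 CE 0E 00 00 00 0F 47 52 41 4E 44 49 5F 53
54 41 5A 49 4F 4E 49 55 53 45 52 43 45 52 42 45
52 4F 12 87 C2 1E 0E 21 6B F9 F3 75 68 FA 85 6D
8A 7C 1C C3 D9 09 55 6D 58 73 8A EA 9A 9B D3 03
32 14 AA FE 2C 1E CA 20 3C 1B 20 82 73 75 55 88
51 2F 00
"""
TYPE3 = bytes.fromhex("".join(TYPE3_HEX.split()))

# NegotiateFlags bits (MS-NLMP 2.2.2.5) needed to interpret the message.
NEGOTIATE_UNICODE = 0x00000001                    # strings are UTF-16LE
NEGOTIATE_OEM = 0x00000002                        # strings are 8-bit OEM text
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000   # "NTLM2 session" response
NEGOTIATE_VERSION = 0x02000000                    # 8-byte Version field present

# Fixed Type 3 header: six (Len, MaxLen, Offset) descriptors at these offsets.
_DESCRIPTORS = (
    ("lm_response", 12), ("nt_response", 20), ("domain", 28),
    ("user", 36), ("workstation", 44), ("session_key", 52),
)


def _field(buf, off):
    """Resolve one 8-byte (Len, MaxLen, Offset) descriptor to its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    if offset + length > len(buf):
        raise ValueError("descriptor at %d points past end of message" % off)
    return buf[offset:offset + length]


def parse_type3(buf):
    """Decode an NTLMSSP AUTHENTICATE_MESSAGE into a dict of its fields."""
    if buf[:8] != b"NTLMSSP\0":
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", buf, 8)
    if msg_type != 3:
        raise ValueError("expected Type 3, got Type %d" % msg_type)
    (flags,) = struct.unpack_from("<I", buf, 60)
    raw = {name: _field(buf, off) for name, off in _DESCRIPTORS}

    # Without NEGOTIATE_UNICODE the names are OEM text. The real OEM code page
    # depends on the client locale; latin-1 is an assumption that is safe for
    # the ASCII names in this capture.
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    msg = {
        "flags": flags,
        "domain": raw["domain"].decode(enc),
        "user": raw["user"].decode(enc),
        "workstation": raw["workstation"].decode(enc),
        "lm_response": raw["lm_response"],
        "nt_response": raw["nt_response"],
        "session_key": raw["session_key"],
        "version": None,
    }
    if flags & NEGOTIATE_VERSION and len(buf) >= 72:
        # Version: major(1) minor(1) build(2) reserved(3) NTLMRevisionCurrent(1)
        major, minor, build, rev = struct.unpack_from("<BBH3xB", buf, 64)
        msg["version"] = (major, minor, build, rev)

    # A 24-byte NT response is NTLMv1 (or the NTLM2-session variant when the
    # extended-session-security flag is set); NTLMv2 responses are longer.
    n = len(raw["nt_response"])
    if n == 24:
        ess = flags & NEGOTIATE_EXTENDED_SESSIONSECURITY
        msg["response_kind"] = "NTLM2 session" if ess else "NTLMv1"
    elif n > 24:
        msg["response_kind"] = "NTLMv2"
    else:
        msg["response_kind"] = "none"
    return msg


def wire_length(buf):
    """Length of the message proper: the end of the last payload buffer."""
    end = 64
    for _name, off in _DESCRIPTORS:
        length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
        end = max(end, offset + length)
    return end


def squid_kk_line(buf):
    """Re-create the 'KK <base64>' line squid hands to the ntlmssp helper."""
    return "KK " + base64.b64encode(buf[:wire_length(buf)]).decode("ascii")


if __name__ == "__main__":
    m = parse_type3(TYPE3)
    for key in ("domain", "user", "workstation", "response_kind", "version"):
        print("%-14s %s" % (key, m[key]))
    print("flags          0x%08x" % m["flags"])
    print("nt_response    %s" % m["nt_response"].hex())
    print(squid_kk_line(TYPE3))
```

What this shows for the capture above: the client sent a plain 24-byte NTLMv1 challenge/response pair (no UNICODE and no extended-session-security bits in flags 0x22000206), with an OS version of 5.2 build 3790, and the helper saw a well-formed message for USER in GRANDI_STAZIONI from CERBERO. The last descriptor (session key, length 0) starts at offset 0x92 = 146, so the wire message ends there; the lone 00 the dump shows at 0x92 lies past it, and re-encoding the 146 bytes gives a line of 199 characters ending in "=", matching both the length ntlm_auth logged and the tail of the logged base64. The message itself is therefore not the problem; what the DC makes of that challenge/response pair is the next thing to look at.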
[Samba] winbindd problem related to kerberos.
I've a little stupid problem with winbindd. When I start it I can read in the winbind log:

[2003/10/17 10:17:47, 1] nsswitch/winbindd_util.c:add_trusted_domain(149)
  Added domain GRANDI_STAZIONI GSTAZIONI.IT
[2003/10/17 10:17:47, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2003/10/17 10:17:47, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password HOST/[EMAIL PROTECTED] failed: Client not found in Kerberos database
[2003/10/17 10:17:47, 1] nsswitch/winbindd_ads.c:ads_cached_connection(64)
  ads_connect for domain GRANDI_STAZIONI failed: Operations error
[2003/10/17 10:17:47, 1] nsswitch/winbindd_util.c:add_trusted_domains(206)
  scanning trusted domain list
[2003/10/17 10:17:47, 1] nsswitch/winbindd_util.c:add_trusted_domain(149)
  Added domain GSTEST S-1-5-21-602162358-220523388-725345543
[2003/10/17 10:17:47, 1] nsswitch/winbindd_util.c:add_trusted_domains(206)
  scanning trusted domain list

From my smb.conf:

[global]
encrypt passwords = Yes
winbind separator = +
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/bash
idmap uid = 1-2
idmap gid = 1-2
winbind uid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
workgroup = GRANDI_STAZIONI
server string = norad
security = ads
log file = /var/log/samba/log.%m
max log size = 50
password server = MASTER BDC
realm = GSTAZIONI.IT
passdb backend = tdbsam
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 192.168.5.1 192.168.0.1
wins proxy = yes
dns proxy = yes

[public]
comment = none
writeable = yes
public = yes
browseable = yes
path = /home/samba
read only = No
create mask = 0777
directory mask = 0777
guest ok = No

Note that I've successfully created a machine account in the domain with the command: net ads join -U administrator.
From my krb5.conf:

[libdefaults]
default_realm = GSTAZIONI.IT
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}

[realms]
GSTAZIONI.IT = {
    kdc = 192.168.5.1:88
    kdc = 192.168.0.1:88
}

[domain_realm]
.gstazioni.it = GSTAZIONI.IT
gstazioni.it = GSTAZIONI.IT

[login]
krb4_convert = true
krb4_get_tickets = true

Which thing causes this problem? How do I solve it?

Another problem is that I can list users and groups with the net ads users command, but not with wbinfo. Why?

Thanks in advance, best regards.
Federico

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] samba 3.0.0 winbind starting problems.
I've a little problem starting winbindd, using it on a Redhat 9 Linux, compiled from source. I've configured nsswitch.conf with winbind and kerberos. Naturally I joined my ADS realm successfully with the following command:

net ads join -U administrator

Now the problem is that smbd and nmbd work correctly but I can't start winbindd due to the following error, and I can't figure out why. From log.winbindd:

[2003/10/15 10:54:24, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.5.13 bcast=192.168.5.255 nmask=255.255.254.0
[2003/10/15 10:54:24, 5] lib/util.c:init_names(270)
  Netbios name list:-
  my_netbios_names[0]=NORAD
[2003/10/15 10:54:24, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.5.13 bcast=192.168.5.255 nmask=255.255.254.0
[2003/10/15 10:54:24, 5] lib/gencache.c:gencache_init(59)
  Opening cache file at /usr/samba/var/locks/gencache.tdb
[2003/10/15 10:54:24, 5] libsmb/namecache.c:namecache_enable(58)
  namecache_enable: enabling netbios namecache, timeout 660 seconds
[2003/10/15 10:54:24, 0] nsswitch/winbindd_util.c:winbindd_param_init(445)
  winbindd: idmap uid range missing or invalid
[2003/10/15 10:54:24, 0] nsswitch/winbindd_util.c:winbindd_param_init(446)
  winbindd: cannot continue, exiting.

Naturally my smb.conf is:

[global]
encrypt passwords = Yes
workgroup = MYREALM.IT
server string = norad
security = ads
log file = /var/log/samba/log.%m
max log size = 50
password server = MASTER BDC
realm = MYREALM.IT
passdb backend = tdbsam
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
wins server = 192.168.5.1 192.168.0.1
wins proxy = yes
dns proxy = yes

[public]
comment = nora-d ? chi e` nora-d ?
writeable = yes
public = yes
browseable = yes
path = /home/samba
read only = No
create mask = 0777
directory mask = 0777
guest ok = No
;*** winbindd **
winbind separator = \
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/bash
winbind uid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

It is quite stupid, ok? When I start winbindd with the following option I receive:

winbindd version 3.0.0 started.
Copyright The Samba Team 2000-2003
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file /usr/samba/lib/smb.conf
Processing section [global]
doing parameter encrypt passwords = Yes
doing parameter workgroup = MYREALM.IT
doing parameter server string = norad
doing parameter security = ads
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter password server = MASTER BDC
doing parameter realm = MYREALM.IT
doing parameter passdb backend = tdbsam
doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter wins server = 192.168.5.1 192.168.0.1
doing parameter wins proxy = yes
doing parameter dns proxy = yes
Processing section [public]
doing parameter comment = nora-d ? chi e` nora-d ?
doing parameter writeable = yes
doing parameter public = yes
doing parameter browseable = yes
doing parameter path = /home/samba
doing parameter read only = No
doing parameter create mask = 0777
doing parameter directory mask = 0777
doing parameter guest ok = No
doing parameter winbind separator = +
Global parameter winbind separator found in service section!
doing parameter winbind cache time = 10
Global parameter winbind cache time found in service section!
doing parameter template homedir = /home/%D/%U
Global parameter template homedir found in service section!
doing parameter template shell = /bin/bash
Global parameter template shell found in service section!
doing parameter winbind uid = 1-2
Global parameter winbind uid found in service section!
doing parameter winbind gid = 1-2
Global parameter winbind gid found in service section!
doing parameter winbind enum users = yes
Global parameter winbind enum users found in service section!
doing parameter winbind enum groups = yes
Global parameter winbind enum groups found in service section!
doing parameter winbind use default domain = yes
Global parameter winbind use default domain found in service section!
pm_process() returned Yes
lp_servicenumber: couldn't find homes
adding IPC service
adding IPC service
set_server_role: role = ROLE_DOMAIN_MEMBER
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
added interface ip=192.168.5.13 bcast=192.168.5.255 nmask=255.255.254.0
Netbios name list:-
my_netbios_names[0]=NORAD
added interface ip=192.168.5.13 bcast=192.168.5.255 nmask=255.255.254.0
Opening cache file
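The "Global parameter ... found in service section!" lines in the trace above are the key: in smb.conf every parameter belongs to the most recent [section] header, so the winbind block placed after [public] is read as part of that share and never reaches the global settings, which is why winbindd_param_init() then reports "idmap uid range missing or invalid" and exits. As an added example (not the poster's code and not Samba's), here is a small checker that parses an smb.conf, flags global-only winbind parameters that sit in a share section, and reports a missing or malformed idmap range. It runs over two constructed configs: one mirroring the layout in the post, one with the same settings moved under [global]. GLOBAL_ONLY is a hand-picked subset of smb.conf(5) global parameters, and treating the older "winbind uid/gid" spelling as a synonym for "idmap uid/gid" is an assumption about the 3.0 parameter table.

```python
import re

# smb.conf(5) parameters that are global-only and matter to winbindd; a
# hand-picked subset for this check (assumption: not taken from Samba's table).
GLOBAL_ONLY = {
    "workgroup", "realm", "security", "password server", "netbios name",
    "winbind separator", "winbind cache time", "winbind uid", "winbind gid",
    "idmap uid", "idmap gid", "winbind enum users", "winbind enum groups",
    "winbind use default domain", "template homedir", "template shell",
}

# Samba 3.0 accepts the older "winbind uid/gid" names as synonyms for
# "idmap uid/gid" (assumption); either spelling in [global] satisfies the check.
RANGE_PARAMS = {
    "idmap uid": ("idmap uid", "winbind uid"),
    "idmap gid": ("idmap gid", "winbind gid"),
}

# Constructed sample mirroring the layout in the post above: the winbind
# block comes after [public], so it belongs to that share, not to [global].
BROKEN_CONF = """
[global]
    workgroup = MYREALM.IT
    security = ads
    realm = MYREALM.IT
    password server = MASTER BDC

[public]
    comment = nora-d ? chi e` nora-d ?
    path = /home/samba
    read only = No
    ;*** winbindd **
    winbind separator = +
    winbind cache time = 10
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind uid = 1-2
    winbind gid = 1-2
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
"""

# Same settings under [global]; the 10000-20000 range is an illustrative choice.
FIXED_CONF = """
[global]
    workgroup = MYREALM.IT
    security = ads
    realm = MYREALM.IT
    password server = MASTER BDC
    winbind separator = +
    winbind cache time = 10
    template homedir = /home/%D/%U
    template shell = /bin/bash
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes

[public]
    comment = public share
    path = /home/samba
    read only = No
"""


def parse_smb_conf(text):
    """Return (section, name, value) triples in file order.

    Section and parameter names are lower-cased with whitespace collapsed,
    since Samba matches parameter names case-insensitively.
    """
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = " ".join(line[1:-1].lower().split())
            continue
        if "=" not in line:
            continue  # Samba would warn about this; not our concern here
        name, value = line.split("=", 1)
        entries.append((section, " ".join(name.lower().split()), value.strip()))
    return entries


def check_winbind_config(text):
    """Return findings; an empty list means winbindd_param_init() has what it needs."""
    findings = []
    entries = parse_smb_conf(text)
    for section, name, _value in entries:
        if section != "global" and name in GLOBAL_ONLY:
            findings.append("[%s]: global parameter '%s' found in service section; "
                            "move it to [global]" % (section, name))
    in_global = {name: value for section, name, value in entries if section == "global"}
    for canonical, spellings in RANGE_PARAMS.items():
        value = next((in_global[s] for s in spellings if s in in_global), None)
        if value is None:
            findings.append("[global]: '%s' range missing; winbindd cannot continue" % canonical)
            continue
        m = re.fullmatch(r"(\d+)-(\d+)", value.replace(" ", ""))
        if m is None or int(m.group(1)) > int(m.group(2)):
            findings.append("[global]: '%s = %s' is not a valid low-high range" % (canonical, value))
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        found = check_winbind_config(conf)
        print("%s: %d finding(s)" % (label, len(found)))
        for f in found:
            print("  " + f)
```

Samba's own testparm prints the same "found in service section" warnings, so the quickest check on a live box is to run it and read the warnings before starting winbindd; the script above is for the case where you want to lint configs offline or in bulk.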