[Samba] ntlm_auth and squid authentication problems

2003-11-11 Thread Lombardo Federico
Hi all,

I've a little problem using ntlm_auth with squid.

Scenario: Redhat 9, Samba 3 compiled, squid-2.5 compiled.

smb.conf:

[global]
encrypt passwords = Yes
winbind separator = \
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/bash
idmap uid = 1-2
idmap gid = 1-2
winbind uid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
workgroup = GRANDI_STAZIONI
server string = venere
netbios name = venere
security = ads
log file = /var/log/samba/log.%m
max log size = 50
password server = MASTER BDC
realm = GSTAZIONI.IT
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 192.168.5.1 192.168.0.1
wins proxy = yes
dns proxy = yes




Samba is correctly configured into the domain.

Now I take a simple user... called user with password password ... what
a fantasy, I'm smart ah!? :-)
So, go on. I try to authenticate it with wbinfo:

[EMAIL PROTECTED] root]# wbinfo -a user%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

So go on, and try to authenticate it with ntlm_auth:

[EMAIL PROTECTED] root]#
/usr/squid/libexec/ntlm_auth --username=user --nt-response
password:
NT_STATUS_OK: Success (0x0)


Then I configure my squid to work with ntlm_auth, so squid.conf will be:

auth_param ntlm program /usr/squid/libexec/ntlm_auth --debug-level=10 --helper-protocol=squid-2.5-ntlmssp --nt-response
auth_param ntlm children 40
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/squid/libexec/ntlm_auth --debug-level=10 --helper-protocol=squid-2.5-basic --nt-response
auth_param basic children 40
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Ok ? that's ok.

Then I open my IE6, latest patchlevel, tried on win2k, win2003 and XP, and
when I request a site I receive this in squid's cache.log:

[2003/11/11 14:52:02, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'KK
TlRMTVNTUAADGAAYAGIYABgAeg8ADwBIBAAEAFcHAAcAWwCS
BgIAIgUCzg4PR1JBTkRJX1NUQVpJT05JVVNFUkNFUkJFUk8Sh8IeDiFr+fN1aPqFbYp8
HMPZCVVtWHOK6pqb0wMyFKr+LB7KIDwbIIJzdVWIUS8=' from squid (length: 199).
[2003/11/11 14:52:02, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/11/11 14:52:02, 10] lib/util.c:dump_data(1825)
  [000] 4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00  NTLMSSP. 
  [010] 62 00 00 00 18 00 18 00  7A 00 00 00 0F 00 0F 00  b... z...
  [020] 48 00 00 00 04 00 04 00  57 00 00 00 07 00 07 00  H... W...
  [030] 5B 00 00 00 00 00 00 00  92 00 00 00 06 02 00 22  [... ...
  [040] 05 02 CE 0E 00 00 00 0F  47 52 41 4E 44 49 5F 53   GRANDI_S
  [050] 54 41 5A 49 4F 4E 49 55  53 45 52 43 45 52 42 45  TAZIONIU SERCERBE
  [060] 52 4F 12 87 C2 1E 0E 21  6B F9 F3 75 68 FA 85 6D  RO.! k..uh..m
  [070] 8A 7C 1C C3 D9 09 55 6D  58 73 8A EA 9A 9B D3 03  .|Um Xs..
  [080] 32 14 AA FE 2C 1E CA 20  3C 1B 20 82 73 75 55 88  2...,..  . .suU.
  [090] 51 2F 00  Q/.
[2003/11/11 14:52:02, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(286)
  Got user=[USER] domain=[GRANDI_STAZIONI] workstation=[CERBERO] len1=24
len2=24
[2003/11/11 14:52:02, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(325)
  NTLMSSP NT_STATUS_ACCESS_DENIED
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'YR' from squid (length: 2).
[2003/11/11 14:52:03, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/11/11 14:52:03, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(322)
  NTLMSSP challenge
[2003/11/11 14:52:03, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'KK
TlRMTVNTUAADGAAYAGIYABgAeg8ADwBIBAAEAFcHAAcAWwCS
BgIAIgUCzg4PR1JBTkRJX1NUQVpJT05JVVNFUkNFUkJFUk8eZ4Km4Gp0NNEiDnO2ko2P
YaSAVmt1WAEOjvUdTWSakqTyJWkliZaHhljnTdE165I=' from squid (length: 199).
[2003/11/11 14:52:03, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/11/11 14:52:03, 10] lib/util.c:dump_data(1825)
  [000] 4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00  NTLMSSP. 
  [010] 62 00 00 00 18 00 18 00  7A 00 00 00 0F 00 0F 00  b... z...
  [020] 48 00 00 00 04 00 04 00  57 00 00 00 07 00 07 00  H... W...
  [030] 5B 00 00 00 00 00 00 00  92 00 00 00 06 02 00 22  [... ...
  [040] 05 02 CE 0E 00 00 00 0F  47 52 41 4E 44 49 5F 53   GRANDI_S
  [050] 54 41 5A 49 4F 4E 49 55  53 45 52 43 45 52 42 45  TAZIONIU SERCERBE
  [060] 52 4F 1E 67 82 A6 E0 6A  74 34 D1 22 0E 73 B6 92  RO.g...j t4..s..
  [070] 8D 8F 61 A4 80 56 6B 75  58 01 0E 8E F5 1D 4D 64  ..a..Vku X.Md
  [080] 9A 92 A4 F2 25 69 25 89  96 87 86 58 E7 4D D1 35  %i%. ...X.M.5
  [090] EB 92 00  ...
[2003/11/11 14:52:03, 3] 
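The cache.log excerpt above shows ntlm_auth receiving the browser's NTLMSSP AUTHENTICATE (type 3) message as a squid "KK <base64>" line, logging user, domain, workstation and the two response lengths, and then answering NT_STATUS_ACCESS_DENIED. The Python script below is an added example, not code from the post, from Samba or from Squid. It decodes such a line and parses the type 3 message field by field, using as sample input the 147 bytes reconstructed from the dump_data hexdump in the post (the base64 text in the archived mail is truncated, so the hexdump is the reliable copy). Reading the message this way shows exactly what the helper hands to winbind and, from the response lengths, whether the client sent an NTLMv1 (24-byte) or NTLMv2 response, which is what a defender needs to know when deciding which NTLM levels the domain controllers should still accept.

```python
import base64
import struct

# Sample input: the AUTHENTICATE message bytes copied from the dump_data
# hexdump in the post (first "KK ..." request), 147 bytes in total.
TYPE3_HEX = """
4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00
62 00 00 00 18 00 18 00 7A 00 00 00 0F 00 0F 00
48 00 00 00 04 00 04 00 57 00 00 00 07 00 07 00
5B 00 00 00 00 00 00 00 92 00 00 00 06 02 00 22
05 02 CE 0E 00 00 00 0F 47 52 41 4E 44 49 5F 53
54 41 5A 49 4F 4E 49 55 53 45 52 43 45 52 42 45
52 4F 12 87 C2 1E 0E 21 6B F9 F3 75 68 FA 85 6D
8A 7C 1C C3 D9 09 55 6D 58 73 8A EA 9A 9B D3 03
32 14 AA FE 2C 1E CA 20 3C 1B 20 82 73 75 55 88
51 2F 00
"""
TYPE3_BYTES = bytes.fromhex(TYPE3_HEX)

# What squid hands to the helper: "KK " followed by the base64 blob (the
# two-letter "YR" line seen in the log instead asks for a fresh challenge).
SQUID_KK_LINE = "KK " + base64.b64encode(TYPE3_BYTES).decode("ascii")

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_AUTHENTICATE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16LE when set
NTLMSSP_NEGOTIATE_VERSION = 0x02000000   # 8-byte version field present


def squid_kk_to_bytes(line):
    """Strip the squid helper prefix and decode the NTLMSSP blob."""
    if not line.startswith("KK "):
        raise ValueError("not a squid 'KK' line")
    return base64.b64decode(line[3:])


def _secbuf(buf, off):
    """Read a security buffer (len u16, maxlen u16, offset u32) and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    if offset + length > len(buf):
        raise ValueError("security buffer points past the end of the message")
    return buf[offset:offset + length]


def parse_type3(buf):
    """Parse an NTLMSSP AUTHENTICATE (type 3) message into a dict of fields."""
    if buf[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    if struct.unpack_from("<I", buf, 8)[0] != NTLMSSP_AUTHENTICATE:
        raise ValueError("not an AUTHENTICATE message")
    lm_resp = _secbuf(buf, 12)
    nt_resp = _secbuf(buf, 20)
    domain = _secbuf(buf, 28)
    user = _secbuf(buf, 36)
    workstation = _secbuf(buf, 44)
    session_key = _secbuf(buf, 52)
    flags = struct.unpack_from("<I", buf, 60)[0]
    # With NEGOTIATE_UNICODE unset the names are OEM code-page strings, which
    # is why the dump shows plain ASCII; latin-1 keeps every byte decodable.
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    version = None
    if flags & NTLMSSP_NEGOTIATE_VERSION and len(buf) >= 72:
        major, minor, build = struct.unpack_from("<BBH", buf, 64)
        version = "%d.%d.%d" % (major, minor, build)
    return {
        "user": user.decode(enc),
        "domain": domain.decode(enc),
        "workstation": workstation.decode(enc),
        "lm_len": len(lm_resp),
        "nt_len": len(nt_resp),
        "session_key_len": len(session_key),
        "flags": flags,
        "client_version": version,
        # A 24-byte NT response is NTLMv1 (three DES blocks over the server
        # challenge); an NTLMv2 response is a 16-byte HMAC-MD5 plus a blob.
        "nt_version": 1 if len(nt_resp) == 24 else 2,
    }


def summarize_kk_line(line):
    """Produce the same one-line summary ntlm_auth writes at debug level 3."""
    f = parse_type3(squid_kk_to_bytes(line))
    return "Got user=[%s] domain=[%s] workstation=[%s] len1=%d len2=%d" % (
        f["user"], f["domain"], f["workstation"], f["lm_len"], f["nt_len"])


if __name__ == "__main__":
    fields = parse_type3(squid_kk_to_bytes(SQUID_KK_LINE))
    print(summarize_kk_line(SQUID_KK_LINE))
    print("flags=0x%08X client=%s NTLMv%d" % (
        fields["flags"], fields["client_version"], fields["nt_version"]))
```

Run as-is it reproduces the "Got user=[USER] domain=[GRANDI_STAZIONI] workstation=[CERBERO] len1=24 len2=24" line from the post, and also reports the negotiated flags and the client version field (5.2.3790, a Windows Server 2003 build). The 24-byte NT response identifies this as an NTLMv1 exchange; a helper that logs the same summary for every request gives a cheap inventory of which clients still fall back to NTLMv1.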

[Samba] winbind problem related to kerberos.

2003-10-17 Thread Lombardo Federico
I've a little stupid problem with winbindd.
When I start it I can read in the winbind log:

[2003/10/17 10:17:47, 1] nsswitch/winbindd_util.c:add_trusted_domain(149)
  Added domain GRANDI_STAZIONI GSTAZIONI.IT
[2003/10/17 10:17:47, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2003/10/17 10:17:47, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password HOST/[EMAIL PROTECTED] failed: Client not found
in Kerberos database
[2003/10/17 10:17:47, 1] nsswitch/winbindd_ads.c:ads_cached_connection(64)
  ads_connect for domain GRANDI_STAZIONI failed: Operations error
[2003/10/17 10:17:47, 1] nsswitch/winbindd_util.c:add_trusted_domains(206)
  scanning trusted domain list
[2003/10/17 10:17:47, 1] nsswitch/winbindd_util.c:add_trusted_domain(149)
  Added domain GSTEST  S-1-5-21-602162358-220523388-725345543
[2003/10/17 10:17:47, 1] nsswitch/winbindd_util.c:add_trusted_domains(206)
  scanning trusted domain list


from my smb.conf:

[global]
encrypt passwords = Yes
winbind separator = +
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/bash
idmap uid = 1-2
idmap gid = 1-2
winbind uid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
workgroup = GRANDI_STAZIONI
server string = norad
security = ads
log file = /var/log/samba/log.%m
max log size = 50
password server = MASTER BDC
realm = GSTAZIONI.IT
passdb backend = tdbsam
socket options = TCP_NODELAY  SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 192.168.5.1 192.168.0.1
wins proxy = yes
dns proxy = yes
[public]
comment = none
writeable = yes
public = yes
browseable = yes
path = /home/samba
read only = No
create mask = 0777
directory mask = 0777
guest ok = No


Note that I've successfully created a machine account into the domain with
the command: net ads join -U administrator.

from my krb5.conf:

[libdefaults]
 default_realm = GSTAZIONI.IT
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 krb4_config = /etc/krb.conf
 krb4_realms = /etc/krb.realms
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true
 v4_instance_resolve = false
 v4_name_convert = {
 host = {
 rcmd = host
ftp = ftp
 }
 plain = {
 something = something-else
}
 }
[realms]
GSTAZIONI.IT = {
  kdc = 192.168.5.1:88
  kdc = 192.168.0.1:88
}
[domain_realm]
.gstazioni.it = GSTAZIONI.IT
gstazioni.it = GSTAZIONI.IT
[login]
 krb4_convert = true
 krb4_get_tickets = true


Which thing causes this problem?
How to solve it?
Another problem is that I can list users and groups with the net ads users
command, but not with wbinfo. Why?


Thanks in advance,

Best regards.

Federico
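The krb5.conf above is the other half of the ADS setup, and the first thing to verify when ads_connect fails is that the file is internally consistent. The Python script below is an added example, not code from the post and not part of Samba or MIT Kerberos. It parses krb5.conf's brace-nested format (the v4_name_convert block is the awkward case) and runs the checks a practitioner would make before blaming the join: default_realm has a [realms] entry with at least one kdc, every [domain_realm] mapping points at a defined realm, and the enctype lists contain no single-DES types (retired by RFC 6649) or 3DES/RC4 types (retired by RFC 8429). The sample input is the posted file, trimmed, plus a constructed variant with a domain_realm entry that names an undefined realm.

```python
import re

# Enctypes retired by RFC 6649 (single DES) and RFC 8429 (3DES and RC4).
DEPRECATED_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3-cbc-sha1", "des3-hmac-sha1", "arcfour-hmac", "arcfour-hmac-md5",
}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Sample input: the [libdefaults], [realms] and [domain_realm] sections of the
# krb5.conf in the post above, with the Kerberos v4 knobs trimmed.
POSTED_KRB5_CONF = """
[libdefaults]
 default_realm = GSTAZIONI.IT
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 kdc_timesync = 1
 forwardable = true
 v4_name_convert = {
 host = {
 rcmd = host
 ftp = ftp
 }
 }
[realms]
GSTAZIONI.IT = {
  kdc = 192.168.5.1:88
  kdc = 192.168.0.1:88
}
[domain_realm]
.gstazioni.it = GSTAZIONI.IT
gstazioni.it = GSTAZIONI.IT
"""

# Constructed variant: modern enctypes, but one domain_realm entry points at
# a realm name that no [realms] block defines (a typo-style mistake).
MISMATCHED_KRB5_CONF = """
[libdefaults]
 default_realm = EXAMPLE.TEST
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
EXAMPLE.TEST = {
  kdc = kdc.example.test:88
}
[domain_realm]
.example.test = EXAMPLE.TEST
example.test = EXAMPLE.TSET
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}.

    '{ ... }' groups become nested dicts; a key repeated inside one block
    (for example several 'kdc =' lines) becomes a list of values.
    """
    sections, stack = {}, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1].strip(), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        if not stack:
            raise ValueError("key outside any section: %r" % raw)
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
            continue
        existing = stack[-1].get(key)
        if existing is None:
            stack[-1][key] = value
        elif isinstance(existing, list):
            existing.append(value)
        else:
            stack[-1][key] = [existing, value]
    return sections


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_krb5_conf(text):
    """Return (check, where, detail) tuples for every problem found."""
    cfg = parse_krb5_conf(text)
    libdefaults = cfg.get("libdefaults", {})
    realms = cfg.get("realms", {})
    findings = []
    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        findings.append(("default-realm-missing", "libdefaults", "default_realm"))
    elif default_realm not in realms:
        findings.append(("default-realm-undefined", "realms", default_realm))
    for realm, body in realms.items():
        if not isinstance(body, dict) or not _as_list(body.get("kdc")):
            findings.append(("realm-without-kdc", "realms", realm))
    for host, realm in cfg.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(("domain-realm-undefined", "domain_realm", host))
    for key in ENCTYPE_KEYS:
        for enc in " ".join(_as_list(libdefaults.get(key))).split():
            if enc.lower() in DEPRECATED_ENCTYPES:
                findings.append(("deprecated-enctype", key, enc))
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_KRB5_CONF), ("mismatched", MISMATCHED_KRB5_CONF)):
        for finding in lint_krb5_conf(conf):
            print(name, *finding)
```

On the posted file the structural checks pass (the realm, its two KDCs and both domain_realm mappings line up), so the only findings are the nine deprecated enctype entries; on the constructed variant the single finding is the domain_realm line that names an undefined realm.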


[Samba] samba 3.0.0 winbind starting problems.

2003-10-15 Thread Lombardo Federico
I've a little problem starting winbindd, using it on a Redhat 9 Linux, compiled from source.

I've configured nsswitch.conf with winbind and kerberos. Naturally I joined my
ADS realm successfully with the following command: net ads join -U administrator.


Now the problem is that smbd and nmbd work correctly but I can't start
winbindd due to the following error, and I can't work out why. From the
log.winbindd:

[2003/10/15 10:54:24, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.5.13 bcast=192.168.5.255 nmask=255.255.254.0
[2003/10/15 10:54:24, 5] lib/util.c:init_names(270)
  Netbios name list:-
  my_netbios_names[0]=NORAD
[2003/10/15 10:54:24, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.5.13 bcast=192.168.5.255 nmask=255.255.254.0
[2003/10/15 10:54:24, 5] lib/gencache.c:gencache_init(59)
  Opening cache file at /usr/samba/var/locks/gencache.tdb
[2003/10/15 10:54:24, 5] libsmb/namecache.c:namecache_enable(58)
  namecache_enable: enabling netbios namecache, timeout 660 seconds
[2003/10/15 10:54:24, 0] nsswitch/winbindd_util.c:winbindd_param_init(445)
  winbindd: idmap uid range missing or invalid
[2003/10/15 10:54:24, 0] nsswitch/winbindd_util.c:winbindd_param_init(446)
  winbindd: cannot continue, exiting.


Naturally my smb.conf is:

[global]
encrypt passwords = Yes
workgroup = MYREALM.IT
server string = norad
security = ads
log file = /var/log/samba/log.%m
max log size = 50
password server = MASTER BDC
realm = MYREALM.IT
passdb backend = tdbsam
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
wins server = 192.168.5.1 192.168.0.1
wins proxy = yes
dns proxy = yes
[public]
comment = nora-d ? chi e` nora-d ?
writeable = yes
public = yes
browseable = yes
path = /home/samba
read only = No
create mask = 0777
directory mask = 0777
guest ok = No
;*** winbindd **
winbind separator = \
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/bash
winbind uid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes



It is quite stupid, ok?

When I start winbindd with the following option I receive:

winbindd version 3.0.0 started.
Copyright The Samba Team 2000-2003
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
/usr/samba/lib/smb.conf
Processing section [global]
doing parameter encrypt passwords = Yes
doing parameter workgroup = MYREALM.IT
doing parameter server string = norad
doing parameter security = ads
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter password server = MASTER BDC
doing parameter realm = MYREALM.IT
doing parameter passdb backend = tdbsam
doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter wins server = 192.168.5.1 192.168.0.1
doing parameter wins proxy = yes
doing parameter dns proxy = yes
Processing section [public]
doing parameter comment = nora-d ? chi e` nora-d ?
doing parameter writeable = yes
doing parameter public = yes
doing parameter browseable = yes
doing parameter path = /home/samba
doing parameter read only = No
doing parameter create mask = 0777
doing parameter directory mask = 0777
doing parameter guest ok = No
doing parameter winbind separator = +
Global parameter winbind separator found in service section!
doing parameter winbind cache time = 10
Global parameter winbind cache time found in service section!
doing parameter template homedir = /home/%D/%U
Global parameter template homedir found in service section!
doing parameter template shell = /bin/bash
Global parameter template shell found in service section!
doing parameter winbind uid = 1-2
Global parameter winbind uid found in service section!
doing parameter winbind gid = 1-2
Global parameter winbind gid found in service section!
doing parameter winbind enum users = yes
Global parameter winbind enum users found in service section!
doing parameter winbind enum groups = yes
Global parameter winbind enum groups found in service section!
doing parameter winbind use default domain = yes
Global parameter winbind use default domain found in service section!
pm_process() returned Yes
lp_servicenumber: couldn't find homes
adding IPC service
adding IPC service
set_server_role: role = ROLE_DOMAIN_MEMBER
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
added interface ip=192.168.5.13 bcast=192.168.5.255 nmask=255.255.254.0
Netbios name list:-
my_netbios_names[0]=NORAD
added interface ip=192.168.5.13 bcast=192.168.5.255 nmask=255.255.254.0
Opening cache file
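The winbindd trace above already names the cause: each winbind and template parameter is answered with "Global parameter ... found in service section!" and dropped, because the ";*** winbindd **" line is only a comment and everything after it still belongs to [public]; winbindd_param_init then finds no idmap range and exits. The Python script below is an added example, not code from the post and not Samba's own parser. It reads an smb.conf the way that log suggests checking it: it flags global-only winbind parameters that sit under a share instead of [global], treats "winbind uid/gid" as the Samba 3.0 synonyms for "idmap uid/gid", and validates the "low-high" ranges winbindd requires. It runs on a trimmed copy of the posted smb.conf and on a constructed copy with the winbindd block moved into [global].

```python
import re

# winbind/idmap parameters smb.conf accepts only in [global]; Samba's parser
# logs "Global parameter X found in service section!" and ignores them
# elsewhere. The set is limited to the parameters seen in the posts above.
GLOBAL_ONLY = {
    "winbind separator", "winbind cache time", "template homedir",
    "template shell", "idmap uid", "idmap gid", "winbind uid", "winbind gid",
    "winbind enum users", "winbind enum groups", "winbind use default domain",
}
# Samba 3.0 keeps "winbind uid/gid" as legacy synonyms of "idmap uid/gid".
LEGACY_NAME = {"idmap uid": "winbind uid", "idmap gid": "winbind gid"}

# Sample input: the posted smb.conf trimmed to the lines that matter. The
# ';*** winbindd **' marker is a comment, so the lines below it are still
# parameters of the [public] share.
POSTED_SMB_CONF = """
[global]
workgroup = MYREALM.IT
security = ads
realm = MYREALM.IT
password server = MASTER BDC
[public]
path = /home/samba
read only = No
;*** winbindd **
winbind separator = +
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/bash
winbind uid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
"""

# Constructed fix: the same parameters placed under [global], with an
# idmap range chosen here for illustration (not taken from the post).
FIXED_SMB_CONF = """
[global]
workgroup = MYREALM.IT
security = ads
realm = MYREALM.IT
password server = MASTER BDC
winbind separator = +
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/bash
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
[public]
path = /home/samba
read only = No
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised parameter names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # comment lines never open a section
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())  # collapse internal whitespace
        sections[current][key] = value.strip()
    return sections


def parse_idmap_range(value):
    """Return (low, high) for a 'low-high' range, or None if missing or invalid."""
    m = re.match(r"^\s*(\d+)\s*-\s*(\d+)\s*$", value or "")
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low <= high else None


def lint_smb_conf(text):
    """Return (check, section, parameter) tuples for the problems winbindd would log."""
    cfg = parse_smb_conf(text)
    findings = []
    for section, params in cfg.items():
        if section == "global":
            continue
        for key in params:
            if key in GLOBAL_ONLY:
                findings.append(("global-param-in-service", section, key))
    glob = cfg.get("global", {})
    if glob.get("security", "").lower() in ("ads", "domain"):
        for canonical, legacy in LEGACY_NAME.items():
            value = glob.get(canonical, glob.get(legacy))
            if parse_idmap_range(value) is None:
                findings.append(("idmap-range-missing-or-invalid", "global", canonical))
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(name, lint_smb_conf(conf) or "no findings")
```

On the posted file the linter reports the nine winbind parameters sitting under [public] and the two missing idmap ranges in [global], which is the same pair of complaints winbindd prints; on the constructed fix it reports nothing.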