Re: [squid-users] Urgent Samba / Squid NTLM Auth Problems
Dear sir,

I did all of your recommended steps from the document, step by step. I succeeded in joining the domain and Active Directory; I can see the domain users and groups, and the kinit command works properly:

    net ads testjoin
    Join is OK
    net ads join administrator
    Joined 'squid-server' to realm 'TEST.COM'

But ntlm_auth does not work properly. I have the following error when I run it:

    ntlm_auth --username=administrator
    password:
    ** NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc0da)

When I run squid and set the machine as proxy, squid authenticates but does not accept the user. When I browse some web pages, it brings up the dialog box containing user, password and domain, but does not accept them. We have the following error in my winbind logs:

    [2005/10/30 14:02:11, 0] nsswitch/winbindd_util.c:get_trust_pw(1033)
      get_trust_pw: could not fetch trust account password for my domain TEST.COM

Can anybody help me? How can I solve this problem?

Regards
Abbas Salehi

----- Original Message -----
From: Dave Raven [EMAIL PROTECTED]
To: 'Serassio Guido' [EMAIL PROTECTED]; 'Ian Barnes' [EMAIL PROTECTED]; squid-users@squid-cache.org
Sent: Tuesday, November 08, 2005 6:49 PM
Subject: RE: [squid-users] Urgent Samba / Squid NTLM Auth Problems

> Hi all,
>
> I'm currently working on this problem with Ian. It seems like ntlm_auth is handling the requests fine -
>
>     [EMAIL PROTECTED] /usr/local/bin # ./ntlm_auth --username=ianb --configfile=/usr/local/etc/smb.conf
>     password:
>     NT_STATUS_OK: Success (0x0)
>
> It also works through squid when using wget:
>
>     [2005/11/08 17:15:09, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
>       NT_STATUS_OK: Success (0x0)
>
> Note that it says check_plaintext_auth though; when using a browser (e.g. IE) we see the following messages:
>
>     [2005/11/08 15:16:36, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
>       Got user=[IANB] domain=[MASTERMIND] workstation=[IANB] len1=24 len2=24
>     [2005/11/08 15:16:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
>       Login for user [EMAIL PROTECTED] failed due to [Wrong Password]
>
> Why is it using a different method? It seems like the problem only occurs when it doesn't use check_plaintext_auth. Is there anything we can do to learn more?
>
> Thanks for all the help so far
> Dave
RE: [squid-users] Urgent Samba / Squid NTLM Auth Problems
Hi Abbas,

Unfortunately we're still experimenting with ntlm_auth ourselves - it would probably be best to ask the samba user group your question. I suspect your smb.conf may not be set up correctly...

Does anyone have any ideas on our problem below? Sorry to nag - we're willing to try anything.

Thanks
Dave

-----Original Message-----
From: Abbas Salehi [mailto:[EMAIL PROTECTED]
Sent: 09 November 2005 12:22 PM
To: Dave Raven
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Urgent Samba / Squid NTLM Auth Problems

> Dear sir,
>
> I did all of your recommended steps from the document, step by step. I succeeded in joining the domain and Active Directory; I can see the domain users and groups, and the kinit command works properly:
>
>     net ads testjoin
>     Join is OK
>     net ads join administrator
>     Joined 'squid-server' to realm 'TEST.COM'
>
> But ntlm_auth does not work properly. I have the following error when I run it:
>
>     ntlm_auth --username=administrator
>     password:
>     ** NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc0da)
>
> When I run squid and set the machine as proxy, squid authenticates but does not accept the user. When I browse some web pages, it brings up the dialog box containing user, password and domain, but does not accept them. We have the following error in my winbind logs:
>
>     [2005/10/30 14:02:11, 0] nsswitch/winbindd_util.c:get_trust_pw(1033)
>       get_trust_pw: could not fetch trust account password for my domain TEST.COM
>
> Can anybody help me? How can I solve this problem?
>
> Regards
> Abbas Salehi
>
> ----- Original Message -----
> From: Dave Raven [EMAIL PROTECTED]
> To: 'Serassio Guido' [EMAIL PROTECTED]; 'Ian Barnes' [EMAIL PROTECTED]; squid-users@squid-cache.org
> Sent: Tuesday, November 08, 2005 6:49 PM
> Subject: RE: [squid-users] Urgent Samba / Squid NTLM Auth Problems
>
> > Hi all,
> >
> > I'm currently working on this problem with Ian. It seems like ntlm_auth is handling the requests fine -
> >
> >     [EMAIL PROTECTED] /usr/local/bin # ./ntlm_auth --username=ianb --configfile=/usr/local/etc/smb.conf
> >     password:
> >     NT_STATUS_OK: Success (0x0)
> >
> > It also works through squid when using wget:
> >
> >     [2005/11/08 17:15:09, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
> >       NT_STATUS_OK: Success (0x0)
> >
> > Note that it says check_plaintext_auth though; when using a browser (e.g. IE) we see the following messages:
> >
> >     [2005/11/08 15:16:36, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
> >       Got user=[IANB] domain=[MASTERMIND] workstation=[IANB] len1=24 len2=24
> >     [2005/11/08 15:16:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
> >       Login for user [EMAIL PROTECTED] failed due to [Wrong Password]
> >
> > Why is it using a different method? It seems like the problem only occurs when it doesn't use check_plaintext_auth. Is there anything we can do to learn more?
> >
> > Thanks for all the help so far
> > Dave
RE: [squid-users] Urgent Samba / Squid NTLM Auth Problems
Okay, I have an update with more progress - it seems the problem is only to do with ntlmssp. If I only have a basic authenticator - which looks like the following - it works perfectly:

    auth_param basic program /usr/optec/ntlm_auth.sh basic
    auth_param basic children 10
    auth_param basic realm server.opteqint.net Cache NTLM Authentication
    auth_param basic credentialsttl 2 hours

(ntlm_auth.sh runs the ntlm_auth squid-2.5-basic helper)

I see the following debug messages:

    [2005/11/09 13:20:43, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
      NT_STATUS_OK: Success (0x0)

However, when I use ntlmssp in the squid config, shown below, it does not work:

    auth_param ntlm program /usr/optec/ntlm_auth.sh ntlmssp
    auth_param ntlm children 10
    auth_param ntlm use_ntlm_negotiate yes

I see the following debug messages:

    [2005/11/09 13:22:37, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
      Got user=[ianb] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24
    [2005/11/09 13:22:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
      Login for user [EMAIL PROTECTED] failed due to [Wrong Password]

If I type ian instead of ianb, I see an error saying the user does not exist. This must mean that somehow the wrong password is being passed in the wrong way - even though it is typed right.

For anyone who hasn't read the rest of this thread please note: this only happens with the security option on the AD server set to ONLY allow NTLMv2/LMv2 and not anything else. If we turn that off it works perfectly...

As I understand it the password doesn't come to squid in plaintext when it's using ntlmssp, and I believe that there is some kind of handling problem with that now? If I type in the password on the command line with the ntlm_auth program, it is able to validate it just fine using NTLMv2 - enforcing my belief that something is wrong here...

Any suggestions AT ALL would be appreciated...

Thanks
Dave
RE: [squid-users] Urgent Samba / Squid NTLM Auth Problems
Hi Guido,

Thanks for the help, I feel kinda daft for not looking in the file first. Anyway, this hasn't resolved the problem. We upgraded our squid (to 2.5Stable12), and samba to 3.0.20b. Once we upgraded squid, the ntlm_auth program was different so we used the samba ntlm_auth instead.

What does the auth_param use_ntlm_negotiate on|off actually do? Is it reliant on a certain helper? Because that didn't make any difference to the outcome. We were told to put this option into our smb.conf to enable NTLMv2: client ntlmv2 auth = yes; would this have any effect on what's happening? Adding that option makes all the difference with our setup - with it wbinfo -a works perfectly, without it we see the same error squid is getting.

Here is a copy of the error message again:

    [2005/11/08 15:16:36, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
      Got user=[IANB] domain=[MASTERMIND] workstation=[IANB] len1=24 len2=24
    [2005/11/08 15:16:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
      Login for user [EMAIL PROTECTED] failed due to [Wrong Password]

If we however turn off the option in AD (i.e. let it allow all authentication types), this doesn't happen, but I am assuming that is because it isn't using NTLMv2 then and only NTLM?

Thanks,
Ian

-----Original Message-----
From: Serassio Guido [mailto:[EMAIL PROTECTED]
Sent: 07 November 2005 11:45 PM
To: Ian Barnes; squid-users@squid-cache.org
Subject: Re: [squid-users] Urgent Samba / Squid NTLM Auth Problems

> Hi,
>
> At 22.22 07/11/2005, Ian Barnes wrote:
>
> > Our squid.conf looks like this:
> >
> >     auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d9
> >     auth_param ntlm max_challenge_reuses 0
> >     auth_param ntlm max_challenge_lifetime 2 minutes
> >     auth_param ntlm children 2
>
> I wonder: even though you have done a very detailed report, you haven't read the squid.conf comments before :-)
>
> From 2.5 STABLE12 squid.conf:
>
>     # use_ntlm_negotiate on|off
>     # Enables support for NTLM NEGOTIATE packet exchanges with the helper.
>     # The configured ntlm authenticator must be able to handle NTLM
>     # NEGOTIATE packet. See the authenticator programs documentation if
>     # unsure. ntlm_auth from Samba-3.0.2 or later supports the use of this
>     # option.
>     # The NEGOTIATE packet is required to support NTLMv2 and a
>     # number of other negotiable NTLMSSP options, and also makes it
>     # more likely the negotiation is successful.
>
> So in squid.conf you need:
>
>     auth_param ntlm use_ntlm_negotiate on
>
> Please note:
>
>     auth_param ntlm children 2
>
> This is far too low a value; on a loaded proxy you must set it to a much higher value such as 20, 30 or more. You must monitor the helpers' usage to find the correct value.
>
> Regards
> Guido
>
> -
> Guido Serassio
> Acme Consulting S.r.l. - Microsoft Certified Partner
> Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135 Fax. : +39.011.9781115
> Email: [EMAIL PROTECTED]
> WWW: http://www.acmeconsulting.it/
RE: [squid-users] Urgent Samba / Squid NTLM Auth Problems
Hi Ian,

At 14.34 08/11/2005, Ian Barnes wrote:

> Hi Guido,
>
> Thanks for the help, I feel kinda daft for not looking in the file first. Anyway, this hasn't resolved the problem. We upgraded our squid (to 2.5Stable12), and samba to 3.0.20b. Once we upgraded squid, the ntlm_auth program was different so we used the samba ntlm_auth instead.

You must use the ntlm_auth program provided with your running Samba.

> What does the auth_param use_ntlm_negotiate on|off actually do?

Look here, there is a detailed description of how NTLM over HTTP works:

http://davenport.sourceforge.net/ntlm.html

Using the previous page as reference, use_ntlm_negotiate does the following: when enabled, the Type 1 message is passed to the helper for the challenge (Type 2 message) generation; when disabled, the helper uses a self-created Type 1 message for challenge generation.

What does this mean? NTLMv2 needs to be negotiated between client and server, so it cannot be used when use_ntlm_negotiate is off.

> Is it reliant on a certain helper? Because that didn't make any difference to the outcome. We were told to put this option into our smb.conf to enable NTLMv2: client ntlmv2 auth = yes; would this have any effect on what's happening?

In the Samba configuration manual, about client ntlmv2 auth you can read:

    This parameter determines whether or not smbclient(8) will attempt to authenticate itself to servers using the NTLMv2 encrypted password response.

So, it should not be related to ntlm_auth, but only the Samba guys know this exactly.

> Adding that option makes all the difference with our setup - with it wbinfo -a works perfectly, without it we see the same error squid is getting.
>
> Here is a copy of the error message again:
>
>     [2005/11/08 15:16:36, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
>       Got user=[IANB] domain=[MASTERMIND] workstation=[IANB] len1=24 len2=24
>     [2005/11/08 15:16:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
>       Login for user [EMAIL PROTECTED] failed due to [Wrong Password]
>
> If we however turn off the option in AD (i.e. let it allow all authentication types), this doesn't happen, but I am assuming that is because it isn't using NTLMv2 then and only NTLM?

Really I don't know if Samba works correctly in an NTLMv2-only environment, but I'm sure that NTLMv2 works fine in the Squid Windows port using use_ntlm_negotiate on, your domain settings and a native Windows NTLM authentication helper. So, I think that your problems should be related to Samba.

Regards
Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
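Guido's description of the Type 1 / Type 2 / Type 3 exchange above, and the `len1=24 len2=24` entries in the Samba log that Dave and Ian quote, can both be checked against the NTLMSSP messages themselves. The following Python is an added example, not code from this thread, from Squid or from Samba: it parses NEGOTIATE (Type 1) and AUTHENTICATE (Type 3) messages per MS-NLMP, renders the same fields Samba's ntlmssp_server_auth() logs, and classifies the NT response by its shape (an NTLMv1-family response is always 24 bytes; an NTLMv2 response is a 16-byte HMAC followed by a longer client-challenge blob). The user/domain/workstation values are taken from the thread's log lines, while the response bytes and the builder that wraps them are constructed for the demonstration and carry no real hashes.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, AUTHENTICATE = 1, 3
# NegotiateFlags bits (MS-NLMP) that bear on which NTLM variant ends up in use
FLAGS = {0x1: "UNICODE", 0x2: "OEM", 0x80: "LM_KEY", 0x200: "NTLM",
         0x80000: "EXTENDED_SESSIONSECURITY", 0x20000000: "128", 0x80000000: "56"}

def _check_header(buf, expected_type):
    if len(buf) < 16 or buf[:8] != SIGNATURE or struct.unpack_from("<I", buf, 8)[0] != expected_type:
        raise ValueError("not an NTLMSSP message of type %d" % expected_type)

def _field(buf, at):
    """Read a security buffer (Len, MaxLen, Offset) and return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, at)
    if offset + length > len(buf):
        raise ValueError("security buffer runs past the end of the message")
    return buf[offset:offset + length]

def flag_names(flags):
    return [name for bit, name in sorted(FLAGS.items()) if flags & bit]

def parse_negotiate(buf):
    """Type 1 (NEGOTIATE): the flags the client offers; use_ntlm_negotiate forwards this message."""
    _check_header(buf, NEGOTIATE)
    return flag_names(struct.unpack_from("<I", buf, 12)[0])

def parse_authenticate(buf):
    """Type 3 (AUTHENTICATE): identity fields plus a verdict on the NT response variant."""
    _check_header(buf, AUTHENTICATE)
    if len(buf) < 64:
        raise ValueError("AUTHENTICATE message shorter than its fixed 64-byte header")
    lm, nt = _field(buf, 12), _field(buf, 20)
    flags = struct.unpack_from("<I", buf, 60)[0]
    codec = "utf-16-le" if flags & 0x1 else "ascii"
    domain, user, ws = (_field(buf, at).decode(codec) for at in (28, 36, 44))
    if len(nt) == 0:
        kind = "anonymous"
    elif len(nt) == 24 and len(lm) == 24 and lm[8:] == bytes(16):
        kind = "NTLMv1 (NTLM2 session)"  # 8-byte client nonce, zero-padded, in the LM slot
    elif len(nt) == 24:
        kind = "NTLMv1"  # fixed 24-byte DES response; an NTLMv2-only DC refuses it
    elif nt[16:18] == b"\x01\x01":
        kind = "NTLMv2"  # 16-byte HMAC, then NTLMv2_CLIENT_CHALLENGE (RespType 1, HiRespType 1)
    else:
        kind = "unknown"
    return {"user": user, "domain": domain, "workstation": ws, "lm_len": len(lm),
            "nt_len": len(nt), "nt_kind": kind, "flags": flag_names(flags)}

def samba_style_line(info):
    """Render the fields the way Samba's ntlmssp_server_auth() logs them."""
    return "Got user=[%s] domain=[%s] workstation=[%s] len1=%d len2=%d" % (
        info["user"], info["domain"], info["workstation"], info["lm_len"], info["nt_len"])

def build_authenticate(user, domain, workstation, lm_resp, nt_resp, flags=0x201):
    """Constructed Type 3 message for testing; the responses are dummy bytes, not real hashes."""
    codec = "utf-16-le" if flags & 0x1 else "ascii"
    items = [lm_resp, nt_resp, domain.encode(codec), user.encode(codec),
             workstation.encode(codec), b""]  # trailing empty item: EncryptedRandomSessionKey
    fields, payload, offset = b"", b"", 64    # payload starts right after NegotiateFlags
    for item in items:
        fields += struct.pack("<HHI", len(item), len(item), offset)
        payload += item
        offset += len(item)
    return SIGNATURE + struct.pack("<I", AUTHENTICATE) + fields + struct.pack("<I", flags) + payload

if __name__ == "__main__":
    sample = build_authenticate("ianb", "MASTERMIND", "LUCY", b"\x11" * 24, b"\x22" * 24)
    print(samba_style_line(parse_authenticate(sample)), parse_authenticate(sample)["nt_kind"])
```

Fed a captured Type 3 message from the proxy, the verdict tells you whether the browser actually sent an NTLMv2 response or fell back to the 24-byte NTLMv1 form, which is the first thing to establish when a domain controller configured to accept only NTLMv2 reports a wrong password.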
RE: [squid-users] Urgent Samba / Squid NTLM Auth Problems
Hi all,

I'm currently working on this problem with Ian. It seems like ntlm_auth is handling the requests fine -

    [EMAIL PROTECTED] /usr/local/bin # ./ntlm_auth --username=ianb --configfile=/usr/local/etc/smb.conf
    password:
    NT_STATUS_OK: Success (0x0)

It also works through squid when using wget:

    [2005/11/08 17:15:09, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
      NT_STATUS_OK: Success (0x0)

Note that it says check_plaintext_auth though; when using a browser (e.g. IE) we see the following messages:

    [2005/11/08 15:16:36, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
      Got user=[IANB] domain=[MASTERMIND] workstation=[IANB] len1=24 len2=24
    [2005/11/08 15:16:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
      Login for user [EMAIL PROTECTED] failed due to [Wrong Password]

Why is it using a different method? It seems like the problem only occurs when it doesn't use check_plaintext_auth. Is there anything we can do to learn more?

Thanks for all the help so far
Dave
Re: [squid-users] Urgent Samba / Squid NTLM Auth Problems
Hi,

At 22.22 07/11/2005, Ian Barnes wrote:

> Our squid.conf looks like this:
>
>     auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d9
>     auth_param ntlm max_challenge_reuses 0
>     auth_param ntlm max_challenge_lifetime 2 minutes
>     auth_param ntlm children 2

I wonder: even though you have done a very detailed report, you haven't read the squid.conf comments before :-)

From 2.5 STABLE12 squid.conf:

    # use_ntlm_negotiate on|off
    # Enables support for NTLM NEGOTIATE packet exchanges with the helper.
    # The configured ntlm authenticator must be able to handle NTLM
    # NEGOTIATE packet. See the authenticator programs documentation if
    # unsure. ntlm_auth from Samba-3.0.2 or later supports the use of this
    # option.
    # The NEGOTIATE packet is required to support NTLMv2 and a
    # number of other negotiable NTLMSSP options, and also makes it
    # more likely the negotiation is successful.

So in squid.conf you need:

    auth_param ntlm use_ntlm_negotiate on

Please note:

    auth_param ntlm children 2

This is far too low a value; on a loaded proxy you must set it to a much higher value such as 20, 30 or more. You must monitor the helpers' usage to find the correct value.

Regards
Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/