Re: Winbind/ntlm_auth issues




Andrew,

I think you nailed it.  I was running 3.0 from RHEL5.  I'm seeing much more promising results so far with 3.6.  

Thanks,

Josh
________________________________________
From: Andrew Bartlett [abartlet@xxxxxxxxx]
Sent: Thursday, July 19, 2012 5:25 PM
To: Baird, Josh
Cc: samba@xxxxxxxxxxxxxxx
Subject: Re:  Winbind/ntlm_auth issues

On Thu, 2012-07-19 at 15:11 +0000, Baird, Josh wrote:
> Hi,
>
> I'm struggling to get squid+ntlm_auth working correctly.  I have successfully joined the domain, and I am able to successfully enumerate groups and users using wbinfo.  I can also successfully run "wbinfo -a."
>
> However, once I configure Squid to use ntlm_auth per:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debug-level=10 --nt-response
> auth_param ntlm children 5
> auth_param ntlm keep_alive on
>
> .. Squid does not authenticate and prompts me for credentials.  My domain credentials do not work, and this is displayed in Samba/WB's log:
>
> [2012/07/19 09:58:14, 0] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
>   winbindd_pam_auth_crap: invalid password length 24/336
>
> Does anyone have any ideas on what is causing this?  I apologize that this message is Squid-related, but I can't seem to find any answers elsewhere.

This looks like a Samba issue to me.  Try a much more recent version of
Samba.  I see code in current master for a BIG_NTLMV2_BLOB that smells
exactly like what you have here.  Long domain names are padding out one
of the response values (the 336) and going over an internal arbitrary
limit that shouldn't have been there.

The fix is in:

commit 9264f4891484b0316e8e574e256ca0b0a5e9f007
Author: Günther Deschner <gd@xxxxxxxxx>
Date:   Tue Sep 1 11:58:05 2009 +0200

    wbclient: Fix Bug #6680: always activate handling of large (> 256 byte) ntlmv2
    blobs in wbcAuthenticateUserEx().

    Guenther


Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
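
An added example, not part of the original messages and not Samba code: a small Python scanner for winbindd logs that finds the error quoted in this thread and reports how far the larger response exceeds the 256-byte size named in the commit message. Treating 256 bytes as the enforced limit and the name `find_rejected_responses` are assumptions of this example; the sample log is the thread's excerpt plus constructed lines.

```python
import re

# Threshold taken from the commit message quoted above ("> 256 byte").
# Assumption of this example: affected winbindd builds reject any response
# longer than this.
LEGACY_LIMIT = 256
NTLMV2_PROOF_LEN = 16  # an NTLMv2 response is a 16-byte HMAC plus a variable blob

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)[^\]]*\]\s+(\S+)")
ERROR = re.compile(r"winbindd_pam_auth_crap: invalid password length (\d+)/(\d+)")

def find_rejected_responses(lines):
    """Pair each 'invalid password length' message with its log header and
    say whether the 256-byte limit explains the rejection."""
    findings, stamp, source = [], None, None
    for line in lines:
        header = HEADER.match(line)
        if header:  # Samba writes a header line, then the indented message
            stamp, source = header.groups()
            continue
        error = ERROR.search(line)
        if not error:
            continue
        lengths = [int(n) for n in error.groups()]
        largest = max(lengths)
        oversize = largest > LEGACY_LIMIT
        findings.append({
            "time": stamp,
            "source": source,
            "lengths": lengths,
            "oversize_ntlmv2": oversize,
            "over_limit_by": max(0, largest - LEGACY_LIMIT),
            # Size of the variable blob that follows the 16-byte proof.
            "blob_len": largest - NTLMV2_PROOF_LEN if oversize else None,
        })
    return findings

# First entry is the log excerpt from the thread; the rest is constructed.
SAMPLE_LOG = """\
[2012/07/19 09:58:14, 0] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
  winbindd_pam_auth_crap: invalid password length 24/336
[2012/07/19 09:58:20, 3] nsswitch/winbindd_misc.c:winbindd_ping(235)
  [ 1234]: ping
[2012/07/19 10:02:41, 0] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
  winbindd_pam_auth_crap: invalid password length 24/300
""".splitlines()

if __name__ == "__main__":
    for f in find_rejected_responses(SAMPLE_LOG):
        print(f["time"], f["lengths"], "over limit by", f["over_limit_by"])
```

Entries flagged `oversize_ntlmv2` match the symptom discussed here; an entry where neither length exceeds 256 has a different cause and needs separate investigation.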
