[squid-users] NTLMv2 issue caused by Samba's Winbind helper

2008-10-29 Thread Jamie Stallwood
Hi,

One of my customers has had issues with authenticating Vista machines when
using the Samba 2.0 winbind authenticator program in Squid. The NTLM
authenticator returned:
Login for user [EMAIL PROTECTED] failed due to [Invalid parameter]

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

The issue is that the KK string sent by the client can, if the DNS name of
the AD domain is quite long, contain an NTLM response section 256 bytes,
which can't be copied into the buffer space in the external program. This is
only an issue if NTLMv2 authentication is the minimum negotiated with the
client (i.e. Vista default).

I ended up writing a hack in Squid's auth_ntlm.cc to trim the packet back as
some of the fields in the packet sent by IE are optional and could be
removed.
(http://linux-blog.project76.co.uk/archives/2008_10_01_archive.html)

This is caused by Samba - does anyone know if this will ever be fixed
properly?

Kind regards
Jamie Stallwood
 
--
Jamie Stallwood
Security Specialist
Imerja Ltd
 
[EMAIL PROTECTED]

Public Key: RSA/4096  31D0 4975 29BD CAB5 ABD5 5345 E8E2 7BBD 41FA DC77
Available from http://pgp.mit.edu:11371/ (0x41FADC77)
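
A diagnostic for the condition described in the message above, as an added example that is not part of the original post and is not Squid or Samba code: it decodes a `KK` line, reads the security-buffer table of the NTLMSSP type 3 message it carries, and lists the fields longer than a limit. The 256-byte limit is the figure quoted in the post, and `build_type3` produces constructed sample messages; both are assumptions.

```python
import base64
import struct

HELPER_LIMIT = 256  # figure quoted in the post; real helper buffer size is an assumption
# Security-buffer descriptors of an NTLMSSP AUTHENTICATE (type 3) message:
# field name -> offset of its (Len u16, MaxLen u16, Offset u32) triple.
FIELDS = {"lm_response": 12, "nt_response": 20, "domain": 28,
          "user": 36, "workstation": 44, "session_key": 52}


def parse_kk(line):
    """Decode a 'KK <base64>' helper line and return {field name: bytes}."""
    verb, _, blob = line.strip().partition(" ")
    if verb != "KK":
        raise ValueError("not a KK line")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\0":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE (type 3) message")
    out = {}
    for name, pos in FIELDS.items():
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
        if offset + length > len(msg):  # descriptor points outside the packet
            raise ValueError(f"{name}: field overruns message")
        out[name] = msg[offset:offset + length]
    return out


def oversized(fields, limit=HELPER_LIMIT):
    """Names of fields that a fixed buffer of 'limit' bytes could not hold."""
    return sorted(n for n, v in fields.items() if len(v) > limit)


def build_type3(nt_response, domain="EXAMPLE", user="alice", host="WS1"):
    """Constructed sample: a minimal type 3 message without Version or MIC."""
    parts = [b"\0" * 24, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), host.encode("utf-16-le"), b""]
    header, payload, offset = b"NTLMSSP\0" + struct.pack("<I", 3), b"", 64
    for p in parts:
        header += struct.pack("<HHI", len(p), len(p), offset)
        payload += p
        offset += len(p)
    header += struct.pack("<I", 0)  # NegotiateFlags, not read by parse_kk
    return "KK " + base64.b64encode(header + payload).decode()


if __name__ == "__main__":
    print(oversized(parse_kk(build_type3(bytes(16) + bytes(300)))))
```

An NTLMv1 response is a fixed 24 bytes, while an NTLMv2 response embeds the server's target information (including the DNS domain name), which is why only the NTLMv2 sample crosses the limit.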
 






Re: [squid-users] NTLMv2 issue caused by Samba's Winbind helper

2008-10-29 Thread Amos Jeffries

Jamie Stallwood wrote:

> Hi,
>
> One of my customers has had issues with authenticating Vista machines when
> using the Samba 2.0 winbind authenticator program in Squid. The NTLM
> authenticator returned:
> Login for user [EMAIL PROTECTED] failed due to [Invalid parameter]
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>
> The issue is that the KK string sent by the client can, if the DNS name of
> the AD domain is quite long, contain an NTLM response section 256 bytes,
> which can't be copied into the buffer space in the external program. This is
> only an issue if NTLMv2 authentication is the minimum negotiated with the
> client (i.e. Vista default).
>
> I ended up writing a hack in Squid's auth_ntlm.cc to trim the packet back as
> some of the fields in the packet sent by IE are optional and could be
> removed.
> (http://linux-blog.project76.co.uk/archives/2008_10_01_archive.html)
>
> This is caused by Samba - does anyone know if this will ever be fixed
> properly?


The Kerberos 'KK' buffers were expanded to 32KB in 3.0stable10 and 
2.7stable5.


The Squid bundled Kerberos helper was updated to version 1.0.3 starting
with Squid 3.1. Not sure about its current status in 2.x.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.1


Re: [squid-users] NTLMv2 issue caused by Samba's Winbind helper

2008-10-29 Thread Henrik Nordstrom
On Wed, 2008-10-29 at 17:23 +, Jamie Stallwood wrote:

> This is caused by Samba - does anyone know if this will ever be fixed
> properly?

Have you verified that it isn't fixed already?

Samba 2.0 is quite dated.. Current production Samba release is 3.2.4 and
the legacy version is 3.0.32.

Regards
Henrik




Re: [squid-users] NTLMv2

2004-02-14 Thread Kinkie
Henrik Nordstrom [EMAIL PROTECTED] writes:

> On Fri, 13 Feb 2004 [EMAIL PROTECTED] wrote:
>
>> is there any plan to support NTLMv2 authentication through winbind helpers
>> in the next releases of Squid ?
>
> Yes. It should already work with Samba-3.0.2 and the current Squid nightly
> snapshots, but has not yet been verified. See the Squid release notes for
> the nightly snapshots.

I'm about to run such a test, hopefully as soon as next Monday.

-- 
kinkie (kinkie-squid [at] kinkie [dot] it)
Random fortune, unrelated to the message:
Three actors, Tom, Fred, and Cec, wanted to do the jousting scene
from Don Quixote for a local TV show.  I'll play the title role, proposed
Tom.  Fred can portray Sancho Panza, and Cecil B. De Mille.


[squid-users] NTLMv2

2004-02-13 Thread antonio . manfreda
Hello,

is there any plan to support NTLMv2 authentication through winbind helpers
in the next releases of Squid ?

Best regards,

Antonio Manfreda
Easynet srl c/o Reale Mutua Assicurazioni
Ufficio Architettura Tecnica
Area Security
[EMAIL PROTECTED]
Tel. 011-431-2791






Re: [squid-users] NTLMv2

2004-02-13 Thread Serassio Guido
Hi,

At 15.58 13/02/2004, [EMAIL PROTECTED] wrote:

> Hello,
>
> is there any plan to support NTLMv2 authentication through winbind helpers
> in the next releases of Squid ?
> Best regards,

Yes.

Squid 2.5 STABLE 5 will support NTLMv2 using Samba 3.0.2 ntlm_auth helper.

You can already try it using the latest nightly Squid snapshot.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l.
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426  Fax. : +39.011.3293665
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/


Rif: Re: [squid-users] NTLMv2

2004-02-13 Thread antonio . manfreda

Hello,

And what about wb_ntlmauth and wb_group external acl?

Best regards,

Antonio Manfreda
Easynet srl c/o Reale Mutua Assicurazioni
Ufficio Architettura Tecnica
Area Security
[EMAIL PROTECTED]
Tel. 011-431-2791


   
   







Re: Rif: Re: [squid-users] NTLMv2

2004-02-13 Thread Serassio Guido
Hi,

At 17.34 13/02/2004, [EMAIL PROTECTED] wrote:

> Hello,
>
> And what about wb_ntlmauth and wb_group external acl?

Nothing to do: they are Samba 2 based and Samba 2 doesn't support NTLMv2.

Regards

Guido





Re: [squid-users] NTLMv2

2004-02-13 Thread Henrik Nordstrom
On Fri, 13 Feb 2004 [EMAIL PROTECTED] wrote:

> is there any plan to support NTLMv2 authentication through winbind helpers
> in the next releases of Squid ?

Yes. It should already work with Samba-3.0.2 and the current Squid nightly 
snapshots, but has not yet been verified. See the Squid release notes for 
the nightly snapshots.

Regards
Henrik



[squid-users] NTLMv2

2004-01-14 Thread Antonio Manfreda
Dear all,
I have a simple question about NTLM.

Does Squid support NTLMv2 authentication or just standard NTLM?

Regards,
Antonio Manfreda


Re: [squid-users] NTLMv2

2004-01-14 Thread Henrik Nordstrom
On Tue, 13 Jan 2004, Antonio Manfreda wrote:

> Dear all,
> I have a simple question about NTLM.
>
> Does Squid support NTLMv2 authentication or just standard NTLM?

NTLM and LANMAN.

The Samba helper should support NTLMv2 and NTLM2 as well but is currently
limited by Squid.

Regards
Henrik



[squid-users] NTLMv2

2004-01-13 Thread Antonio Manfreda
Dear all,
I have a question about NTLM.

Does Squid support NTLMv2 authentication or just standard NTLM?

Regards,
Antonio Manfreda



Re: [squid-users] NTLMv2

2004-01-13 Thread Austin Lee
I believe the built-in handlers support standard NTLM. For NTLMv2, you have to
use Samba 3's authenticator, like this:
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp




Re: [squid-users] NTLMv2

2004-01-13 Thread Henrik Nordstrom
On Tue, 13 Jan 2004, Antonio Manfreda wrote:

> Dear all,
> I have a question about NTLM.
>
> Does Squid support NTLMv2 authentication or just standard NTLM?

Just standard NTLM and LANMAN at this time.

The Samba ntlm_auth helper reportedly does support both NTLMv2 and NTLM2 
but the interface to Squid is missing some small details to activate this.

Regards
Henrik