Re: [squid-users] Urgent Samba / Squid NTLM Auth Problems
Dear sir,

I did all of your recommended steps from the document, step by step. I succeeded in joining the domain and Active Directory; I can see the domain users and groups, and the kinit command works properly.

    net ads testjoin
    Join is OK
    net ads join administrator
    Joined 'squid-server' to realm 'TEST.COM'

But ntlm_auth does not work properly. I have the following error when I run it:

    ntlm_auth --username=administrator
    password:
    ** NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc0da)

When I run squid and set the machine as proxy, squid authenticates but does not accept the user. When I browse some web pages, it brings up the dialog box containing user, password and domain, but does not accept them. We have the following error in my winbind logs:

    [2005/10/30 14:02:11, 0] nsswitch/winbindd_util.c:get_trust_pw(1033)
    get_trust_pw: could not fetch trust account password for my domain TEST.COM

Can anybody help me? How can I solve this problem?

Regards
Abbas Salehi

----- Original Message -----
From: Dave Raven [EMAIL PROTECTED]
To: 'Serassio Guido' [EMAIL PROTECTED]; 'Ian Barnes' [EMAIL PROTECTED]; squid-users@squid-cache.org
Sent: Tuesday, November 08, 2005 6:49 PM
Subject: RE: [squid-users] Urgent Samba / Squid NTLM Auth Problems

> Hi all,
>
> I'm currently working on this problem with Ian. It seems like ntlm_auth is handling the requests fine:
>
>     [EMAIL PROTECTED] /usr/local/bin # ./ntlm_auth --username=ianb --configfile=/usr/local/etc/smb.conf
>     password:
>     NT_STATUS_OK: Success (0x0)
>
> It also works through squid when using wget:
>
>     [2005/11/08 17:15:09, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
>     NT_STATUS_OK: Success (0x0)
>
> Note that it says check_plaintext_auth though; when using a browser (e.g. IE) we see the following messages:
>
>     [2005/11/08 15:16:36, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
>     Got user=[IANB] domain=[MASTERMIND] workstation=[IANB] len1=24 len2=24
>     [2005/11/08 15:16:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
>     Login for user [EMAIL PROTECTED] failed due to [Wrong Password]
>
> Why is it using a different method? It seems like the problem only occurs when it doesn't use check_plaintext_auth. Is there anything we can do to learn more?
>
> Thanks for all the help so far
> Dave
RE: [squid-users] Urgent Samba / Squid NTLM Auth Problems
Hi Abbas,

Unfortunately we're still experimenting with ntlm_auth ourselves - it would probably be best to ask the samba user group your question. I suspect your smb.conf may not be set up correctly...

Does anyone have any ideas on our problem below? Sorry to nag - we're willing to try anything.

Thanks
Dave

-----Original Message-----
From: Abbas Salehi [mailto:[EMAIL PROTECTED]
Sent: 09 November 2005 12:22 PM
To: Dave Raven
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Urgent Samba / Squid NTLM Auth Problems

> Dear sir,
>
> I did all of your recommended steps from the document, step by step. I succeeded in joining the domain and Active Directory; I can see the domain users and groups, and the kinit command works properly.
>
>     net ads testjoin
>     Join is OK
>     net ads join administrator
>     Joined 'squid-server' to realm 'TEST.COM'
>
> But ntlm_auth does not work properly. I have the following error when I run it:
>
>     ntlm_auth --username=administrator
>     password:
>     ** NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc0da)
>
> When I run squid and set the machine as proxy, squid authenticates but does not accept the user. When I browse some web pages, it brings up the dialog box containing user, password and domain, but does not accept them. We have the following error in my winbind logs:
>
>     [2005/10/30 14:02:11, 0] nsswitch/winbindd_util.c:get_trust_pw(1033)
>     get_trust_pw: could not fetch trust account password for my domain TEST.COM
>
> Can anybody help me? How can I solve this problem?
>
> Regards
> Abbas Salehi
>
> ----- Original Message -----
> From: Dave Raven [EMAIL PROTECTED]
> To: 'Serassio Guido' [EMAIL PROTECTED]; 'Ian Barnes' [EMAIL PROTECTED]; squid-users@squid-cache.org
> Sent: Tuesday, November 08, 2005 6:49 PM
> Subject: RE: [squid-users] Urgent Samba / Squid NTLM Auth Problems
>
>> Hi all,
>>
>> I'm currently working on this problem with Ian. It seems like ntlm_auth is handling the requests fine:
>>
>>     [EMAIL PROTECTED] /usr/local/bin # ./ntlm_auth --username=ianb --configfile=/usr/local/etc/smb.conf
>>     password:
>>     NT_STATUS_OK: Success (0x0)
>>
>> It also works through squid when using wget:
>>
>>     [2005/11/08 17:15:09, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
>>     NT_STATUS_OK: Success (0x0)
>>
>> Note that it says check_plaintext_auth though; when using a browser (e.g. IE) we see the following messages:
>>
>>     [2005/11/08 15:16:36, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
>>     Got user=[IANB] domain=[MASTERMIND] workstation=[IANB] len1=24 len2=24
>>     [2005/11/08 15:16:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
>>     Login for user [EMAIL PROTECTED] failed due to [Wrong Password]
>>
>> Why is it using a different method? It seems like the problem only occurs when it doesn't use check_plaintext_auth. Is there anything we can do to learn more?
>>
>> Thanks for all the help so far
>> Dave
RE: [squid-users] Urgent Samba / Squid NTLM Auth Problems
Okay, I have an update with more progress - it seems the problem is only to do with ntlmssp. If I only have a basic authenticator, which looks like the following, it works perfectly:

    auth_param basic program /usr/optec/ntlm_auth.sh basic
    auth_param basic children 10
    auth_param basic realm server.opteqint.net Cache NTLM Authentication
    auth_param basic credentialsttl 2 hours

(ntlm_auth.sh runs the ntlm_auth squid-2.5-basic helper)

I see the following debug messages:

    [2005/11/09 13:20:43, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
    NT_STATUS_OK: Success (0x0)

However, when I use ntlmssp in the squid config, shown below, it does not work:

    auth_param ntlm program /usr/optec/ntlm_auth.sh ntlmssp
    auth_param ntlm children 10
    auth_param ntlm use_ntlm_negotiate yes

I see the following debug messages:

    [2005/11/09 13:22:37, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
    Got user=[ianb] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24
    [2005/11/09 13:22:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
    Login for user [EMAIL PROTECTED] failed due to [Wrong Password]

If I type ian instead of ianb, I see an error saying the user does not exist. This must mean that somehow the wrong password is being passed, or passed in the wrong way - even though it is typed right.

For anyone who hasn't read the rest of this thread, please note: this only happens with the security option on the AD server set to ONLY allow NTLMv2/LMv2 and not anything else. If we turn that off it works perfectly...

As I understand it the password doesn't come to squid in plaintext when it's using ntlmssp, and I believe that there is some kind of handling problem with that now? If I type in the password on the command line with the ntlm_auth program, it is able to validate it just fine using NTLMv2 - enforcing my belief that something is wrong here...

Any suggestions AT ALL would be appreciated...

Thanks
Dave
RE: [squid-users] Urgent Samba / Squid NTLM Auth Problems
Hi Guido,

Thanks for the help, I feel kinda daft for not looking in the file first. Anyway, this hasn't resolved the problem. We upgraded our squid (to 2.5Stable12), and samba to 3.0.20b. Once we upgraded squid, the ntlm_auth program was different so we used the samba ntlm_auth instead.

What does the auth_param use_ntlm_negotiate on|off actually do? Is it reliant on a certain helper? Because that didn't make any difference to the outcome. We were told to put this option into our smb.conf to enable NTLMv2: client ntlmv2 auth = yes. Would this have any effect on what's happening? Adding that option makes all the difference with our setup - with it wbinfo -a works perfectly, without it we see the same error squid is getting.

Here is a copy of the error message again:

    [2005/11/08 15:16:36, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
    Got user=[IANB] domain=[MASTERMIND] workstation=[IANB] len1=24 len2=24
    [2005/11/08 15:16:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
    Login for user [EMAIL PROTECTED] failed due to [Wrong Password]

If we however turn off the option in AD (i.e. let it allow all authentication types), this doesn't happen, but I am assuming that is because it isn't using NTLMv2 then and only NTLM?

Thanks,
Ian

-----Original Message-----
From: Serassio Guido [mailto:[EMAIL PROTECTED]
Sent: 07 November 2005 11:45 PM
To: Ian Barnes; squid-users@squid-cache.org
Subject: Re: [squid-users] Urgent Samba / Squid NTLM Auth Problems

> Hi,
>
> At 22.22 07/11/2005, Ian Barnes wrote:
>
>> Our squid.conf looks like this:
>>
>>     auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d9
>>     auth_param ntlm max_challenge_reuses 0
>>     auth_param ntlm max_challenge_lifetime 2 minutes
>>     auth_param ntlm children 2
>
> I wonder: even though you have done a very detailed report, you haven't read the squid.conf comments before :-)
>
> From 2.5 STABLE12 squid.conf:
>
>     # use_ntlm_negotiate on|off
>     # Enables support for NTLM NEGOTIATE packet exchanges with the helper.
>     # The configured ntlm authenticator must be able to handle NTLM
>     # NEGOTIATE packet. See the authenticator programs documentation if
>     # unsure. ntlm_auth from Samba-3.0.2 or later supports the use of this
>     # option.
>     # The NEGOTIATE packet is required to support NTLMv2 and a
>     # number of other negotiable NTLMSSP options, and also makes it
>     # more likely the negotiation is successful.
>
> So in squid.conf you need:
>
>     auth_param ntlm use_ntlm_negotiate on
>
> Please note:
>
>     auth_param ntlm children 2
>
> It is a very low value; on a loaded proxy you must set this to a much higher value, such as 20, 30 or more. You must monitor the helpers' usage to find the correct value.
>
> Regards
> Guido
>
> --
> Guido Serassio
> Acme Consulting S.r.l. - Microsoft Certified Partner
> Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135  Fax. : +39.011.9781115
> Email: [EMAIL PROTECTED]
> WWW: http://www.acmeconsulting.it/
RE: [squid-users] Urgent Samba / Squid NTLM Auth Problems
Hi Ian,

At 14.34 08/11/2005, Ian Barnes wrote:

> Hi Guido,
>
> Thanks for the help, I feel kinda daft for not looking in the file first. Anyway, this hasn't resolved the problem. We upgraded our squid (to 2.5Stable12), and samba to 3.0.20b. Once we upgraded squid, the ntlm_auth program was different so we used the samba ntlm_auth instead.

You must use the ntlm_auth program provided with your running Samba.

> What does the auth_param use_ntlm_negotiate on|off actually do?

Look here, there is a detailed description of how NTLM over HTTP works:
http://davenport.sourceforge.net/ntlm.html

Using the previous page as reference, use_ntlm_negotiate does the following: when enabled, the Type 1 message is passed to the helper for the challenge (Type 2 message) generation; when disabled, the helper uses a self-created Type 1 message for challenge generation.

What does this mean? NTLMv2 needs to be negotiated between client and server, so it cannot be used when use_ntlm_negotiate is off.

> Is it reliant on a certain helper? Because that didn't make any difference to the outcome. We were told to put this option into our smb.conf to enable NTLMv2: client ntlmv2 auth = yes. Would this have any effect on what's happening?

In the Samba configuration manual, about client ntlmv2 auth you can read:

    This parameter determines whether or not smbclient(8) will attempt to authenticate itself to servers using the NTLMv2 encrypted password response.

So, it should not be related to ntlm_auth, but only the Samba guys know this exactly.

> Adding that option makes all the difference with our setup - with it wbinfo -a works perfectly, without it we see the same error squid is getting.
>
> Here is a copy of the error message again:
>
>     [2005/11/08 15:16:36, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
>     Got user=[IANB] domain=[MASTERMIND] workstation=[IANB] len1=24 len2=24
>     [2005/11/08 15:16:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
>     Login for user [EMAIL PROTECTED] failed due to [Wrong Password]
>
> If we however turn off the option in AD (i.e. let it allow all authentication types), this doesn't happen, but I am assuming that is because it isn't using NTLMv2 then and only NTLM?

Really I don't know if Samba works correctly in an NTLMv2-only environment, but I'm sure that NTLMv2 works fine in the Squid Windows port using use_ntlm_negotiate on, your domain settings and a native Windows NTLM authentication helper.

So, I think that your problems should be related to Samba.

Regards
Guido

--
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
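The `len1=24 len2=24` line that recurs in the logs above is the LM and NT response lengths from the browser's NTLMSSP Type 3 message, and those lengths alone tell which dialect the client used: a 24-byte NT response is NTLMv1, while an NTLMv2 response is a 16-byte HMAC plus a variable blob and is always longer, which is relevant when the domain controller is set to refuse LM and NTLM as described in the thread. The following is an added example, not code from the thread, Squid or Samba; it parses a constructed Type 3 message (layout per MS-NLMP) and renders the same fields ntlm_auth logs, and the names `parse_type3`, `samba_log_line`, `build_type3` and the sample messages are this example's own.

```python
"""Classify the NTLMSSP Type 3 (AUTHENTICATE) message a browser sends to Squid.

Added example, not code from the thread, from Squid or from Samba. It reads the
same fields that libsmb/ntlmssp.c logs as
"Got user=[..] domain=[..] workstation=[..] len1=.. len2=.." (len1 = LM response
length, len2 = NT response length) and says whether the client answered the
challenge with NTLMv1 or NTLMv2. Layout follows MS-NLMP; the messages built at
the bottom are constructed samples, not captures from the thread.
"""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16LE when set
AUTHENTICATE_MESSAGE = 3
HEADER_LEN = 64                          # signature .. NegotiateFlags


def _security_buffer(msg, offset):
    """Return the payload bytes described by the (Len, MaxLen, Offset) field at offset."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, offset)
    if start + length > len(msg):
        raise ValueError("security buffer at %d points past the end of the message" % offset)
    return msg[start:start + length]


def parse_type3(msg):
    """Parse an AUTHENTICATE message; return the ntlm_auth log fields plus a verdict."""
    if len(msg) < HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != AUTHENTICATE_MESSAGE:
        raise ValueError("expected Type 3, got Type %d" % msg_type)
    lm_resp = _security_buffer(msg, 12)
    nt_resp = _security_buffer(msg, 20)
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    domain = _security_buffer(msg, 28).decode(enc)
    user = _security_buffer(msg, 36).decode(enc)
    workstation = _security_buffer(msg, 44).decode(enc)
    # NTLMv1: the NT response is a fixed 24-byte DES result (and the LM response
    # is 24 bytes too, exactly the len1=24 len2=24 seen in the thread).
    # NTLMv2: the NT response is a 16-byte HMAC-MD5 followed by a variable-length
    # blob (timestamp, client challenge, target info), so it is always > 24 bytes;
    # its LMv2 companion is still 24 bytes, so len1 alone cannot tell them apart.
    if len(nt_resp) == 24:
        kind = "NTLMv1"
    elif len(nt_resp) > 24:
        kind = "NTLMv2"
    else:
        kind = "no NT response"
    return {"user": user, "domain": domain, "workstation": workstation,
            "len1": len(lm_resp), "len2": len(nt_resp), "kind": kind}


def samba_log_line(fields):
    """Render the fields the way ntlmssp_server_auth() prints them in the thread's logs."""
    return "Got user=[%s] domain=[%s] workstation=[%s] len1=%d len2=%d" % (
        fields["user"], fields["domain"], fields["workstation"],
        fields["len1"], fields["len2"])


def build_type3(user, domain, workstation, lm_resp, nt_resp,
                flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Assemble a Type 3 message (used here only to construct sample input)."""
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    # Payload order mirrors the header field order; the last (empty) item is the
    # encrypted session key, which is absent without NTLMSSP_NEGOTIATE_KEY_EXCH.
    items = [lm_resp, nt_resp, domain.encode(enc), user.encode(enc),
             workstation.encode(enc), b""]
    header = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
    payload, offset = b"", HEADER_LEN
    for item in items:
        header += struct.pack("<HHI", len(item), len(item), offset)
        payload += item
        offset += len(item)
    return header + struct.pack("<I", flags) + payload


# Constructed samples. The v1 message reproduces the shape behind the thread's
# "len1=24 len2=24" line; the v2 message carries a 16-byte HMAC plus a 32-byte blob.
V1_MESSAGE = build_type3("IANB", "MASTERMIND", "IANB", b"\x11" * 24, b"\x22" * 24)
V2_MESSAGE = build_type3("IANB", "MASTERMIND", "IANB", b"\x11" * 24,
                         b"\x22" * 16 + b"\x01\x01" + b"\x00" * 6 + b"\x33" * 8
                         + b"\x44" * 8 + b"\x00" * 4 + b"\x00" * 4)

if __name__ == "__main__":
    for sample in (V1_MESSAGE, V2_MESSAGE):
        fields = parse_type3(sample)
        print(samba_log_line(fields), "->", fields["kind"])
```

Feeding the helper's `-d9` trace through this on a real capture shows whether the browser ever produced a v2 response; if it still shows `len2=24` with use_ntlm_negotiate on, the client side, not the helper, chose NTLMv1.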
RE: [squid-users] Urgent Samba / Squid NTLM Auth Problems
Hi all,

I'm currently working on this problem with Ian. It seems like ntlm_auth is handling the requests fine:

    [EMAIL PROTECTED] /usr/local/bin # ./ntlm_auth --username=ianb --configfile=/usr/local/etc/smb.conf
    password:
    NT_STATUS_OK: Success (0x0)

It also works through squid when using wget:

    [2005/11/08 17:15:09, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
    NT_STATUS_OK: Success (0x0)

Note that it says check_plaintext_auth though; when using a browser (e.g. IE) we see the following messages:

    [2005/11/08 15:16:36, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
    Got user=[IANB] domain=[MASTERMIND] workstation=[IANB] len1=24 len2=24
    [2005/11/08 15:16:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
    Login for user [EMAIL PROTECTED] failed due to [Wrong Password]

Why is it using a different method? It seems like the problem only occurs when it doesn't use check_plaintext_auth. Is there anything we can do to learn more?

Thanks for all the help so far
Dave
[squid-users] Urgent Samba / Squid NTLM Auth Problems
Hi,

We are having problems setting up a squid cache server to use NTLMv2 authentication to authenticate users against AD. We have narrowed the problems down to being a problem between samba and squid when using NTLMv2. It constantly moans about the password being wrong when using squid, but doing a direct samba auth works fine. We have (we believe) narrowed it down to this: the domain requires client ntlmv2 = yes in samba to work - however it seems ntlm_auth does not support this!

Our process was as follows. On the domain controller, we set the Network Security: LAN Manager authentication level properties option to be Send NTLM response only. We then set smb.conf to look something like this:

    [global]
    winbind separator = +
    winbind cache time = 10
    workgroup = DOMAIN
    security = ads
    winbind uid = 1-2
    winbind gid = 1-2
    winbind use default domain = yes
    #realm = S058DS1001001.DOMAIN.COM
    #client ntlmv2 auth = yes
    log file = /var/log/log.%m

That works; when joining the domain we can see the users, groups etc. Some of the commands we ran:

    [EMAIL PROTECTED] ~ # wbinfo -a Proxy2%Password_1
    plaintext password authentication succeeded
    challenge/response password authentication succeeded
    [EMAIL PROTECTED] ~ # wbinfo -t
    checking the trust secret via RPC calls succeeded

All worked fine, and squid could auth the user as could a wbinfo -a. We then switched the option in AD to Send NTLMv2 response only\refuse LM NTLM and the smb.conf to the following:

    [global]
    winbind separator = +
    winbind cache time = 10
    workgroup = DOMAIN
    security = ads
    winbind uid = 1-2
    winbind gid = 1-2
    winbind use default domain = yes
    realm = S058DS1001001.DOMAIN.COM
    client ntlmv2 auth = yes
    log file = /var/log/log.%m

When we join the domain, it joins fine; we run winbindd and nmbd and we can then look up the users and groups. We can do a net ads testjoin which works fine as well:

    [EMAIL PROTECTED] ~ # net ads testjoin
    Join is OK

Note that client ntlmv2 is on now.

The problem comes in when trying to use squid to do the authentication. We get the following error in the squid log file if we set the authenticator's debugging to level 9:

    [2005/11/07 13:36:35, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
    Got user=[Proxy4] domain=[DOMAIN] workstation=[ianb] len1=24 len2=24
    [2005/11/07 13:36:35, 3] utils/ntlm_auth.c:winbind_pw_check(427)
    Login for user [EMAIL PROTECTED] failed due to [Wrong Password]

If we type in a username that doesn't exist, it complains that the username is invalid, so we know that it has to do with the password. We also know that the password is correct as we tried this numerous times and we also tried copy-pasting the password into the required field.

Our squid.conf looks like this:

    auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d9
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    auth_param ntlm children 2
    auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic -d9
    auth_param basic children 2
    auth_param basic realm Cache NTLM Authentication
    auth_param basic credentialsttl 2 hours

Anyone have any idea as to why that would happen when only using squid? Is there an option that we need to set to make the authenticator use ntlmv2 only, or something like we had to do for samba? Does ntlm_auth not understand the v2 protocol properly?

Onto another question: when I join the domain for the first time, I get this error when trying to do anything besides a wbinfo -u or wbinfo -g. Here are a few examples:

    [EMAIL PROTECTED] ~ # wbinfo -t
    checking the trust secret via RPC calls failed
    error code was NT_STATUS_ACCESS_DENIED (0xc022)
    Could not check secret

And this from the squid log if we try and auth a user:

    [2005/10/31 11:43:36, 0] utils/ntlm_auth.c:winbind_pw_check(427)
    Login for user [EMAIL PROTECTED] failed due to [Access denied]
    [2005/10/31 11:43:36, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
    NTLMSSP BH: NT_STATUS_ACCESS_DENIED

The strange thing is these errors stop happening anywhere between 5 and 15 minutes after joining the domain. Any ideas as to why they are occurring in the first place? Basically: we are able to list users and groups, but wbinfo -t doesn't work until we've been logged on for 5-15 minutes (randomly)?

Thanks in advance,
Ian
Re: [squid-users] Urgent Samba / Squid NTLM Auth Problems
Hi,

At 22.22 07/11/2005, Ian Barnes wrote:

> Our squid.conf looks like this:
>
>     auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d9
>     auth_param ntlm max_challenge_reuses 0
>     auth_param ntlm max_challenge_lifetime 2 minutes
>     auth_param ntlm children 2

I wonder: even though you have done a very detailed report, you haven't read the squid.conf comments before :-)

From 2.5 STABLE12 squid.conf:

    # use_ntlm_negotiate on|off
    # Enables support for NTLM NEGOTIATE packet exchanges with the helper.
    # The configured ntlm authenticator must be able to handle NTLM
    # NEGOTIATE packet. See the authenticator programs documentation if
    # unsure. ntlm_auth from Samba-3.0.2 or later supports the use of this
    # option.
    # The NEGOTIATE packet is required to support NTLMv2 and a
    # number of other negotiable NTLMSSP options, and also makes it
    # more likely the negotiation is successful.

So in squid.conf you need:

    auth_param ntlm use_ntlm_negotiate on

Please note:

    auth_param ntlm children 2

It is a very low value; on a loaded proxy you must set this to a much higher value, such as 20, 30 or more. You must monitor the helpers' usage to find the correct value.

Regards
Guido

--
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/