This is the output of ntlm_auth:
root@proxy:~# ntlm_auth --diagnostic --helper-protocol=squid-2.5-ntlmssp
MTZ\luis.dominguez <my_pass>
BH SPNEGO request invalid prefix
And the output of squid:
ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
Requesting the NT key used by FreeRADIUS (the NT key is not in the output):
root@proxy:~# /usr/bin/ntlm_auth --request-nt-key --username=luis.dominguez
Password:
NT_STATUS_OK: Success (0x0)
---------------------------------------
Regards,
Ing. Luis Felipe Domínguez Vega
Network Administrator, Desoft Matanzas
GNU/Linux Kernel Developer - rtlwifi kernel module
"He is not great who never fails; he is great who never gives up…"
But you probably forgot to set:
ntlm auth = yes
and maybe more. A summary:
This is the full list:
https://wiki.samba.org/index.php/Samba_Features_added/changed_(by_release)
For the complete history, have a look at the X.x.0 release notes:
https://www.samba.org/samba/history/
For the major differences (new features, etc.):
Upgrading samba from 4.4.x => 4.5.x
! remove all idmap config lines from the smb.conf of the DCs.
! run: net cache flush
! Restart samba or reboot the DC
4.4.1 => 4.5.0 : smb.conf changes
https://www.samba.org/samba/history/samba-4.5.0.html
================
Parameter Name              Description       Default
--------------              -----------       -------
kccsrv:samba_kcc            Changed default   yes
ntlm auth                   Changed default   no
only user                   Removed
password hash gpg key ids   New
shadow:snapprefix           New
shadow:delimiter            New               _GMT
smb2 leases                 Changed default   yes
username                    Removed
4.4.0 => 4.4.1 !! YOU MUST READ THIS ONE !! ( lots changed here )
https://www.samba.org/samba/history/samba-4.4.1.html
smb.conf new settings
----------------
Parameter Name + default setting.
-------------
allow dcerpc auth level connect = no
client ipc signing = default
client ipc max protocol = default
client ipc min protocol = default
ldap server require strong auth = yes
raw NTLMv2 auth = no
tls verify peer = as_strict_as_possible
tls priority = NORMAL:-VERS-SSL3.0
4.3.0 => 4.4.0 : smb.conf changes
https://www.samba.org/samba/history/samba-4.4.0.html
smb.conf changes
----------------
Parameter Name                  Description       Default
--------------                  -----------       -------
aio max threads                 New               100
ldap page size                  Changed default   1000
server multi channel support    New               No
interfaces                      Extended syntax
4.2.0 => 4.3.0 : smb.conf changes
https://www.samba.org/samba/history/samba-4.3.0.html
smb.conf changes
----------------
Parameter Name            Description           Default
--------------            -----------           -------
logging                   New                   (empty)
msdfs shuffle referrals   New                   no
smbd profiling level      New                   off
spotlight                 New                   no
tls priority              New                   NORMAL:-VERS-SSL3.0
use ntdb                  Removed
change notify             Changed to [global]
kernel change notify      Changed to [global]
client max protocol       Changed default       SMB3_11
server max protocol       Changed default       SMB3_11
4.1.0 => 4.2.0 : smb.conf changes
https://www.samba.org/samba/history/samba-4.2.0.html
smb.conf changes
----------------
Parameter Name              Description       Default
--------------              -----------       -------
allow nt4 crypto            New               no
neutralize nt4 emulation    New               no
reject md5 client           New               no
reject md5 servers          New               no
require strong key          New               yes
smb2 max read               Changed default   8388608
smb2 max write              Changed default   8388608
smb2 max trans              Changed default   8388608
winbind expand groups       Changed default   0
Greetz,
Louis
> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Luis Felipe
> Dominguez Vega via samba
> Sent: Wednesday 28 December 2016 13:41
> To: sa...@lists.samba.org
> Subject: [Samba] Error with samba update in debian.
>
> Hello, I am a network admin and I have Samba 4 (4.5.2+dfsg-2) running on
> Debian Testing. Before I updated to this version my proxy (squid)
> authenticated with NTLM via ntlm_auth correctly, and the same for my FreeRadius
> server authenticating with winbind. But now with this update I cannot get
> the authentications to work again; when I request the NT_KEY from ntlm_auth it
> does not return that key.
>
> This is the output of ntlm_auth:
>
> root@proxy:~# ntlm_auth --diagnostic --helper-protocol=squid-2.5-ntlmssp
> MTZ\luis.dominguez <my_pass>
> BH SPNEGO request invalid prefix
>
> And the output of squid:
> ERROR: NTLM Authentication validating user. Result: {result=BH,
> notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
>
> Requesting the NT key used by FreeRADIUS (the NT key is not in the output):
>
> root@proxy:~# /usr/bin/ntlm_auth --request-nt-key --username=luis.dominguez
> Password:
> NT_STATUS_OK: Success (0x0)
>
>
> Hai,
> Can you post your smb.conf that helps.
>
> But you probably forgot to set:
> ntlm auth = yes
>
> and maybe more. A summary:
>
> This is the full list:
> https://wiki.samba.org/index.php/Samba_Features_added/changed_(by_release)
>
>
> For the complete history, have a look at the X.x.0 release notes:
> https://www.samba.org/samba/history/
>
> For the major differences (new features, etc.):
>
> Upgrading samba from 4.4.x => 4.5.x
> ! remove all idmap config lines from the smb.conf of the DCs.
> ! run: net cache flush
> ! Restart samba or reboot the DC
>
Nearly correct ;-)
It should be:
If you have 'idmap config' lines in a smb.conf on a DC, remove them.
They had absolutely no effect and did nothing before Samba version
4.5.0; from Samba 4.5.0 they lead to errors.
Rowland
# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local5
full_audit:priority = notice
tls enabled = yes
tls certfile = /var/lib/samba/private/tls/dc-cert.pem
tls keyfile = /var/lib/samba/private/tls/secure/dc-privkey.pem
tls cafile = /var/lib/samba/private/tls/cacert.pem
tls crlfile = /var/lib/samba/private/tls/mtz.desoft.cu.crl
tls dhparams file = /var/lib/samba/private/tls/dc-dhparams.pem
# ntlm auth = yes
# lanman auth = yes
# lanman auth = yes
[netlogon]
path = /var/lib/samba/sysvol/mtz.desoft.cu/scripts
read only = No
vfs objects = full_audit
[sysvol]
path = /var/lib/samba/sysvol
read only = No
vfs objects = full_audit
################################################################################
I tried setting all the commented lines to yes, then systemctl restart samba-ad-dc, but squid still did not authenticate, same errors. Do I need to fully reset the AD server?
When I use negotiate in squid I see this in the squid log:
ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }}
----- Original Message -----
From: "Rowland Penny via samba" <sa...@lists.samba.org>
To: sa...@lists.samba.org
If you mean:
idmap_ldb:use rfc2307 = yes
Then uncomment it, you need this line on a Samba AD DC.
I referred to the 'idmap config' lines you find on a Samba domain
member, i.e. 'idmap config SAMDOM : range = 10000-999999'
These lines do not have and never have had a place on a Samba AD DC.
ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }}
Are there some changes in recent versions about NTLM or the NT KEY or something, so that squid now can interpret the handshakes?
> About the :
>
> > ERROR: Negotiate Authentication validating user. Result: {result=BH,
>
> > notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }}
>
>
>
> I suspect the pc you trying with is not domain joined?
>
> Or you using user@REALM
>
> Can you add '-d' to the auth line of squid and try again and post
> that log.
>
> ( -d = enable debugging )
>
>
>
> Now what I don't know:
>
> A samba DC reported with wbinfo -u : DOMAIN\user
Yes, the DC uses the DOMAIN as part of the username and you cannot turn
it off.
>
> I have in my samba member ( and this is a member only setting )
> winbind enum users = yes
You can also use this line on a DC.
>
> So when I wbinfo -u I see only the usernames.
You will also have this line in your domain members smb.conf:
winbind use default domain = yes
The default is no (i.e. same as a DC)
So, if squid insists on just the username without the DOMAIN, it is (in
my opinion) badly broken and they need to fix it.
root@proxy:~# ntlm_auth --diagnostics --username=luis.dominguez
Password: <correct_password>
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
root@proxy:~# ntlm_auth --username=luis.dominguez
Password: <correct_password>
NT_STATUS_OK: Success (0x0)
root@proxy:~# ntlm_auth --diagnostics --username=luis.dominguez
Password: <bad_password>
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Why does the authentication not work with --diagnostics, and why don't I get the same output with the correct password and an incorrect password?
> The proxy is already in the domain, "wbinfo -u" returns all users from
> the AD, the kinit command with -t /etc/squid/PROXY.keytab is working
> great, but the NTLM phase in the squid log is the same
When is it going to be fully understood that just because 'wbinfo -u'
shows all the users, it doesn't mean that the underlying OS knows them?
What does 'getent passwd a_username' show?
>
> ERROR: Negotiate Authentication validating user. Result: {result=BH,
> notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }}
>
> Are there some changes in recent versions about NTLM or the NT KEY or
> something, so that squid now can interpret the handshakes?
>
The default value of 'ntlm auth' in smb.conf was changed from yes to
no from version 4.5.0.
See the list links.
Greetz,
Louis
> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Rowland Penny via
> samba
> Sent: Wednesday 28 December 2016 16:12
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Error with samba update in debian.
>
> No its a misconfiguration somewhere.
> Squid works fine i have it all running.
> Took me some time to understand things but it works fine now.
>
> See the list links..
>
> Greetz,
>
> Louis
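Louis's point above (the 4.5.0 default for 'ntlm auth' flipped to no, so the commented "# ntlm auth = yes" in the smb.conf posted earlier in this thread sets nothing) can be checked offline with this added example; it is not code from the thread or from Samba. It assumes Samba's parsing rules ('#' and ';' start comments, parameter names are matched ignoring case and whitespace) and uses a constructed config extract modelled on the posted one.

```python
import re

# Defaults changed in the 4.5.0 release notes quoted above ('ntlm auth': yes -> no)
DEFAULTS_4_5 = {"ntlmauth": "no", "smb2leases": "yes", "kccsrv:samba_kcc": "yes"}

def normalize(name):
    """Samba matches parameter names ignoring case and whitespace (assumed here)."""
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return the parameters explicitly set in [global] (or before any section header)."""
    section, params = "global", {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # '#' and ';' both start a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[normalize(name)] = value.strip()
    return params

def effective(params, name):
    """Explicit value if set, otherwise the 4.5.0 default (None if not tracked here)."""
    key = normalize(name)
    return params.get(key, DEFAULTS_4_5.get(key))

def ntlmv1_allowed(text):
    """True only if 'ntlm auth' is effectively yes, i.e. NTLMv1 is still accepted."""
    value = effective(parse_global(text), "ntlm auth")
    return value is not None and value.lower() in ("yes", "true", "1")

# Constructed extract modelled on the DC smb.conf posted in the thread
POSTED = """[global]
    tls enabled = yes
    # ntlm auth = yes
    # lanman auth = yes
[netlogon]
    path = /var/lib/samba/sysvol/mtz.desoft.cu/scripts
    read only = No
"""
# Same config with the line uncommented (odd casing on purpose: Samba does not care)
FIXED = POSTED.replace("# ntlm auth = yes", "NTLM Auth = Yes")

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(f"{label}: ntlm auth = {effective(parse_global(cfg), 'ntlm auth')}, "
              f"NTLMv1 accepted: {ntlmv1_allowed(cfg)}")
```

On a live DC, `testparm -s -v | grep 'ntlm auth'` prints the value Samba actually uses, defaults included.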
OK, I have been looking into this and it seems that squid wants a UPN
like 'HTTP/proxy02.example.com'. The only problem is, (in my
opinion), that is an SPN, so, I repeat, squid is broken.
----- Original Message -----
From: "Rowland Penny via samba" <sa...@lists.samba.org>
To: sa...@lists.samba.org
samba-tool does not set upn but msktutil does set the upn.
So an option for samba-tool to set upn would be nice...
Greetz
Louis
> no thats not it
>
> samba-tool does not set upn but msktutil does set the upn.
>
> So an option for samba-tool to set upn would be nice...
>
>
> Greetz
>
> Louis
Yes it is !!
From my point of view, squid is expecting an SPN, but seems to accept
a UPN. Have you tried using the machine account and adding an SPN to
that ?
Simply put,
- UPN: An entity performing client requests to some service.
Entity may be human or machine.
Source:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms721629(v=vs.85).aspx#_security_user_principal_name_gly
- SPN: An entity processing requests for a specific service, e.g., HTTP, LDAP, SSH, etc.
Entity is machine only.
Source:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms721625(v=vs.85).aspx#_security_service_principal_name_gly
And normally a UPN retrieves a service ticket for an SPN to use that actual service.
Now how is this a squid problem if samba-tool does not give the options to set a UPN for the machine as well?
But this is mainly a Windows KDC and Unix KDC difference, but still.
The result is that in Windows terms we need to set the SPN to a machine UPN, which is always: namehostname$@REALM
Greetz,
Louis
> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Rowland Penny via
> samba
> Sent: Thursday 29 December 2016 11:27
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Error with samba update in debian.
> Hai Rowland,
>
> Simply put,
>
> - UPN: An entity performing client requests to some service.
> Entity may be human or machine.
> Source:
> https://msdn.microsoft.com/en-us/library/windows/desktop/ms721629(v=vs.85).aspx#_security_user_principal_name_gly
>
>
> - SPN: An entity processing requests for a specific service, e.g.,
> HTTP, LDAP, SSH, etc. Entity is machine only.
> Source:
> https://msdn.microsoft.com/en-us/library/windows/desktop/ms721625(v=vs.85).aspx#_security_service_principal_name_gly
>
> And normally a UPN retrieves a service ticket for an SPN to use that
> actual service.
>
> Now how is this a squid problem if samba-tool does not give the
> options to set a UPN for the machine as well? But this is mainly a
> Windows KDC and Unix KDC difference, but still.
>
> The result is that in Windows terms we need to set the SPN to a machine
> UPN, which is always: namehostname$@REALM
>
Quite right, it isn't really a squid problem. Since then, I have taken
a look at the squid code and I cannot find a mention of UPN, but there
are lots of SPN references.
If you look here:
https://msdn.microsoft.com/en-us/library/ms680857%28v=vs.85%29.aspx
You will find this:
By convention, this should map to the user email name.
So by using a UPN instead of an SPN, you are potentially breaking
something.