
[Samba] Samba 4, ntlm_auth testing ...


Dirk Brenken

Jun 9, 2014, 1:30:01 AM
Hi,

currently I've set up Samba 4 (sernet 4.1.8 on debian jessie)
successfully as an AD-Server ... domain logins from WIN-Clients etc. are
working quite fine.
Now I'm trying to test ntlm_auth on the cli for later Squid-integration ...

*wbinfo output:*
wbinfo -a PRAXISAD\\Administrator%xxxxxx
plaintext password authentication succeeded
challenge/response password authentication succeeded

*ntlm_auth with basic helper output:*
root@praxis-server:/etc/squid3# ntlm_auth
--helper-protocol=squid-2.5-basic --domain=PRAXISAD
PRAXISAD\Administrator xxxxxx
*OK*

*ntlm_auth with ntlmssp helper output:*
root@praxis-server:/etc/squid3# ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --domain=PRAXISAD
PRAXISAD\Administrator xxxxxx
*BH SPNEGO request invalid prefix*

*ntlm_auth with gss-spnego helper output:*
root@praxis-server:/etc/squid3# ntlm_auth --helper-protocol=gss-spnego
--domain=PRAXISAD
PRAXISAD\Administrator xxxxxx
*BH SPNEGO request invalid prefix*


Any ideas what's going wrong here?

Thanks & best regards
Dirk
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Dirk Brenken

Jun 9, 2014, 6:50:02 AM
I did further testing directly in SQUID and gss-spnego helper works as
expected - thanks!

br

Dirk Brenken

Jun 9, 2014, 1:50:02 PM
The "--require-membership-of" param of ntlm_auth seems to have no effect.
It's not failing, even if the user is *not* a member of the group!

Example:

SID of Test-User "dirk":
root@praxis-server:/etc/squid3# wbinfo -n dirk
S-1-5-21-3041413330-2355144718-3205532893-1104 SID_USER (1)

SID of Test-Group "Test":
wbinfo -n PRAXISAD\\Test
S-1-5-21-3041413330-2355144718-3205532893-1105 SID_DOM_GROUP (2)

Test-User is only in Group "Domain Users":
root@praxis-server:/etc/squid3# wbinfo --user-domgroups
S-1-5-21-3041413330-2355144718-3205532893-1104
S-1-5-21-3041413330-2355144718-3205532893-513

Result for check against (non-member) Test-Group:
root@praxis-server:/etc/squid3# ntlm_auth
--require-membership-of=S-1-5-21-3041413330-2355144718-3205532893-1105
--helper-protocol=squid-2.5-basic
dirk xxxxxx
OK

Is this a known bug of ntlm_auth (sernet samba 4.1.8)!?

best regards
dirk

Andrew Bartlett

Jun 10, 2014, 5:20:02 AM
I can't reproduce this in our 'make testenv' in git master.

~/samba/config.abartlet && make -j && SELFTEST_TESTENV=s3member make
testenv

[abartlet@jesse samba]$ bin/wbinfo -n administrator
S-1-5-21-2617796569-3988300915-1045095420-500 SID_USER (1)
[abartlet@jesse samba]$ bin/ntlm_auth
--require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-500
--helper-protocol=squid-2.5-basic
SAMBADOMAIN/Administrator locDCpass1
OK
[abartlet@jesse samba]$ bin/ntlm_auth
--require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-5
--helper-protocol=squid-2.5-basic
SAMBADOMAIN/Administrator locDCpass1
ERR
[abartlet@jesse samba]$ bin/ntlm_auth
--require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-512
--helper-protocol=squid-2.5-basic
SAMBADOMAIN/Administrator locDCpass1
OK
[abartlet@jesse samba]$ bin/ntlm_auth
--require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-513
--helper-protocol=squid-2.5-basic
SAMBADOMAIN/Administrator locDCpass1
OK
[abartlet@jesse samba]$ bin/ntlm_auth
--require-membership-of=S-1-5-21-2617796569-3988300915-1045095420-5130
--helper-protocol=squid-2.5-basic
SAMBADOMAIN/Administrator locDCpass1
ERR

Are you sure your user really, really isn't a member of that group,
perhaps as an alias?

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

L.P.H. van Belle

Jun 10, 2014, 5:50:02 AM
Which squid version is used?

There are some known bugs with squid3 and kerberos.

I'm installing the same here atm, I'll check if this also happens for me.
My setup: Debian wheezy, samba from backports 4.1.7, squid 3.3.8-1 recompiled from jessie.
I need 3.3.8-1 at minimum for ssl-bump in squid on one proxy,
but I'll test the other proxy with 3.1.20 which is default wheezy.


Louis


>-----Original message-----
>From: abar...@samba.org [mailto:samba-...@lists.samba.org]
>On behalf of Andrew Bartlett
>Sent: Tuesday, June 10, 2014 11:19
>To: Dirk Brenken
>CC: sa...@lists.samba.org
>Subject: Re: [Samba] Samba 4, ntlm_auth testing ...

Dirk Brenken

Jun 10, 2014, 10:20:02 AM
Hi Andrew,

thanks for looking into this ... it's still reproducible in my environment:

Set up a new/empty group in Windows AD (with Windows Remote Admin Tools):
wbinfo -n Empty
S-1-5-21-3041413330-2355144718-3205532893-1107 SID_DOM_GROUP (2)

Test-User:
root@praxis-server:/var/log/samba# wbinfo -n dirk
S-1-5-21-3041413330-2355144718-3205532893-1104 SID_USER (1)

Group listing for Test-User:
root@praxis-server:/var/log/samba# wbinfo --user-domgroups
S-1-5-21-3041413330-2355144718-3205532893-1104
S-1-5-21-3041413330-2355144718-3205532893-513

Test-User is only member of "Domain Users":
root@praxis-server:/var/log/samba# wbinfo -n "Domain Users"
S-1-5-21-3041413330-2355144718-3205532893-513 SID_DOM_GROUP (2)

Finally let ntlm_auth check against empty group "Empty" ;-):
root@praxis-server:/var/log/samba# ntlm_auth
--require-membership-of=S-1-5-21-3041413330-2355144718-3205532893-1107
--helper-protocol=squid-2.5-basic
PRAXISAD\dirk xxxxxx
Got 'PRAXISAD\dirk xxxxxx' from squid (length: 22).
NT_STATUS_OK: Success (0x0)
OK


As you can see, user "dirk" still got an "OK" for an empty group. Maybe
you have an idea for further testing or additional checks ...

Thanks & best regards
Dirk

P.S. SAMBA and SQUID are running on the same server test environment.
P.P.S. Some version information ...

root@praxis-server:/etc/samba# uname -a
Linux praxis-server 3.14-1-amd64 #1 SMP Debian 3.14.4-1 (2014-05-13)
x86_64 GNU/Linux

root@praxis-server:/etc/samba# ntlm_auth --version
Version 4.1.8-SerNet-Debian-8.wheezy

root@praxis-server:/etc/samba# squid3 -version
Squid Cache: Version 3.3.8
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--disable-silent-rules' '--datadir=/usr/share/squid3'
'--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-auth-ntlm=fake,smb_lm'
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-ecap'
'--disable-translation' '--with-swapdir=/var/spool/squid3'
'--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--enable-linux-netfilter'
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall'
'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now'
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security'

Garming Sam

Jun 10, 2014, 10:50:02 PM
Hi there,

I'm helping out Andrew, seeing if I can replicate this issue.

Using the same command as Andrew did previously, with samba 4.1.8 I get
the same results as him.

SELFTEST_TESTENV=s3member make testenv


Would it be possible to generate level 10 logs for ntlm_auth and
winbindd? They should be able to give a much better idea of what's
actually going on. If you'd prefer, you can send the logs directly to
me or Andrew instead of posting them to the list.



Cheers,

Garming Sam

Dirk Brenken

Jun 12, 2014, 6:10:04 PM
Hi,

currently I've set up Samba 4 (sernet 4.1.8 on debian jessie)
successfully as an AD-Server ... domain logins from WIN-Clients etc. are
working quite fine.
Now I'm testing ntlm_auth on the cli for further SQUID integration ...

*wbinfo output:*
wbinfo -a PRAXISAD\\Administrator%xxxxxx
plaintext password authentication succeeded
challenge/response password authentication succeeded

*ntlm_auth with basic helper output:*
root@praxis-server:/etc/squid3# ntlm_auth
--helper-protocol=squid-2.5-basic --domain=PRAXISAD
PRAXISAD\Administrator xxxxxx
*OK*

*ntlm_auth with ntlmssp helper output:*
root@praxis-server:/etc/squid3# ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --domain=PRAXISAD
PRAXISAD\Administrator xxxxxx
*BH SPNEGO request invalid prefix*

*ntlm_auth with gss-spnego helper output:*
root@praxis-server:/etc/squid3# ntlm_auth --helper-protocol=gss-spnego
--domain=PRAXISAD
PRAXISAD\Administrator xxxxxx
*BH SPNEGO request invalid prefix*


Any ideas what's going wrong here?

Thanks & best regards
Dirk

Garming Sam

Jun 29, 2014, 6:40:02 PM
Hi there,

Apparently, the issue is actually a known failure. The current winbind
code, which is used in the AD-DC only, doesn't handle the
require-membership-of flag.
We're attempting to get this changed, but there's still a good
deal of work to be done.

In the meantime, you should use ntlm_auth on a member server.


Thanks,

Garming Sam
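The thread ends with the finding that the AD DC's winbind silently ignores --require-membership-of, so a proxy that relies on that flag as its authorization gate gets "OK" for every user with a valid password. The script below is an added example (not code from this thread, from Dirk's setup or from Samba) that makes the symptom Dirk reproduced and Andrew tested detectable: it computes the expected answer independently from the group SIDs that `wbinfo --user-domgroups` returns and compares it with what the helper actually said, so a deployment test fails loudly instead of passing on an unenforced check. The SIDs are the ones quoted in the thread; `sample_domgroups` is a constructed stand-in for real wbinfo output so the script runs offline, and the `REQUIRED_SID` / `PASSWORD` variables and the live `ntlm_auth` call at the end are hypothetical and only run when winbind is actually installed.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: independent group-membership
# check plus a negative test that detects --require-membership-of not being
# enforced (the AD DC winbind behaviour described in the thread).

# Constructed sample: the SIDs `wbinfo --user-domgroups <user SID>` printed for
# user "dirk" in the thread (the user's own SID, then Domain Users, RID 513).
sample_domgroups() {
    printf '%s\n' \
        'S-1-5-21-3041413330-2355144718-3205532893-1104' \
        'S-1-5-21-3041413330-2355144718-3205532893-513'
}

# sid_is_member GROUP_LIST SID: succeed only if SID is a whole line of GROUP_LIST.
# -x avoids prefix matches (RID 513 must not match RID 5130), -F avoids regex.
sid_is_member() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# expected_helper_result GROUP_LIST REQUIRED_SID: what a helper that really
# enforces --require-membership-of must answer for a correct password.
expected_helper_result() {
    if sid_is_member "$1" "$2"; then echo OK; else echo ERR; fi
}

# verify_enforcement ACTUAL EXPECTED: classify the helper's answer.
# "NOT ENFORCED" is the thread's symptom: OK for a user outside the group.
verify_enforcement() {
    if [ "$1" = "$2" ]; then
        echo enforced
    elif [ "$1" = OK ] && [ "$2" = ERR ]; then
        echo "NOT ENFORCED"
    else
        echo mismatch
    fi
}

# Offline demonstration with the constructed sample.
group_sids=$(sample_domgroups)
empty_group='S-1-5-21-3041413330-2355144718-3205532893-1107'   # "Empty" group in the thread
domain_users='S-1-5-21-3041413330-2355144718-3205532893-513'
echo "expected for Domain Users: $(expected_helper_result "$group_sids" "$domain_users")"
echo "expected for Empty:        $(expected_helper_result "$group_sids" "$empty_group")"
# The AD DC helper in the thread answered OK for the empty group:
echo "AD DC helper said OK:      $(verify_enforcement OK "$(expected_helper_result "$group_sids" "$empty_group")")"

# Live check, only when winbind/ntlm_auth exist. REQUIRED_SID and PASSWORD are
# hypothetical environment variables the operator supplies; the basic helper
# reads "user password" lines on stdin and prints OK or ERR (tail keeps the verdict
# if debug output is mixed in).
if command -v wbinfo >/dev/null 2>&1 && [ -n "${REQUIRED_SID:-}" ] && [ -n "${PASSWORD:-}" ]; then
    user_sid=$(wbinfo -n dirk | cut -d' ' -f1)
    live_groups=$(wbinfo --user-domgroups "$user_sid")
    actual=$(printf 'PRAXISAD\\dirk %s\n' "$PASSWORD" |
        ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="$REQUIRED_SID" |
        tail -n 1)
    echo "live result: $(verify_enforcement "$actual" "$(expected_helper_result "$live_groups" "$REQUIRED_SID")")"
fi
```

Run it as a pre-deployment check on the host that will serve Squid: on a member server, the live result for a group the test user is not in should read "enforced" (helper ERR, expected ERR); on an AD DC with the behaviour described above it reads "NOT ENFORCED", which is the signal to move the helper to a member server or to enforce group membership in Squid with an external ACL instead of trusting the flag.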