Bug 10016 - NTLM authentication fails.
Summary: NTLM authentication fails.
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Winbind
Version: 4.0.6
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2013-07-13 20:44 UTC by David Woodhouse
Modified: 2016-05-09 15:58 UTC

Attachments
Test patch for master (also applies to 4.0.x, 4.1.x, 4.2.x). (1.16 KB, patch)
2015-03-04 22:53 UTC, Jeremy Allison
truncated NTLM capture (1.36 KB, application/octet-stream)
2015-03-05 00:55 UTC, David Woodhouse
git-am fix for master. (5.92 KB, patch)
2015-03-09 21:30 UTC, Jeremy Allison
jra: review? (abartlet)
jra: review? (idra)
jra: review? (ddiss)
obnox: review+
git-am cherry-pick from master for 4.2.next, 4.1.next, 4.0.next. (6.26 KB, patch)
2015-03-19 16:46 UTC, Jeremy Allison
obnox: review+

Description David Woodhouse 2013-07-13 20:44:20 UTC
If I *disable* ntlm_auth and let firefox present a password dialog, I can connect to this site. But if I let firefox use ntlm_auth, it fails thus:

YR TlRMTVNTUAABAAAABYIIYAMAAwAgAAAADgAOACMAAABHRVJEV09PREhPVS1NT0JMNQ==
NTLMSSP challenge
TT TlRMTVNTUAACAAAAAAAAAAAAAAABAgAAVu8jMC5Zq7g=
Got 'TT TlRMTVNTUAACAAAAAAAAAAAAAAABAgAAVu8jMC5Zq7g=' from squid (length: 47).
got NTLMSSP packet:
BH NT_STATUS_UNSUCCESSFUL
NTLMSSP BH: NT_STATUS_UNSUCCESSFUL

[2013/07/13 21:46:06.639433, 10, pid=2630, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:677(process_request)
  process_request: request fn NTLMAUTH
[2013/07/13 21:46:06.639502,  3, pid=2630, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ccache_access.c:195(winbindd_ccache_ntlm_auth)
  [ 3011]: perform NTLM auth on behalf of user GER\dwoodhou
[2013/07/13 21:46:06.639536, 10, pid=2630, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ccache_access.c:255(winbindd_ccache_ntlm_auth)
  winbindd_dual_ccache_ntlm_auth: found ccache [GER\dwoodhou]
[2013/07/13 21:46:06.639559, 10, pid=2630, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ccache_access.c:37(client_can_access_ccache_entry)
  Access granted to uid 1000
[2013/07/13 21:46:06.639786,  1, pid=2630, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ccache_access.c:126(do_ntlm_auth_with_stored_pw)
  We didn't get a response to the challenge! [NT_STATUS_INVALID_PARAMETER]
[2013/07/13 21:46:06.639841, 10, pid=2630, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
Comment 1 David Woodhouse 2013-07-13 20:54:25 UTC
When firefox does it manually it looks like this:

Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=

WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAAAAAAAABAgAA1neUhV5iLeo=

Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGgAAAAYABgAgAAAAAYABgBAAAAAEAAQAEYAAAASABIAVgAAAAAAAAAAAAAAAQIAAEcARQBSAGQAdwBvAG8AZABoAG8AdQBzAGgAaQBuAHkAYgBvAG8AawDMeQWe+bbvUabrRFEGq9HaRHwUKrISeqLMeQWe+bbvUabrRFEGq9HaRHwUKrISeqI=
Comment 2 David Woodhouse 2014-08-11 13:03:55 UTC
The issue here is that the challenge message is only 32 bytes. The 'reserved' and 'target_info' fields are missing entirely. We fixed this in gss-ntlmssp thus:

https://git.fedorahosted.org/cgit/gss-ntlmssp.git/commit/?id=fd4464077
Comment 3 Jeremy Allison 2014-08-11 16:22:13 UTC
Thanks for continuing to work on this... If I don't get to it in a reasonable timeframe please ping me :-).
Comment 4 David Woodhouse 2015-03-04 10:48:12 UTC
Ping. Still seeing this. With Simo's GSS-NTLMSSP and some MIT krb5 fixes to handle Kerberos->NTLM fallback better, we finally have single-sign-on working quite nicely from Linux clients to most services. Except the ones that do this...
Comment 5 Jeremy Allison 2015-03-04 22:53:31 UTC
Created attachment 10817 [details]
Test patch for master (also applies to 4.0.x, 4.1.x, 4.2.x).

If I'm not mistaken this should fix it - yes ? Can you test this and let me know ?

Jeremy.
Comment 6 David Woodhouse 2015-03-05 00:39:10 UTC
That works; thanks. I also needed to set 'client NTLMv2 auth = no' to cope with this particular server. Yes, they do the equivalent on all our Windows boxes!

We also want the same change in source3/libsmb/ntlmssp.c as well, yes? (I actually tested with both changed, FWIW).
Comment 7 Jeremy Allison 2015-03-05 00:41:36 UTC
Can you upload a wireshark trace showing the truncated challenge message ? Might help if I get pushback for removing the unused fields.
Comment 8 Jeremy Allison 2015-03-05 00:41:58 UTC
I forgot about source3/libsmb/ntlmssp.c, I'll create a patch that does both :-).
Comment 9 David Woodhouse 2015-03-05 00:55:54 UTC
Created attachment 10818 [details]
truncated NTLM capture

You already have the base64 challenge; this is just a trick to get me to admit that this crappy server is doing it in HTTP not HTTPS and thus a packet capture is even viable. But sure, I have no shame...

(This one is actually different and has 40 bytes in the challenge, not only 32. I think the original server I saw this with has now been decommissioned.)
Comment 10 Jeremy Allison 2015-03-09 21:30:02 UTC
Created attachment 10834 [details]
git-am fix for master.

OK, here is the proposed patch I'd like to add to master - if you (David) can confirm it works for you.

Does the full parse first, then only falls back to short parse if full parse fails. That way we get log data on which servers are failing this.

Cheers,

Jeremy.
Comment 11 Jeremy Allison 2015-03-12 14:22:36 UTC
David - ping - can you confirm the modified patch still works for you ?
Comment 12 David Woodhouse 2015-03-12 15:38:30 UTC
Apologies for the delay. Yes, that appears to work. You still want to patch the s3 version too though, right?
Comment 13 Jeremy Allison 2015-03-18 18:07:14 UTC
(In reply to David Woodhouse from comment #12)

That's a 2 entry git-am patch that does fix both source4 and source3.
Comment 14 Jeremy Allison 2015-03-18 18:07:39 UTC
Comment on attachment 10834 [details]
git-am fix for master.

Widening the review requests as it's being ignored :-).
Comment 15 Michael Adam 2015-03-19 08:13:49 UTC
Comment on attachment 10834 [details]
git-am fix for master.

LGTM
Comment 16 Michael Adam 2015-03-19 08:14:28 UTC
pushing to master.
Comment 17 Jeremy Allison 2015-03-19 16:28:24 UTC
Comment on attachment 10834 [details]
git-am fix for master.

Thanks Michael. I'll cherry-pick for 4.2.x and below now.
Comment 18 Jeremy Allison 2015-03-19 16:46:31 UTC
Created attachment 10891 [details]
git-am cherry-pick from master for 4.2.next, 4.1.next, 4.0.next.

Michael, here's the cherry-pick that applies cleanly to 4.2.next, 4.1.next, 4.0.next.
Comment 19 Michael Adam 2015-03-19 17:15:58 UTC
Comment on attachment 10891 [details]
git-am cherry-pick from master for 4.2.next, 4.1.next, 4.0.next.

ACK.

We should push to 4.2 and 4.1.

4.0 is security-only
Comment 20 Michael Adam 2015-03-19 17:16:34 UTC
Karolin, please push to 4.2 and 4.1.

Thanks - Michael
Comment 21 Jeremy Allison 2015-03-19 17:35:18 UTC
Ah I'd forgotten 4.0.x was security-only. How fast things change. 4.2.x, 4.1.x is fine. Thanks !
Comment 22 Ira Cooper 2015-03-19 17:45:47 UTC
(In reply to Jeremy Allison from comment #21)
Pardon,

Isn't authentication failure usually a security issue?
Comment 23 Jeremy Allison 2015-03-19 17:47:09 UTC
Not when it's authentication fail closed, not authentication fail open, for a server that's returning invalid data :-).

i.e. we're not getting a CVE for this, nor should we :-).
Comment 24 Karolin Seeger 2015-03-23 20:16:24 UTC
Pushed to autobuild-v4-[1|2]-test.
Comment 25 Karolin Seeger 2015-03-27 20:04:14 UTC
(In reply to Karolin Seeger from comment #24)
Pushed to both branches.
Closing out bug report.

Thanks!
Comment 26 David Woodhouse 2016-04-06 14:42:33 UTC
Hm, did this regress? Fedora just shipped 4.3.6 and I'm now seeing...

 $ /usr/bin/ntlm_auth --helper-protocol ntlmssp-client-1 --use-cached-creds --username dwoodhou 
YR
Got 'YR' from squid (length: 2).
got NTLMSSP packet:
YR TlRMTVNTUAABAAAABYIIYAMAAwAgAAAADgAOACMAAABHRVJEV09PREhPVS1MSU5VWA==
NTLMSSP challenge
TT TlRMTVNTUAACAAAAAAAAACgAAAABggAAVEkZgItbp3sAAAAAAAAAAA==
Got 'TT TlRMTVNTUAACAAAAAAAAACgAAAABggAAVEkZgItbp3sAAAAAAAAAAA==' from squid (length: 59).
got NTLMSSP packet:
BH NT_STATUS_UNSUCCESSFUL
NTLMSSP BH: NT_STATUS_UNSUCCESSFUL
Comment 27 David Woodhouse 2016-04-06 14:50:25 UTC
Apologies, it didn't regress. I just ended up with 'client NTLMv2 auth = true' in my configuration due to other testing and had only just restarted. The target info missing from this host's challenge is *required* for NTLMv2, of course.

Sorry for the noise.
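
Added example (not part of the bug thread and not Samba's patch): a Python parser that follows the order described in comment 10, full parse first and short parse as the fallback, and applies the NTLMv2 constraint from comment 27 to the two challenge blobs quoted on this page. The field layout is the MS-NLMP CHALLENGE_MESSAGE structure; the function, constant and dictionary key names are hypothetical.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
# CHALLENGE_MESSAGE fixed fields (MS-NLMP layout): signature(8) type(4)
# target_name len/maxlen/offset(8) flags(4) server_challenge(8) = 32 bytes,
# then reserved(8) = 40 bytes, then target_info len/maxlen/offset(8) = 48.
SHORT_LEN, RESERVED_END, FULL_LEN = 32, 40, 48

# Challenges quoted in this bug report (description and comment 26).
PAGE_32 = "TlRMTVNTUAACAAAAAAAAAAAAAAABAgAAVu8jMC5Zq7g="
PAGE_40 = "TlRMTVNTUAACAAAAAAAAACgAAAABggAAVEkZgItbp3sAAAAAAAAAAA=="


def _slice(msg: bytes, off: int, length: int, what: str) -> bytes:
    """Return msg[off:off+length], refusing fields that point outside the message."""
    if length and off + length > len(msg):
        raise ValueError(f"{what} points past end of message")
    return msg[off:off + length] if length else b""


def parse_challenge(b64: str) -> dict:
    """Try the full header first; fall back to the short form if it is truncated."""
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < SHORT_LEN:
        raise ValueError("too short to carry a server challenge")
    sig, mtype, tn_len, _tn_max, tn_off, flags, chal = struct.unpack_from(
        "<8sIHHII8s", msg)
    if sig != SIGNATURE or mtype != 2:
        raise ValueError("not an NTLMSSP CHALLENGE message")
    out = {"length": len(msg), "parse": "short", "flags": flags,
           "server_challenge": chal.hex(),
           "target_name": _slice(msg, tn_off, tn_len, "target_name"),
           "has_reserved": len(msg) >= RESERVED_END, "target_info": b""}
    if len(msg) >= FULL_LEN:
        ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, RESERVED_END)
        out["target_info"] = _slice(msg, ti_off, ti_len, "target_info")
        out["parse"] = "full"
    # Comment 27: NTLMv2 requires the target info, so a challenge without it
    # can only be answered when 'client NTLMv2 auth' is off (comment 6).
    out["ntlmv2_possible"] = bool(out["target_info"])
    return out


if __name__ == "__main__":
    for name, blob in (("32-byte", PAGE_32), ("40-byte", PAGE_40)):
        print(name, parse_challenge(blob))
```

Both blobs from the page take the short path: the first stops after the server challenge, the second carries the reserved field but no target_info fields.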
Comment 28 David Woodhouse 2016-05-09 13:33:21 UTC
And in 4.3.8 it did indeed regress...


YR
Got 'YR' from squid (length: 2).
YR TlRMTVNTUAABAAAABYIIYgAAAAAoAAAAAAAAACgAAAAGAQAAAAAADw==
TT TlRMTVNTUAACAAAAAAAAACgAAAABggAA5lNkQwhRf+wAAAAAAAAAAA==
Got 'TT TlRMTVNTUAACAAAAAAAAACgAAAABggAA5lNkQwhRf+wAAAAAAAAAAA==' from squid (length: 59).

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff511e38f in _IO_vfprintf_internal (s=s@entry=0x7fffffffca60, 
    format=<optimized out>, 
    format@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7fffffffcbf8) at vfprintf.c:1631
1631		  process_string_arg (((struct printf_spec *) NULL));

More details at https://bugzilla.redhat.com/show_bug.cgi?id=1334356
Comment 29 Stefan Metzmacher 2016-05-09 15:58:26 UTC
(In reply to David Woodhouse from comment #28)

https://bugzilla.samba.org/show_bug.cgi?id=11912 tracks the new bug