Bug 10223 - ntlm_auth does not admit that authentication is done.
ntlm_auth does not admit that authentication is done.
Status: RESOLVED FIXED
Product: Samba 4.0
Classification: Unclassified
Component: Tools
4.0.9
All All
: P5 normal
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-23 16:14 UTC by David Woodhouse
Modified: 2016-05-05 09:55 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description David Woodhouse 2013-10-23 16:14:45 UTC
$ /usr/bin/ntlm_auth --helper-protocol ntlmssp-client-1 --use-cached-creds --username dwoodhou
TT
Got 'TT' from squid (length: 2).
got NTLMSSP packet:
YR TlRMTVNTUAABAAAABYIIYAMAAwAgAAAADgAOACMAAABHRVJEV09PREhPVS1NT0JMNQ==
NTLMSSP challenge
TT TlRMTVNTUAACAAAABgAGADgAAAAFgoliDM4EybrHiSMAAAAAAAAAALQAtAA+AAAABQLODgAAAA9BAE0AUgACAAYAQQBNAFIAAQAYAEYATQBTAEUAUwBQAFIAQQBVAFAAMAAxAAQAJABhAG0AcgAuAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQADAD4AZgBtAHMAZQBzAHAAcgBhAHUAcAAwADEALgBhAG0AcgAuAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQAFABwAYwBvAHIAcAAuAGkAbgB0AGUAbAAuAGMAbwBtAAAAAAA=
Got 'TT TlRMTVNTUAACAAAABgAGADgAAAAFgoliDM4EybrHiSMAAAAAAAAAALQAtAA+AAAABQLODgAAAA9BAE0AUgACAAYAQQBNAFIAAQAYAEYATQBTAEUAUwBQAFIAQQBVAFAAMAAxAAQAJABhAG0AcgAuAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQADAD4AZgBtAHMAZQBzAHAAcgBhAHUAcAAwADEALgBhAG0AcgAuAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQAFABwAYwBvAHIAcAAuAGkAbgB0AGUAbAAuAGMAbwBtAAAAAAA=' from squid (length: 327).
got NTLMSSP packet:
KK TlRMTVNTUAADAAAAGAAYAEAAAADgAOAAWAAAAAYABgA4AQAAEAAQAD4BAAAcABwATgEAABAAEABqAQAABYIIYJMrcP29otqNLh93bugxB1E7LhgJI/qHkL6GJgz5MZLHxm3aqekoYDgBAQAAAAAAAACl39QK0M4BJl88dIzDmasAAAAAAgAGAEEATQBSAAEAGABGAE0AUwBFAFMAUABSAEEAVQBQADAAMQAEACQAYQBtAHIALgBjAG8AcgBwAC4AaQBuAHQAZQBsAC4AYwBvAG0AAwA+AGYAbQBzAGUAcwBwAHIAYQB1AHAAMAAxAC4AYQBtAHIALgBjAG8AcgBwAC4AaQBuAHQAZQBsAC4AYwBvAG0ABQAcAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQAAAAAARwBFAFIAZAB3AG8AbwBkAGgAbwB1AEQAVwBPAE8ARABIAE8AVQAtAE0ATwBCAEwANQBP+ndpb7r4eN4Nf7DIjXXG
NTLMSSP challenge
GK
Got 'GK' from squid (length: 2).
Requested session key
BH
Comment 1 David Woodhouse 2013-10-23 16:16:04 UTC
But if I continue after that, and try again, it works...

NTLMSSP challenge
TT
Got 'TT' from squid (length: 2).
got NTLMSSP packet:
BH NT_STATUS_UNSUCCESSFUL
NTLMSSP BH: NT_STATUS_UNSUCCESSFUL
TT
Got 'TT' from squid (length: 2).
got NTLMSSP packet:
KK TlRMTVNTUAABAAAABYIIYAMAAwAgAAAADgAOACMAAABHRVJEV09PREhPVS1NT0JMNQ==
NTLMSSP challenge
TT TlRMTVNTUAACAAAABgAGADgAAAAFgoliDM4EybrHiSMAAAAAAAAAALQAtAA+AAAABQLODgAAAA9BAE0AUgACAAYAQQBNAFIAAQAYAEYATQBTAEUAUwBQAFIAQQBVAFAAMAAxAAQAJABhAG0AcgAuAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQADAD4AZgBtAHMAZQBzAHAAcgBhAHUAcAAwADEALgBhAG0AcgAuAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQAFABwAYwBvAHIAcAAuAGkAbgB0AGUAbAAuAGMAbwBtAAAAAAA=
Got 'TT TlRMTVNTUAACAAAABgAGADgAAAAFgoliDM4EybrHiSMAAAAAAAAAALQAtAA+AAAABQLODgAAAA9BAE0AUgACAAYAQQBNAFIAAQAYAEYATQBTAEUAUwBQAFIAQQBVAFAAMAAxAAQAJABhAG0AcgAuAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQADAD4AZgBtAHMAZQBzAHAAcgBhAHUAcAAwADEALgBhAG0AcgAuAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQAFABwAYwBvAHIAcAAuAGkAbgB0AGUAbAAuAGMAbwBtAAAAAAA=' from squid (length: 327).
got NTLMSSP packet:
AF TlRMTVNTUAADAAAAAAAAAEAAAAAAAAAAQAAAAAYABgBAAAAAEAAQAEYAAAAcABwAVgAAABAAEAByAAAABYIAYEcARQBSAGQAdwBvAG8AZABoAG8AdQBEAFcATwBPAEQASABPAFUALQBNAE8AQgBMADUAJ+0nfBsXNMHVbD7DtLCy0w==
NTLMSSP OK!
GK
Got 'GK' from squid (length: 2).
Requested session key
GK G+XN+0TY2C8vusRAc2KCAg==
Comment 2 David Woodhouse 2016-05-05 09:55:48 UTC
This got fixed in Samba 4.3.8 (and thus things like Pidgin-SIPE and GSS-NTLMSSP now work nicely). However, it broke Firefox because it didn't expect to see 'AF'. It was *only* accepting the incorrect 'KK' response.

It's trivial to fix in Firefox, and I haven't seen anything else that gets it wrong yet. Most things will accept either KK or AF.

https://bugzilla.mozilla.org/show_bug.cgi?id=1270046 and
https://bugzilla.redhat.com/show_bug.cgi?id=1332875