Bug 10959 - ntlm_auth doesn't work with accounts with spaces
ntlm_auth doesn't work with accounts with spaces
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
4.1.13
All All
: P5 critical
: ---
Assigned To: Samba QA Contact
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-11-24 13:51 UTC by skeletor
Modified: 2018-02-06 10:33 UTC (History)
3 users (show)

See Also:


Attachments
Patch adds new squid helper format syntax and username encoding. (2.36 KB, patch)
2018-02-06 10:33 UTC, Pavel
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description skeletor 2014-11-24 13:51:17 UTC
Hello.
I have DC on Windows 2008 and FreeBSD 8.4 + samba34 + squid 3.1. User's account has a spaces. For example: John Tester, Ivan Porkin. NTLM auth (i use it only for squid) works fine with this user with spaces. But on the new server with FreeBSD 10.1 + squid 3.4 + samba 4.1 it doesn't work. I think, that windind cutting first part of name and leave only last. For example: for user DOMAIN-NAME\John Tester it leaves only Tester. So, user Tester doesn't exist and squid block access at web-browser. Here debug (level 10) on winbind:

[2014/11/24 15:04:56.940948,  3, pid=12732, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam_auth_crap.c:73(winbindd_pam_auth_crap_send)

  [12540]: pam auth crap domain: [DOMAIN-NAME] user: John Tester
...

but some above we have only Tester:

[2014/11/24 15:04:57.138011,  3, pid=12732, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getgroups.c:61(winbindd_getgroups_send)
  getgroups Tester
[2014/11/24 15:04:57.138023,  5, pid=12732, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getgroups.c:74(winbindd_getgroups_send)
  Could not parse domain user: Tester
Comment 1 skeletor 2014-12-04 19:55:45 UTC
Here some comment from squid bugtracker

==>
The Samba helper is not RFC1738-encoding usernames when it delivers them back
to Squid. When the username contains whitespace the --squid-2.5-ntlmssp
response looks identical to a --gss-spnego reponse and Squid's new protocol
backward-compatibility logics cannot distinguish the two.

The best solution would be for the Samba helper to be updated to emit the new
Squid-3.4 protocol syntax for both --gss-spnego and --squid-2.5-ntlmssp modes.
That way the kv-pair make it explicit what each value is.
<==

Does it true?
Comment 2 Pavel 2018-02-06 10:28:38 UTC
Hello.

I'm testing squid 3.5.x with AD using NTLM auth method. I faced same problem. Squid uses ntlm_auth helper provided by samba. When it comes to use accounts with spaces squid helper's handlers truncate such names. For example, let's say we have username "user space". It authenticates correctly but we get corrupted username in squid's logs. Squid cut off part of the name using space as a delimiter, so we get "space" instead of "user space" in logs.

This is an old problem and it was solved by adding url encoding and new helper protocol format in Squid-3.4. Thus, since squid 3.4 there is no problem with usernames containing spaces on the squid's side. Samba's ntlm_auth helper doesn't support that new format.
 
According to the squid documentation: "The interface for all helpers has been extended to support arbitrary lists of key=value pairs, with the syntax  key=value. ... All messages from squid are URL-escaped (the  rfc1738_unescape  from rfc1738.h can be used to decode them. For responses, the safe way is to either URL-escape, or to enclose the value in double_quotes (");...". Samba's ntlm_auth helper has neither url escaping nor quoting when sends response. And that's the problem.

So, adding key-value format support and username escaping to the response code to ntlm_auth helper fixes the problem.
Comment 3 Pavel 2018-02-06 10:33:31 UTC
Created attachment 13942 [details]
Patch adds new squid helper format syntax and username encoding.