The Samba-Bugzilla – Bug 10959
ntlm_auth doesn't work with accounts with spaces
Last modified: 2018-02-06 10:33:31 UTC
I have a DC on Windows 2008 and FreeBSD 8.4 + samba34 + squid 3.1. User accounts have spaces, for example: John Tester, Ivan Porkin. NTLM auth (I use it only for squid) works fine with these users with spaces. But on the new server with FreeBSD 10.1 + squid 3.4 + samba 4.1 it doesn't work. I think that winbind is cutting off the first part of the name and leaving only the last part. For example: for user DOMAIN-NAME\John Tester it leaves only Tester. So user Tester doesn't exist and squid blocks access in the web browser. Here is the debug output (level 10) from winbind:
[2014/11/24 15:04:56.940948, 3, pid=12732, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam_auth_crap.c:73(winbindd_pam_auth_crap_send)
: pam auth crap domain: [DOMAIN-NAME] user: John Tester
but a little above we have only Tester:
[2014/11/24 15:04:57.138011, 3, pid=12732, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getgroups.c:61(winbindd_getgroups_send)
[2014/11/24 15:04:57.138023, 5, pid=12732, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getgroups.c:74(winbindd_getgroups_send)
Could not parse domain user: Tester
Here is a comment from the squid bugtracker:
The Samba helper is not RFC1738-encoding usernames when it delivers them back
to Squid. When the username contains whitespace the --squid-2.5-ntlmssp
response looks identical to a --gss-spnego response and Squid's new protocol
backward-compatibility logic cannot distinguish the two.
The best solution would be for the Samba helper to be updated to emit the new
Squid-3.4 protocol syntax for both --gss-spnego and --squid-2.5-ntlmssp modes.
That way the kv-pairs make it explicit what each value is.
Is this true?
I'm testing squid 3.5.x with AD using the NTLM auth method. I faced the same problem. Squid uses the ntlm_auth helper provided by samba. When it comes to using accounts with spaces, squid's helper handlers truncate such names. For example, let's say we have the username "user space". It authenticates correctly but we get a corrupted username in squid's logs. Squid cuts off part of the name using the space as a delimiter, so we get "space" instead of "user space" in the logs.
This is an old problem and it was solved by adding URL encoding and a new helper protocol format in Squid-3.4. Thus, since squid 3.4 there is no problem with usernames containing spaces on squid's side. Samba's ntlm_auth helper doesn't support that new format.
According to the squid documentation: "The interface for all helpers has been extended to support arbitrary lists of key=value pairs, with the syntax key=value. ... All messages from squid are URL-escaped (the rfc1738_unescape from rfc1738.h can be used to decode them. For responses, the safe way is to either URL-escape, or to enclose the value in double_quotes (");...". Samba's ntlm_auth helper does neither URL escaping nor quoting when it sends a response. And that's the problem.
So, adding key-value format support and username escaping to the response code of the ntlm_auth helper fixes the problem.
Created attachment 13942
Patch adds new squid helper format syntax and username encoding.
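The format collision and the fix discussed in the comments above, as an added example that is not code from Samba, Squid or the attached patch: the two legacy ntlm_auth reply shapes ("AF <user>" for --squid-2.5-ntlmssp, "AF <token> <user>" for --gss-spnego) and the Squid-3.4 key=value reply are modelled from the comments' description, the parsers are a simplified illustration of whitespace splitting versus key=value parsing rather than Squid's real code, and the function names and the sample token are invented here.

```python
"""Added example: model the two Squid auth-helper reply formats discussed
in this bug and show why an unescaped username with a space is mis-split.

Legacy (pre-Squid-3.4) replies as the comments describe them:
  --squid-2.5-ntlmssp success -> "AF <username>"
  --gss-spnego        success -> "AF <base64 token> <username>"
Squid-3.4 key=value reply, values RFC1738-escaped or double-quoted:
  "OK token=<escaped> user=<escaped>"
The parsers are a simplified model for illustration, not Squid's code.
"""
from __future__ import annotations

from urllib.parse import quote, unquote


def legacy_ntlmssp_reply(user: str) -> str:
    """Old --squid-2.5-ntlmssp success reply: username emitted unescaped."""
    return f"AF {user}"


def legacy_spnego_reply(token: str, user: str) -> str:
    """Old --gss-spnego success reply: token and username, unescaped."""
    return f"AF {token} {user}"


def parse_legacy_reply(line: str) -> dict:
    """Whitespace-splitting parser (model of the backward-compat path).
    One field after AF is the user; two fields must be token + user, so a
    username containing a space is indistinguishable from the spnego shape."""
    fields = line.split()
    if not fields or fields[0] != "AF":
        raise ValueError(f"not a success reply: {line!r}")
    rest = fields[1:]
    if len(rest) == 1:
        return {"user": rest[0]}
    if len(rest) == 2:
        return {"token": rest[0], "user": rest[1]}
    raise ValueError(f"unparseable legacy reply: {line!r}")


def kv_reply(user: str, token: str | None = None) -> str:
    """Squid-3.4 style success reply: key=value pairs with RFC1738-escaped
    values, so whitespace inside a value can never act as a separator."""
    pairs = []
    if token is not None:
        pairs.append("token=" + quote(token, safe=""))
    pairs.append("user=" + quote(user, safe=""))
    return "OK " + " ".join(pairs)


def _split_kv_tokens(line: str) -> list[tuple[str, bool]]:
    """Split on whitespace outside double quotes; backslash escapes a char
    inside quotes. Returns (token_text, was_quoted) for each token."""
    tokens, cur, in_quote, quoted = [], [], False, False
    i = 0
    while i < len(line):
        c = line[i]
        if in_quote:
            if c == "\\" and i + 1 < len(line):
                cur.append(line[i + 1])
                i += 1
            elif c == '"':
                in_quote = False
            else:
                cur.append(c)
        elif c == '"':
            in_quote = quoted = True
        elif c.isspace():
            if cur:
                tokens.append(("".join(cur), quoted))
                cur, quoted = [], False
        else:
            cur.append(c)
        i += 1
    if in_quote:
        raise ValueError("unterminated quoted value")
    if cur:
        tokens.append(("".join(cur), quoted))
    return tokens


def parse_kv_reply(line: str) -> dict:
    """Parse 'STATUS key=value ...': URL-unescape bare values, take quoted
    values literally (the two safe forms the Squid docs quoted above allow)."""
    tokens = _split_kv_tokens(line)
    if not tokens:
        raise ValueError("empty reply")
    result = {"status": tokens[0][0]}
    for text, was_quoted in tokens[1:]:
        key, sep, value = text.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed key=value pair: {text!r}")
        result[key] = value if was_quoted else unquote(value)
    return result


def demo(user: str = "John Tester") -> dict:
    """Round-trip one username through both formats; the legacy path loses
    the first name, the key=value path preserves it."""
    legacy = parse_legacy_reply(legacy_ntlmssp_reply(user))
    fixed = parse_kv_reply(kv_reply(user))
    return {"legacy_user": legacy["user"], "fixed_user": fixed["user"]}


if __name__ == "__main__":
    print(demo())
```

Running it shows the symptom from the bug report: the legacy "AF John Tester" is parsed as token "John", user "Tester", exactly the string winbind then fails to parse, while "OK user=John%20Tester" decodes back to the full account name. Quoted values are accepted on the parsing side as the second form the Squid documentation allows, but the emitter uses URL escaping only, since that needs no escaping rules of its own.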