Bug 10959 - ntlm_auth doesn't work with accounts with spaces
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.1.13
Hardware: All All
Importance: P5 critical
Target Milestone: ---
Assigned To: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2014-11-24 13:51 UTC by skeletor
Modified: 2016-03-10 17:55 UTC
Description skeletor 2014-11-24 13:51:17 UTC
Hello.
I have a DC on Windows 2008 and FreeBSD 8.4 + samba34 + squid 3.1. The users' accounts have spaces, for example: John Tester, Ivan Porkin. NTLM auth (I use it only for squid) works fine with these users with spaces. But on the new server with FreeBSD 10.1 + squid 3.4 + samba 4.1 it doesn't work. I think that winbind is cutting the first part of the name and leaving only the last. For example, for user DOMAIN-NAME\John Tester it leaves only Tester. So user Tester doesn't exist and squid blocks access in the web browser. Here is the debug (level 10) output from winbind:

[2014/11/24 15:04:56.940948,  3, pid=12732, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam_auth_crap.c:73(winbindd_pam_auth_crap_send)

  [12540]: pam auth crap domain: [DOMAIN-NAME] user: John Tester
...

but a little above we have only Tester:

[2014/11/24 15:04:57.138011,  3, pid=12732, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getgroups.c:61(winbindd_getgroups_send)
  getgroups Tester
[2014/11/24 15:04:57.138023,  5, pid=12732, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getgroups.c:74(winbindd_getgroups_send)
  Could not parse domain user: Tester
Comment 1 skeletor 2014-12-04 19:55:45 UTC
Here is a comment from the squid bug tracker:

==>
The Samba helper is not RFC1738-encoding usernames when it delivers them back
to Squid. When the username contains whitespace the --squid-2.5-ntlmssp
response looks identical to a --gss-spnego response and Squid's new protocol
backward-compatibility logic cannot distinguish the two.

The best solution would be for the Samba helper to be updated to emit the new
Squid-3.4 protocol syntax for both --gss-spnego and --squid-2.5-ntlmssp modes.
That way the kv-pairs make it explicit what each value is.
<==

Is it true?
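
Added example (not part of the bug report, and not Samba or Squid code): a simplified model of the ambiguity described in the quoted Squid comment, showing how an unencoded username with a space is read as a token plus a user, and how RFC 1738 encoding or kv-pairs avoid that. The function names, the sample account and the sample token are constructed, and `urllib.parse.quote` stands in for the helper's RFC 1738 escaping.

```python
from urllib.parse import quote, unquote

# Constructed sample account, in the form used in the report above.
USER = "DOMAIN-NAME\\John Tester"


def legacy_reply(user, encode):
    """Build a legacy NTLM-style success line: 'AF <user>'."""
    return "AF " + (quote(user, safe="") if encode else user)


def parse_legacy(line):
    """Simplified whitespace-splitting parser for legacy 'AF' lines.

    One field after AF is read as NTLM style (user only); two fields are
    read as Negotiate style (token, then user).
    """
    fields = line.split()
    if len(fields) not in (2, 3) or fields[0] != "AF":
        raise ValueError("unrecognised helper reply: %r" % line)
    token = fields[1] if len(fields) == 3 else None
    return {"token": token, "user": unquote(fields[-1])}


def kv_reply(user, token=None):
    """Build a kv-pair success line: 'OK [token=...] user=...'."""
    pairs = ([("token", token)] if token else []) + [("user", user)]
    return "OK " + " ".join(k + "=" + quote(v, safe="") for k, v in pairs)


def parse_kv(line):
    """Parse a kv-pair line; every value is named, so nothing is guessed."""
    result, *pairs = line.split()
    if result != "OK":
        raise ValueError("unrecognised helper reply: %r" % line)
    return {k: unquote(v) for k, v in (p.split("=", 1) for p in pairs)}


if __name__ == "__main__":
    for reply in (legacy_reply(USER, False), legacy_reply(USER, True)):
        print(reply, "->", parse_legacy(reply))
    print(kv_reply(USER), "->", parse_kv(kv_reply(USER)))
```

In the unencoded case the parsed user is `Tester`, the same truncated name that appears in the `getgroups Tester` log line above.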