Bug 11912 - NTLM Authentication issue
NTLM Authentication issue
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
4.3.9
All Linux
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks: 11914
  Show dependency treegraph
 
Reported: 2016-05-09 14:01 UTC by Paul Strinati
Modified: 2016-05-20 15:09 UTC (History)
5 users (show)

See Also:


Attachments
Possible patch for master (2.19 KB, text/plain)
2016-05-09 15:59 UTC, Stefan Metzmacher
gd: review+
Details
Patch for v4-4-test (2.39 KB, text/plain)
2016-05-10 07:02 UTC, Stefan Metzmacher
gd: review+
asn: review+
Details
Patch for v4-3-test (2.39 KB, text/plain)
2016-05-10 07:02 UTC, Stefan Metzmacher
asn: review+
Details
Patch for v4-2-test (2.39 KB, text/plain)
2016-05-10 07:03 UTC, Stefan Metzmacher
asn: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Paul Strinati 2016-05-09 14:01:04 UTC
Following a recent upgrade, I'm getting NTLM Authentication issues on my Squid proxy server (has been running fine for the last 18 months):

Am running:

Ubuntu Server 14.04.1 LTS
 Winbind: 2:4.3.9+dfsg-0ubuntu0.14.04.1
 Samba: 2:4.3.9+dfsg-0ubuntu0.14.04.1
 Squid3: 3.3.8-1ubuntu6.6

Authenticating against Active Directory - has been working really well for the last 18 months, then stopped working about a week ago.

Errors in cache.log:
 2016/05/09 06:20:07| Too few ntlmauthenticator processes are running (need 1/10)
 2016/05/09 06:20:07| Starting new helpers
 2016/05/09 06:20:07| helperOpenServers: Starting 1/10 'ntlm_auth' processes
 2016/05/09 06:20:07| ERROR: NTLM Authentication Helper '0x7f313ea68318' crashed!.
 2016/05/09 06:20:07| ERROR: NTLM Authentication validating user. Error returned 'BH Internal error'
 2016/05/09 06:20:08| WARNING: ntlmauthenticator #1 exited

Errors in syslog:
 May 9 06:20:09 optsquidproxy kernel: [228590.127125] ntlm_auth[8850]: segfault at 8 ip 00007f201ec729b0 sp 00007ffda249aae8 error 4 in libsamba-security.so.0[7f201ec67000+1b000]

Squid is using pure NTLM authentication (taken from squid.conf):
 ### pure ntlm authentication
 auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
 auth_param ntlm children 10
 auth_param ntlm keep_alive off
Comment 1 Paul Strinati 2016-05-09 14:02:22 UTC
It seems to be affecting multiple users/sites:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1578576
Comment 3 Stefan Metzmacher 2016-05-09 15:59:15 UTC
Created attachment 12089 [details]
Possible patch for master
Comment 4 Guenther Deschner 2016-05-09 16:29:30 UTC
Comment on attachment 12089 [details]
Possible patch for master

LGTM and tested!
Comment 5 Stefan Metzmacher 2016-05-10 07:02:03 UTC
Created attachment 12091 [details]
Patch for v4-4-test
Comment 6 Stefan Metzmacher 2016-05-10 07:02:54 UTC
Created attachment 12092 [details]
Patch for v4-3-test
Comment 7 Stefan Metzmacher 2016-05-10 07:03:32 UTC
Created attachment 12093 [details]
Patch for v4-2-test
Comment 8 Andreas Schneider 2016-05-10 08:59:27 UTC
Karolin, please apply the patches to the relevant branches. Thanks!
Comment 9 David Woodhouse 2016-05-10 10:03:44 UTC
Works for me but appears to be lacking a test case. Should it be rolled into the other tests added as part of bug #11849?
Comment 10 Paul Strinati 2016-05-10 14:31:31 UTC
Just tried pulling the update from Marc Deslaurs' PPA (ppa:mdeslaur/testing) but still getting the same problem. 

After adding the PPA:

sudo apt-get update
sudo apt-get upgrade samba (which brought in all dependencies)

Then rebooted the server for good measure :)

The following error messages were from after the reboot, and I'm still getting issues when trying to authenticate via the squid proxy.


samba:
   Installed: 2:4.3.9+dfsg-0ubuntu0.14.04.2~ppa1
   Candidate: 2:4.3.9+dfsg-0ubuntu0.14.04.2~ppa1
   Version table:
  *** 2:4.3.9+dfsg-0ubuntu0.14.04.2~ppa1 0
         500 http://ppa.launchpad.net/mdeslaur/testing/ubuntu/ trusty/main amd64 Packages
         100 /var/lib/dpkg/status
      2:4.3.9+dfsg-0ubuntu0.14.04.1 0
         500 http://optubunturepository.MYDOMAIN.net/ubuntu/ trusty-updates/main amd64 Packages
         500 http://optubunturepository.MYDOMAIN.net/ubuntu/ trusty-security/main amd64 Packages
      2:4.1.6+dfsg-1ubuntu2 0
         500 http://optubunturepository.MYDOMAIN.net/ubuntu/ trusty/main amd64 Packages

syslog:
 May 10 14:31:11 optsquidproxy kernel: [ 206.928248] ntlm_auth[2264]: segfault at 8 ip 00007f68e2aba9b0 sp 00007fff384ec2c8 error 4 in libsamba-security.so.0[7f68e2aaf000+1b000]

cache.log:
 2016/05/10 14:32:42| WARNING: ntlmauthenticator #1 exited
 2016/05/10 14:32:42| Too few ntlmauthenticator processes are running (need 1/10)
 2016/05/10 14:32:42| Starting new helpers
 2016/05/10 14:32:42| helperOpenServers: Starting 1/10 'ntlm_auth' processes
 2016/05/10 14:32:42| ERROR: NTLM Authentication Helper '0x7f8368efb268' crashed!.
 2016/05/10 14:32:42| ERROR: NTLM Authentication validating user. Error returned 'BH Internal error'
Comment 11 Paul Strinati 2016-05-12 11:56:07 UTC
Yes - I am using

  map to guest = bad user

in my smb.conf

Once I comment this out squid restarts without issues, and no segfaults :)

I'm still using the patched version of Samba provided by Marc D via his testing PPA
Comment 12 Karolin Seeger 2016-05-17 07:53:28 UTC
(In reply to Andreas Schneider from comment #8)
Pushed to autobuild-v4-[4|3|2]-test.
Comment 13 Karolin Seeger 2016-05-18 08:29:04 UTC
(In reply to Karolin Seeger from comment #12)
Pushed to all branches.
Closing out bug report.

Thanks!
Comment 14 Guenther Deschner 2016-05-20 15:09:03 UTC
Comment on attachment 12091 [details]
Patch for v4-4-test

Patch looked good of course :)