Bug 3123 - ntlm_auth blank user name kills winbindd 3.0.20
Summary: ntlm_auth blank user name kills winbindd 3.0.20
Status: ASSIGNED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.20
Hardware: x86 Linux
: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-09-29 03:22 UTC by Andrew
Modified: 2007-06-28 15:40 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew 2005-09-29 03:22:01 UTC 
Winbindd 3.0.20 does not enjoy getting zero length user names from ntlm_auth 
3.0.20 -- after a blank user name winbind no longer responds to ntlm_auth (even 
after restarting ntlm_auth). This makes ntlm_auth rather unstable, because 
people love to enter blank user names. Here's a scriptlet to reproduce the 
error: 
 
# winbind in fg debugging mode, single process, no caching: 
winbindd -i -F -S -d 10 -Y -n 
 
# Try a good password, a blank user, then the same good password 
 { 
  echo angelo password 
  echo ' peep'    # note the blank user name 
  echo angelo password 
 } | ntlm_auth --helper-protocol=squid-2.5-basic 
 
Winbind log for the above at 
ftp://pepper.on.dyn.ledge.co.za/ntlm-auth-kills-winbindd (not for long though) 
 
I've made an *incorrect* workaround patch for ntlm_auth, because I don't know 
how to fix this in winbind: 
 
# this is like a patch, just not as clear ... 
source/utils/ntlm_auth.c ... 
 
        ZERO_STRUCT(request); 
        ZERO_STRUCT(response); 
 
-       fstrcpy(request.data.auth.user, user); 
+       fstrcpy(request.data.auth.user, *user ? user : "BOGUS"); 
        fstrcpy(request.data.auth.pass, pass); 
        if (require_membership_of_sid) 
 
 
That prevents the problem for basic authentication, but does not solve the 
underlying problem with winbind crashing.
Comment 1 Volker Lendecke 2005-09-29 09:09:19 UTC 
Are you using Samba 3.0.14 or less as a Domain Controller? If yes, we have fixed
a bug in winbind after 3.0.20 that would prevent logons after any invalid logon
attempt. Even a wrong password kills the connection to the DC. Your logfile
strongly indicates that this is the case.

If your DC really is 3.0.14, please try the current SAMBA_3_0_RELEASE branch in
subversion, this will be 3.0.20a with the fixes.

Volker
Comment 2 Andrew 2005-09-29 22:55:20 UTC 
The domain controller was upgraded from 3.0.14 to 3.0.20, and following this 
upgrade, it was not possible to run ntlm_auth against it (from the proxy 
server).  While an invalid user name (except '') does not hurt winbindd, a 
valid user name with an invalid password does also cause winbindd to stop 
working.  Is this the same bug?
Comment 3 Volker Lendecke 2005-09-29 23:09:45 UTC 
Hmmm. A 3.0.20 winbind/ntlm_auth is not able to authenticate against a 3.0.20
PDC? I have not seen that yet, the only combination that failed for me is
3.0.20/3.0.earlier. You might try to upgrade both to 3.0.20a that will be
released today.

Volker
Comment 4 Andrew 2005-10-03 06:41:35 UTC 
3.0.20a changes the behaviour to the following: 
 
proxy:~# winbindd -i -F -S -d 10 -Y -n >& x & ntlm_auth 
--helper-protocol=squid-2.5-basic 
[1] 14999 
gooduser goodpassword 
OK 
a b 
ERR 
gooduser goodpassword 
ERR 
 
PDC is Samba 3.0.20 on Debian/amd64 (em64t).   
winbind 3.0.20a log (temporarily) at 
ftp://pepper.on.dyn.ledge.co.za/winbind-crash-3.0.20a
Comment 5 Andrew 2005-10-04 22:30:32 UTC 
I see that in the winbindd log, just before "NT_STATUS_ACCESS_DENIED" the 
following is logged --  
 
 cred_assert 
 	challenge : 0000000000000000  
	calculated: DFE841411FA50F47  
 credentials check wrong 
 DC  sent wrong credentials 
 
Winbind is blaming the DC for the problem, but I reckon that having a zero 
challenge record is a little fishy.  (Thought I'd say, just in case.)