Bug 405 - ntlm_auth --helper-protocol=squid-2.5-ntlmssp fails with NTLMSSP NT_STATUS_ACCESS_DENIED
Summary: ntlm_auth --helper-protocol=squid-2.5-ntlmssp fails with NTLMSSP NT_STATUS_AC...
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.0preX
Hardware: All other
Importance: P3 normal
Target Milestone: none
Assignee: Andrew Bartlett
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-09-04 13:38 UTC by Daniel Jarboe
Modified: 2005-08-24 10:18 UTC (History)

See Also:


Description Daniel Jarboe 2003-09-04 13:38:35 UTC
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp fails with NTLMSSP 
NT_STATUS_ACCESS_DENIED... but /usr/bin/ntlm_auth --helper-protocol=squid-2.5-
basic helper works great.

This is with samba-3.0.0-3rc1.3E and squid-2.5.STABLE3-2.3E as packaged by 
RedHat EL AS 3 beta (taroon) for s390.  If necessary, I can try to get this 
installed on an intel box sometime to see if it happens on that platform too.

Here's a snip of squid's cache.log with squid's NTLM debugging turned up to 10 
and with the helper at 10.

2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '(nil)'.
2003/09/03 08:15:40| authenticateValidateUser: Auth_user_request was
NULL!
2003/09/03 08:15:40| authenticateFixHeader: headertype:34 authuser:(nil)
2003/09/03 08:15:40| authenticateNTLMFixErrorHeader: Sending type:34
header: 'NTLM'
2003/09/03 08:15:40| authenticateFixErrorHeader: Sending type:34 header:
'Basic realm="Proxy"'
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '1'.
2003/09/03 08:15:40| authenticateDecodeAuth: header = 'NTLM
TlRMTVNTUAABAAAAB7IAoAwADAAoAAAACAAIACAAAABCQzAwNjc4NFRDU19NQUlOX0RPTX==
'
2003/09/03 08:15:40| authenticateAuthUserLock auth_user '0x559ba5c0'.
2003/09/03 08:15:40| authenticateAuthUserLock auth_user '0x559ba5c0' now
at '1'.
2003/09/03 08:15:40| authenticateDecodeNTLMAuth: NTLM authentication
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: auth state ntlm
none. NTLM
TlRMTVNTUAABAAAAB7IAoAwADAAoAAAACAAIACAAAABCQzAwNjc4NFRDU19NQUlOX0RPTX==
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: Locking auth_user
from the connection.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '2'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateStart: auth_user_request '0x559ba5a8'
2003/09/03 08:15:40| authenticateNTLMStart: auth state '1'
2003/09/03 08:15:40| authenticateNTLMStart: state '1'
2003/09/03 08:15:40| authenticateNTLMStart:
'TlRMTVNTUAABAAAAB7IAoAwADAAoAAAACAAIACAAAABCQzAwNjc4NFRDU19NQUlOX0RPTX=
='
2003/09/03 08:15:40| authenticateNTLMHelperServerAvailable: not starving
- returning 1
2003/09/03 08:15:40| authenticateNTLMChangeChallenge_p: first use
2003/09/03 08:15:40| authenticateNTLMStart: helper '0x557d9470' assigned
2003/09/03 08:15:40| authenticateNTLMValidChallenge: Challenge is
Invalid
[2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'YR' from squid (length: 2).
[2003/09/03 08:15:40, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/09/03 08:15:40, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(322)
  NTLMSSP challenge
2003/09/03 08:15:40| authenticateNTLMHandleReply: Helper: '0x557d9470'
{TT TlRMTVNTUAACAAAAAAAAADAAAAACAgAgJt9X786e84sAAAAAAAAAAAAAAAAwAAAA}
2003/09/03 08:15:40| authenticateNTLMHandleReply: helper '0x557d9470'
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '3'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '2'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '3'.
2003/09/03 08:15:40| authenticateFixHeader: headertype:34
authuser:0x559ba5a8
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMFixErrorHeader: Sending type:34
header: 'NTLM
TlRMTVNTUAACAAAAAAAAADAAAAACAgAgJt9X786e84sAAAAAAAAAAAAAAAAwAAAA'
2003/09/03 08:15:40| authenticateFixHeader: headertype:34
authuser:0x559ba5a8
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '2'.
2003/09/03 08:15:40| NTLM HandleReply, telling stateful helper : 3
2003/09/03 08:15:40| authenticateNTLMHelperServerAvailable: not starving
- returning 1
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '1'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '2'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: auth state
challenge with header NTLM
TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA
AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h
ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==.
2003/09/03 08:15:40| aclMatchProxyAuth: cache lookup with key 'NTLM
TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA
AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h
ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==TlRMTVNTUAACAAAAAAAAADAAAAAC
AgAgJt9X786e84sAAAAAAAAAAAAAAAAwAAAA'
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: proxy-auth cache
miss.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateStart: auth_user_request '0x559ba5a8'
2003/09/03 08:15:40| authenticateNTLMStart: auth state '3'
2003/09/03 08:15:40| authenticateNTLMStart: Asking NTLMauthenticator
'0x557d9470'.
2003/09/03 08:15:40| authenticateNTLMStart: state '3'
2003/09/03 08:15:40| authenticateNTLMStart:
'TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAA
AAACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21
hZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw=='
2003/09/03 08:15:40| authenticateNTLMstart: finished
[2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'KK
TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA
AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h
ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==' from squid (length: 191).
[2003/09/03 08:15:40, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/09/03 08:15:40, 10] lib/util.c:dump_data(1887)
  [000] 4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00  NTLMSSP. ........
  [010] 5B 00 00 00 18 00 18 00  73 00 00 00 0C 00 0C 00  [....... s.......
  [020] 40 00 00 00 07 00 07 00  4C 00 00 00 08 00 08 00  @....... L.......
  [030] 53 00 00 00 00 00 00 00  8B 00 00 00 06 02 00 20  S....... .......
  [040] 54 43 53 5F 4D 41 49 4E  5F 44 4F 4D 4A 41 52 42  TCS_MAIN _DOMJARB
  [050] 4F 45 44 42 43 30 30 36  37 38 34 E3 7C 12 81 3B  OEDBC006 784.|..;
  [060] 7C CB 13 EA 3B E6 2C 4E  28 FF 6D 61 66 47 08 6A  |...;.,N (.mafG.j
  [070] 26 F2 9C B0 97 14 B1 F2  F2 BB 62 F4 E0 D8 E2 6F  &....... ..b....o
  [080] 5A BC F5 94 2F 37 FB 47  9C 81 CF 00              Z.../7.G ....
[2003/09/03 08:15:40, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(292)
  Got user=[JARBOED] domain=[TCS_MAIN_DOM] workstation=[BC006784] len1=24 len2=24
[2003/09/03 08:15:40, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(325)
  NTLMSSP NT_STATUS_ACCESS_DENIED
2003/09/03 08:15:40| authenticateNTLMHandleReply: Helper: '0x557d9470'
{NA NT_STATUS_ACCESS_DENIED}
2003/09/03 08:15:40| authenticateNTLMHandleReply: Error validating user
via NTLM. Error returned 'NA NT_STATUS_ACCESS_DENIED'
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: auth state ntlm
failed. NTLM
TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA
AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h
ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '1'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '2'.
2003/09/03 08:15:40| authenticateFixHeader: headertype:34
authuser:0x559ba5a8
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMFixErrorHeader: Sending type:34
header: 'NTLM'
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '1'.
2003/09/03 08:15:40| NTLM HandleReply, telling stateful helper : 2
2003/09/03 08:15:40| authenticateNTLMHelperServerAvailable: not starving
- returning 1
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '0'.
2003/09/03 08:15:40| authenticateAuthUserRequestFree: freeing request
0x559ba5a8
2003/09/03 08:15:40| authenticateAuthUserUnlock auth_user '0x559ba5c0'.
2003/09/03 08:15:40| authenticateAuthUserUnlock auth_user '0x559ba5c0'
now at '0'.
2003/09/03 08:15:40| authenticateFreeProxyAuthUser: Freeing auth_user
'0x559ba5c0' with refcount '0'.
2003/09/03 08:15:40| authenticateNTLMFreeUser: Clearing NTLM scheme data

Like I said, basic authentication works fine, and ntlm did work using 
wb_ntlmauth as provided by squid but we were running samba 2.2.8a on that box.

Here's my smb.conf:
[global]
        workgroup = TCS_MAIN_DOM
        netbios name = LINBETA
        server string = Samba Server on LINBETA
        interfaces = eth0 127.0.0.1/24
        bind interfaces only = yes
        security = DOMAIN
        encrypt passwords = Yes
        password server = tcs_main_pdc
        username map = /etc/samba/smbusers
        log level = 1
        log file = /var/log/samba/%m.log
        mangling method = hash2
        preferred master = No
        domain master = No
        dns proxy = No
        wins server = tcs_main_pdc
        kernel oplocks = No
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        blocking locks = No
        locking = No
        oplocks = No
        level2 oplocks = No
        guest account = nobody
        load printers = no

The samba configuration is pretty much identical (except netbios name, etc) to 
a previous 2.2.8a config which is working on a different s390 server.  The 
squid config is the same too, except now we're trying to use the ntlm_auth 
helper instead of wb_ntlmauth.  wbinfo -t, --sequence, and -a all work as 
expected.  The PDC is an NT4 box, in a different subnet.  Does it need to be 
configured any differently for samba3?

Would any other information be helpful?

Thanks,
Daniel
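The log above carries all three NTLMSSP messages of the exchange: the browser's NEGOTIATE (type 1) from the Proxy-Authorization header, the CHALLENGE (type 2) that ntlm_auth returned to squid on the "TT" line, and the AUTHENTICATE (type 3) that squid handed back on the "KK" line, which ntlm_auth hex-dumped just before answering "NA NT_STATUS_ACCESS_DENIED". The decoder below is an added example (my code, not anything from the bug report, Samba or squid): it rejoins the wrapped base64 blobs from the log, unpacks the NTLMSSP header and security buffers, and splits the squid-2.5-ntlmssp helper lines, so the values ntlm_auth logged (user, domain, workstation, 24-byte LM and NT responses) can be checked against the raw bytes. The constant and function names are mine.

```python
"""Decode the NTLMSSP messages from the cache.log excerpt in this bug.

Added example; not code from the bug report, Samba or squid. Security buffers
are (len u16, maxlen u16, offset u32), all little-endian, offsets relative to
the start of the message.
"""
import base64
import struct

# Blobs copied verbatim from the log (line wrapping removed).
TYPE1_B64 = "TlRMTVNTUAABAAAAB7IAoAwADAAoAAAACAAIACAAAABCQzAwNjc4NFRDU19NQUlOX0RPTX=="  # browser NEGOTIATE
TYPE2_B64 = "TlRMTVNTUAACAAAAAAAAADAAAAACAgAgJt9X786e84sAAAAAAAAAAAAAAAAwAAAA"  # helper CHALLENGE ("TT")
TYPE3_B64 = (  # browser AUTHENTICATE, passed to the helper as "KK"
    "TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA"
    "AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h"
    "ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw=="
)

SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def _secbuf(blob, off):
    """Unpack the security buffer at off and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", blob, off)
    if offset + length > len(blob):
        raise ValueError("security buffer at %d points past end of message" % off)
    return blob[offset:offset + length]


def _decode_str(raw, flags):
    # With NEGOTIATE_UNICODE the strings are UTF-16LE; otherwise they are OEM
    # strings. The log's strings are plain ASCII, so latin-1 is a safe
    # approximation of the OEM code page here (an assumption, not a rule).
    return raw.decode("utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1")


def parse_ntlmssp(blob):
    """Return a dict describing a type 1, 2 or 3 NTLMSSP message."""
    if not blob.startswith(SIGNATURE):
        raise ValueError("missing NTLMSSP signature")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    if msg_type == 1:
        # NEGOTIATE: flags, then OEM-encoded domain and workstation buffers.
        flags = struct.unpack_from("<I", blob, 12)[0]
        return {"type": 1, "flags": flags,
                "domain": _decode_str(_secbuf(blob, 16), 0),
                "workstation": _decode_str(_secbuf(blob, 24), 0)}
    if msg_type == 2:
        # CHALLENGE: target name buffer, flags, 8-byte server challenge.
        flags = struct.unpack_from("<I", blob, 20)[0]
        return {"type": 2, "flags": flags,
                "target_name": _decode_str(_secbuf(blob, 12), flags),
                "challenge": blob[24:32]}
    if msg_type == 3:
        # AUTHENTICATE: LM, NT, domain, user, workstation, session key buffers,
        # then flags at offset 60 (absent in very short, old-style messages).
        flags = struct.unpack_from("<I", blob, 60)[0] if len(blob) >= 64 else 0
        return {"type": 3, "flags": flags,
                "lm_response": _secbuf(blob, 12),
                "nt_response": _secbuf(blob, 20),
                "domain": _decode_str(_secbuf(blob, 28), flags),
                "user": _decode_str(_secbuf(blob, 36), flags),
                "workstation": _decode_str(_secbuf(blob, 44), flags)}
    raise ValueError("unexpected NTLMSSP message type %d" % msg_type)


def parse_helper_line(line):
    """Split one squid-2.5-ntlmssp helper-protocol line into (tag, payload).

    Tags seen in the log: YR (start of a new exchange, blob optional), TT
    (challenge from the helper), KK (client response from squid), NA (denied,
    with a reason) and AF (allowed, with the user name). Blob-carrying tags are
    decoded; the others return their text.
    """
    tag, _, rest = line.strip().partition(" ")
    if tag in ("YR", "TT", "KK") and rest:
        return tag, parse_ntlmssp(base64.b64decode(rest))
    return tag, rest


if __name__ == "__main__":
    for ln in ("YR " + TYPE1_B64, "TT " + TYPE2_B64,
               "KK " + TYPE3_B64, "NA NT_STATUS_ACCESS_DENIED"):
        print(parse_helper_line(ln))
```

Decoding the "KK" blob gives user JARBOED, domain TCS_MAIN_DOM, workstation BC006784 and two 24-byte responses, exactly what ntlmssp_server_auth logged. That confirms the message itself was well-formed and fully parsed by ntlm_auth; the ACCESS_DENIED came from the step after parsing (the helper contacting winbindd), which is where the fix in the comments below applies.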
Comment 1 Andrew Bartlett 2003-09-04 14:48:08 UTC
This needs to be documented better - but you must put squid into a group that
can access the 'winbind privileged pipe'.  This is in LOCKDIR/winbindd_priv_pipe
- simply set the permissions on the directory.  But please don't just make it
world-access...
Comment 2 Daniel Jarboe 2003-09-05 04:30:35 UTC
Excellent, I chgrp'ed the directory to squid (r-x).  That fixed it.  I'll let 
squid-users list know, and also add a comment to a bug-report I opened for 
Taroon (RH EL AS 3 beta).  Once everything is working, this stuff seems so much 
faster in samba 3 than 2.2.8a!  Congrats, can't wait for more doc and the 
release.

~ Daniel
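The fix in the two comments above is a permission change on the privileged pipe directory: the helper's group gets read and search access, and nobody else gains anything. The script below is an added example (my code, not from the bug, Samba or squid) that audits a directory against exactly that rule and applies the chgrp/chmod from comment 2. The directory name winbindd_priv_pipe is taken from comment 1; the real path under your lock directory, and the helper group name (squid on the reporter's system), are assumptions you must fill in for your own build. demo() reproduces the situation on a scratch directory using the current process's own gid so it runs without root.

```python
"""Audit and fix access to winbindd's privileged pipe directory.

Added example, not code from the bug report or Samba. The rule it enforces is
the one in the comments above: the helper's group needs r-x on the directory,
and the directory must not be world-accessible.
"""
import grp
import os
import stat
import tempfile


def _gid_of(group):
    """Accept a group name or a numeric gid (numeric avoids a /etc/group lookup)."""
    return group if isinstance(group, int) else grp.getgrnam(group).gr_gid


def audit_priv_dir(path, group):
    """Return a list of problems; an empty list means the helper's group can
    reach the pipe directory and no other local user can."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_gid != _gid_of(group):
        problems.append("group is gid %d, expected %s" % (st.st_gid, group))
    need = stat.S_IRGRP | stat.S_IXGRP
    if mode & need != need:
        problems.append("group lacks r-x (mode %o): helper cannot open the pipe" % mode)
    if mode & stat.S_IWGRP:
        problems.append("group can write (mode %o): only r-x is needed" % mode)
    if mode & stat.S_IRWXO:
        problems.append("world bits set (mode %o): any local user can reach the "
                        "privileged pipe" % mode)
    return problems


def grant_group(path, group):
    """Apply the fix from comment 2: chgrp to the helper's group, mode 0750
    (owner rwx, group r-x, nothing for others). Returns the post-fix audit."""
    os.chown(path, -1, _gid_of(group))
    os.chmod(path, 0o750)
    return audit_priv_dir(path, group)


def demo():
    """Recreate the bad state on a scratch directory (the world-access shortcut
    comment 1 warns against), then fix it. Returns (problems_before, problems_after).
    Uses the current gid as the 'helper' group so it needs no privileges."""
    root = tempfile.mkdtemp()
    pipe_dir = os.path.join(root, "winbindd_priv_pipe")  # name from comment 1; real path is build-specific
    os.mkdir(pipe_dir)
    os.chmod(pipe_dir, 0o777)
    group = os.getgid()
    try:
        before = audit_priv_dir(pipe_dir, group)
        after = grant_group(pipe_dir, group)
    finally:
        os.rmdir(pipe_dir)
        os.rmdir(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

On a real system run audit_priv_dir() against the actual directory with the helper's group name (for example "squid"); if it reports only the group mismatch, grant_group() is the whole fix, and a report of world bits means the directory was opened to everyone rather than to the helper.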
Comment 3 Andrew Bartlett 2003-09-05 05:00:24 UTC
It's faster because we now cache the connection to the DC.  This means a new
authentication only requires 2 packets.
Comment 4 Andrew Bartlett 2003-09-30 21:17:08 UTC
The last remaining issue here (lack of documentation) has been addressed. 
(ntlm_auth manpage updated - winbindd manpage already had this info).
Comment 5 Gerald (Jerry) Carter (dead mail address) 2005-02-07 09:05:22 UTC
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Comment 6 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:18:08 UTC
sorry for the spam, cleaning up the database to prevent unnecessary reopens of bugs.