/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp fails with NTLMSSP NT_STATUS_ACCESS_DENIED... but /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic helper works great. This is with samba-3.0.0-3rc1.3E and squid-2.5.STABLE3-2.3E as packaged by RedHat EL AS 3 beta (taroon) for s390. If necessary, I can try to get this installed on an intel box sometime to see if it happens on that platform too.

Here's a snip of squid's cache.log with squid's NTLM debugging turned up to 10 and with the helper at 10.

2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '(nil)'.
2003/09/03 08:15:40| authenticateValidateUser: Auth_user_request was NULL!
2003/09/03 08:15:40| authenticateFixHeader: headertype:34 authuser:(nil)
2003/09/03 08:15:40| authenticateNTLMFixErrorHeader: Sending type:34 header: 'NTLM'
2003/09/03 08:15:40| authenticateFixErrorHeader: Sending type:34 header: 'Basic realm="Proxy"'
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8' now at '1'.
2003/09/03 08:15:40| authenticateDecodeAuth: header = 'NTLM TlRMTVNTUAABAAAAB7IAoAwADAAoAAAACAAIACAAAABCQzAwNjc4NFRDU19NQUlOX0RPTX== '
2003/09/03 08:15:40| authenticateAuthUserLock auth_user '0x559ba5c0'.
2003/09/03 08:15:40| authenticateAuthUserLock auth_user '0x559ba5c0' now at '1'.
2003/09/03 08:15:40| authenticateDecodeNTLMAuth: NTLM authentication
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: auth state ntlm none.
NTLM TlRMTVNTUAABAAAAB7IAoAwADAAoAAAACAAIACAAAABCQzAwNjc4NFRDU19NQUlOX0RPTX==
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: Locking auth_user from the connection.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8' now at '2'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateStart: auth_user_request '0x559ba5a8'
2003/09/03 08:15:40| authenticateNTLMStart: auth state '1'
2003/09/03 08:15:40| authenticateNTLMStart: state '1'
2003/09/03 08:15:40| authenticateNTLMStart: 'TlRMTVNTUAABAAAAB7IAoAwADAAoAAAACAAIACAAAABCQzAwNjc4NFRDU19NQUlOX0RPTX= ='
2003/09/03 08:15:40| authenticateNTLMHelperServerAvailable: not starving - returning 1
2003/09/03 08:15:40| authenticateNTLMChangeChallenge_p: first use
2003/09/03 08:15:40| authenticateNTLMStart: helper '0x557d9470' assigned
2003/09/03 08:15:40| authenticateNTLMValidChallenge: Challenge is Invalid
[2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'YR' from squid (length: 2).
[2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(322)
  NTLMSSP challenge
2003/09/03 08:15:40| authenticateNTLMHandleReply: Helper: '0x557d9470' {TT TlRMTVNTUAACAAAAAAAAADAAAAACAgAgJt9X786e84sAAAAAAAAAAAAAAAAwAAAA}
2003/09/03 08:15:40| authenticateNTLMHandleReply: helper '0x557d9470'
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8' now at '3'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request '0x559ba5a8' now at '2'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8' now at '3'.
2003/09/03 08:15:40| authenticateFixHeader: headertype:34 authuser:0x559ba5a8
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMFixErrorHeader: Sending type:34 header: 'NTLM TlRMTVNTUAACAAAAAAAAADAAAAACAgAgJt9X786e84sAAAAAAAAAAAAAAAAwAAAA'
2003/09/03 08:15:40| authenticateFixHeader: headertype:34 authuser:0x559ba5a8
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request '0x559ba5a8' now at '2'.
2003/09/03 08:15:40| NTLM HandleReply, telling stateful helper : 3
2003/09/03 08:15:40| authenticateNTLMHelperServerAvailable: not starving - returning 1
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request '0x559ba5a8' now at '1'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8' now at '2'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: auth state challenge with header NTLM TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==.
2003/09/03 08:15:40| aclMatchProxyAuth: cache lookup with key 'NTLM TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==TlRMTVNTUAACAAAAAAAAADAAAAAC AgAgJt9X786e84sAAAAAAAAAAAAAAAAwAAAA'
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: proxy-auth cache miss.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateStart: auth_user_request '0x559ba5a8'
2003/09/03 08:15:40| authenticateNTLMStart: auth state '3'
2003/09/03 08:15:40| authenticateNTLMStart: Asking NTLMauthenticator '0x557d9470'.
2003/09/03 08:15:40| authenticateNTLMStart: state '3'
2003/09/03 08:15:40| authenticateNTLMStart: 'TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAA AAACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21 hZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw=='
2003/09/03 08:15:40| authenticateNTLMstart: finished
[2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'KK TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==' from squid (length: 191).
[2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/09/03 08:15:40, 10] lib/util.c:dump_data(1887)
  [000] 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 NTLMSSP. ........
  [010] 5B 00 00 00 18 00 18 00 73 00 00 00 0C 00 0C 00 [....... s.......
  [020] 40 00 00 00 07 00 07 00 4C 00 00 00 08 00 08 00 @....... L.......
  [030] 53 00 00 00 00 00 00 00 8B 00 00 00 06 02 00 20 S....... .......
  [040] 54 43 53 5F 4D 41 49 4E 5F 44 4F 4D 4A 41 52 42 TCS_MAIN _DOMJARB
  [050] 4F 45 44 42 43 30 30 36 37 38 34 E3 7C 12 81 3B OEDBC006 784.|..;
  [060] 7C CB 13 EA 3B E6 2C 4E 28 FF 6D 61 66 47 08 6A |...;.,N (.mafG.j
  [070] 26 F2 9C B0 97 14 B1 F2 F2 BB 62 F4 E0 D8 E2 6F &....... ..b....o
  [080] 5A BC F5 94 2F 37 FB 47 9C 81 CF 00 Z.../7.G ....
[2003/09/03 08:15:40, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(292)
  Got user=[JARBOED] domain=[TCS_MAIN_DOM] workstation=[BC006784] len1=24 len2=24
[2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(325)
  NTLMSSP NT_STATUS_ACCESS_DENIED
2003/09/03 08:15:40| authenticateNTLMHandleReply: Helper: '0x557d9470' {NA NT_STATUS_ACCESS_DENIED}
2003/09/03 08:15:40| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'NA NT_STATUS_ACCESS_DENIED'
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: auth state ntlm failed.
NTLM TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request '0x559ba5a8' now at '1'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request '0x559ba5a8' now at '2'.
2003/09/03 08:15:40| authenticateFixHeader: headertype:34 authuser:0x559ba5a8
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMFixErrorHeader: Sending type:34 header: 'NTLM'
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request '0x559ba5a8' now at '1'.
2003/09/03 08:15:40| NTLM HandleReply, telling stateful helper : 2
2003/09/03 08:15:40| authenticateNTLMHelperServerAvailable: not starving - returning 1
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request '0x559ba5a8' now at '0'.
2003/09/03 08:15:40| authenticateAuthUserRequestFree: freeing request 0x559ba5a8
2003/09/03 08:15:40| authenticateAuthUserUnlock auth_user '0x559ba5c0'.
2003/09/03 08:15:40| authenticateAuthUserUnlock auth_user '0x559ba5c0' now at '0'.
2003/09/03 08:15:40| authenticateFreeProxyAuthUser: Freeing auth_user '0x559ba5c0' with refcount '0'.
2003/09/03 08:15:40| authenticateNTLMFreeUser: Clearing NTLM scheme data

Like I said, basic authentication works fine, and ntlm did work using wb_ntlmauth as provided by squid but we were running samba 2.2.8a on that box.
Here's my smb.conf:

[global]
workgroup = TCS_MAIN_DOM
netbios name = LINBETA
server string = Samba Server on LINBETA
interfaces = eth0 127.0.0.1/24
bind interfaces only = yes
security = DOMAIN
encrypt passwords = Yes
password server = tcs_main_pdc
username map = /etc/samba/smbusers
log level = 1
log file = /var/log/samba/%m.log
mangling method = hash2
preferred master = No
domain master = No
dns proxy = No
wins server = tcs_main_pdc
kernel oplocks = No
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
blocking locks = No
locking = No
oplocks = No
level2 oplocks = No
guest account = nobody
load printers = no

The samba configuration is pretty much identical (except netbios name, etc) to a previous 2.2.8a config which is working on a different s390 server. The squid config is the same too, except now we're trying to use the ntlm_auth helper instead of wb_ntlmauth. wbinfo -t, --sequence, and -a all work as expected. The PDC is an NT4 box, in a different subnet. Does it need to be configured any differently for samba3? Would any other information be helpful?

Thanks,
Daniel
This needs to be documented better - but you must put squid into a group that can access the 'winbind privileged pipe'. This is in LOCKDIR/winbindd_priv_pipe - simply set the permissions on the directory. But please don't just make it world-access...
Excellent, I chgrp'ed the directory to squid (r-x). That fixed it. I'll let squid-users list know, and also add a comment to a bug-report I opened for Taroon (RH EL AS 3 beta). Once everything is working, this stuff seems so much faster in samba 3 than 2.2.8a! Congrats, can't wait for more doc and the release. ~ Daniel
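The permission fix discussed in the two comments above, as an added check (example code, not from this bug report or from the Samba project): it confirms that the privileged pipe directory is not world-accessible, is owned by the expected group, and gives that group r-x. The directory path and group are passed as arguments, the function names are hypothetical, and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example: audit the winbind privileged pipe directory used by ntlm_auth.
# Assumes GNU stat (Linux). check_priv_dir and user_in_group are hypothetical names.

# check_priv_dir DIR GROUP
# returns 0 = ok, 1 = missing, 2 = world-accessible, 3 = wrong group, 4 = group lacks r-x
check_priv_dir() {
    dir=$1
    want_group=$2
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 1; }

    mode=$(stat -c %a "$dir")     # octal permission bits, e.g. 750
    group=$(stat -c %G "$dir")    # owning group name
    other=$((mode % 10))          # last digit: permissions for "other"
    grp=$(((mode / 10) % 10))     # middle digit: permissions for the group

    if [ "$other" -ne 0 ]; then
        echo "world-accessible ($mode): $dir" >&2
        return 2
    fi
    if [ "$group" != "$want_group" ]; then
        echo "group is $group, expected $want_group: $dir" >&2
        return 3
    fi
    # The helper needs read + search (r-x = 5) on the directory.
    if [ $((grp & 5)) -ne 5 ]; then
        echo "group lacks r-x ($mode): $dir" >&2
        return 4
    fi
    return 0
}

# user_in_group USER GROUP: true if USER (e.g. the proxy's run-as account) is in GROUP
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$2"
}

# Stand-alone use: sh check.sh DIR GROUP [USER]
if [ $# -ge 2 ]; then
    check_priv_dir "$1" "$2" || exit $?
    if [ -n "$3" ]; then
        user_in_group "$3" "$2" || { echo "$3 is not in group $2" >&2; exit 5; }
    fi
    echo "ok: $1"
fi
```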
It's faster because we now cache the connection to the DC. This means a new authentication only requires 2 packets.
The last remaining issue here (lack of documentation) has been addressed. (ntlm_auth manpage updated - winbindd manpage already had this info).
Originally reported against one of the 3.0.0rc[1-4] releases. Cleaning up non-production versions.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.