Bug 571 - ntlm_auth doesn't work with win98 clients in squid helper NTLMSSP mode
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: ntlm_auth tool
Version: 3.0.0
Hardware: All Solaris
Importance: P3 normal
Assigned To: Andrew Bartlett
Reported: 2003-10-06 02:16 UTC by Sergei V. Rozinov
Modified: 2005-11-14 09:31 UTC (History)
Description Sergei V. Rozinov 2003-10-06 02:16:06 UTC
The ntlm_auth fails to authenticate users of Internet Explorer under
Windows 98, if it is in squid helper mode with option
--helper-protocol=squid-2.5-ntlmssp.
Authentication of Windows 2000 clients is OK.
Older versions of auth prg shipped with squid-2.5 for Samba-2.2.x still work
for Windows 98.

The helper under SQUID reports this:

[2003/10/06 00:32:45, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(278)
  ntlmssp_server_auth: failed to parse NTLMSSP:
[2003/10/06 00:32:45, 2] lib/util.c:dump_data(1825)
  [000] 4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00  NTLMSSP. ........
  [010] 48 00 00 00 00 00 00 00  60 00 00 00 06 00 06 00  H....... `.......
  [020] 34 00 00 00 07 00 07 00  3A 00 00 00 07 00 07 00  4....... :.......
  [030] 41 00 00 00 53 49 42 52  4F 4E 4B 41 53 48 54 41  A...SIBR ONKASHTA
  [040] 4E 4B 41 53 48 54 41 4E  EA 73 AA F0 99 ED FD 46  NKASHTAN .s.....F
  [050] 5C 66 C2 E3 CE 7F 62 3B  09 74 57 86 F4 1F 64 88  \f....b; .tW...d.

Sincerely,
Sergei V. Rozinov
Senior RISC systems engineer
Sibron Ltd, RUSSIA
Comment 1 Tim Potter 2003-10-06 04:05:45 UTC
Reassigning this to abartlet.
Comment 2 Tim Potter 2003-10-06 04:06:16 UTC
Reassigning this to abartlet.
Comment 3 Carlos Alberto Barcenilla 2003-10-21 18:47:09 UTC
I'm having the same problem. Windows 2000/XP/NT/Me, no Windows 98.
Messages from W98 are different than those from NT/XP/2000. I solved the problem
by upgrading NTLM software in W98.

These are some dumps.

Windows 98:
[000] 4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00  NTLMSSP. ........
[010] 51 00 00 00 00 00 00 00  69 00 00 00 08 00 08 00  Q....... i.......
[020] 34 00 00 00 09 00 09 00  3C 00 00 00 0C 00 0C 00  4....... <.......
[030] 45 00 00 00 53 49 53 54  45 4D 41 53 61 69 67 6C  E...SIST EMASaigl
[040] 65 73 69 61 73 41 52 51  2E 49 47 4C 45 53 49 41  esiasARQ .IGLESIA
[050] 53 57 DA 59 07 B0 F4 68  5B CA 48 FD 0A D7 5B 0F  SWÚY.°ôh [ÊHý.×[.
[060] 83 3B B8 D7 D6 FC F2 57  FB                       .;¸×ÖüòW û

Windows XP:
[000] 4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00  NTLMSSP. ........
[010] 54 00 00 00 18 00 18 00  6C 00 00 00 08 00 08 00  T....... l.......
[020] 40 00 00 00 05 00 05 00  48 00 00 00 07 00 07 00  @....... H.......
[030] 4D 00 00 00 00 00 00 00  84 00 00 00 06 02 00 20  M....... .......
[040] 53 49 53 54 45 4D 41 53  42 41 52 43 45 41 4D 45  SISTEMAS BARCEAME
[050] 52 49 43 41 1D 73 3A C4  CB D4 0B 8D 6A A0 02 AC  RICA.s:Ä ËÔ..j .¬
[060] 01 88 CB C9 00 0E 1D 49  B1 8A 6B 32 11 6B 58 7F  ..ËÉ...I ±.k2.kX.
[070] 10 D9 A8 69 28 08 BA E0  45 5A C1 C7 1B 46 0E 48  .Ù¨i(.ºà EZÁÇ.F.H
[080] C2 8C AA 51                                       Â.ªQ


My manual decode of W98:

protocol: [000] NTLMSSP\0
type: [008] 0x03 // type-3 message
zero: [00A] 0x000000
lm_resp_len: [00C] 0x0018 (little endian) decimal: 24
lm_resp_len: [00E] 0x0018 (little endian) decimal: 24
lm_resp_off: [010] 0x0051 (little endian)
zero: [012] 0x0000
nt_resp_len: [014] 0x0000  (ohh!! this should be nonzero, it seems W98 does not use it)
nt_resp_len: [016] 0x0000  (ohh!! this should be nonzero, it seems W98 does not use it)
nt_resp_off: [018] 0x0069 (little endian)
zero: [01A] 0x0000
dom_len: [01C] 0x0008 (little endian) {SISTEMAS}
dom_len: [01E] 0x0008 (little endian)
dom_off: [020] 0x0034 (little endian)
zero: [022] 0x0000
user_len: [024] 0x0009 (little endian) {aiglesias}
user_len: [026] 0x0009 (little endian)
user_off: [028] 0x003C (little endian)
zero: [02A] 0x0000
host_len: [02C] 0x000C (little endian) decimal: 12 {ARQ.IGLESIAS}
host_len: [02E] 0x000C (little endian) decimal: 12
host_off: [030] 0x0045 (little endian)
zero: [032] 0x5453494300 (little endian) 6 bytes ... this should be 6-byte zeroes!!!!
msg_len: [038] 0x4D45 ......... ohh this went to the hell!! Continuing parsing is useless!


Comment 4 Carlos Alberto Barcenilla 2003-10-21 18:51:14 UTC
While I still think this is an ntlm_auth bug, the problem can be solved by upgrading NTLM
support in Windows 98.

There's a Knowledge base Article at Microsoft Support:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q239/8/69.ASP&NoWebContent=1

It worked for me. But I had to use 1 (not 3!!) at
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMCompatibility
Comment 5 Sergei V. Rozinov 2003-10-22 09:44:27 UTC
Thanks Carlos Alberto,
Installation of the Directory Services Client (DSCLIENT.EXE) onto
Windows 98 solves this problem completely.

And I didn't use
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMCompatibility

By the way, this reg value doesn't exist at all on my test workstation,
and the authentication now works fine.
Comment 6 Alexander Bokovoy 2003-10-23 02:55:34 UTC
I've added information about KB article to the ntlm_auth man page in section
TROUBLESHOOTING.
Comment 7 Eric 2003-11-06 18:33:16 UTC
Currently, it does:


if (!msrpc_parse(&request, parse_string,
                 "NTLMSSP", 
                 &ntlmssp_command, 
                 &ntlmssp_state->lm_resp,
                 &ntlmssp_state->nt_resp,
                 &ntlmssp_state->domain, 
                 &ntlmssp_state->user, 
                 &ntlmssp_state->workstation,
                 &sess_key,
                 &neg_flags)) {
        DEBUG(1, ("ntlmssp_server_auth: failed to parse NTLMSSP:\n"));
        dump_data(2, (const char *)request.data, request.length);
        return NT_STATUS_INVALID_PARAMETER;
}


but Win9x clients don't send the session key or flag fields in the type 3
(as seen in the packet dump above):

http://davenport.sourceforge.net/ntlm.html#theType3Message

They also only do LM; the Directory Services client adds support for NTLMv2,
and updates the type 3 format to the version used by newer clients.

Don't know if this helps, but I was cruising by and saw this so I figured
I'd put in my $.02 ;)


Eric

Comment 8 Andrew Bartlett 2003-12-25 02:50:46 UTC
I think this is fixed in current CVS, and in Samba 3.0.1 (however 3.0.1 may have
other issues).

I have allowed for a short parse, ignoring the trailing elements.  Reopen this
bug if you still have an issue.
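
The short parse discussed in this thread, as an added example (not part of the original bug report, and not Samba's code or the actual fix): a bounds-checked type 3 reader that treats the session key and flags fields as optional, based on where the first payload starts. The names `parse_type3`, `struct type3` and `struct secbuf` are hypothetical; the field offsets follow the dumps and manual decode above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types for this example; not Samba's structures. */
struct secbuf { uint16_t len; uint32_t off; };
struct type3 { struct secbuf lm, nt, domain, user, host, key;
               uint32_t flags; int has_key, has_flags; };

/* First 0x51 bytes copied from the Windows 98 dump in comment 3; the 24-byte
   LM response at 0x51 is left zeroed (constructed filler). */
static const uint8_t win98[0x69] = {
    0x4E,0x54,0x4C,0x4D,0x53,0x53,0x50,0x00, 0x03,0x00,0x00,0x00,0x18,0x00,0x18,0x00,
    0x51,0,0,0, 0,0,0,0, 0x69,0,0,0, 0x08,0,0x08,0,
    0x34,0,0,0, 0x09,0,0x09,0, 0x3C,0,0,0, 0x0C,0,0x0C,0,
    0x45,0,0,0, 'S','I','S','T', 'E','M','A','S', 'a','i','g','l',
    'e','s','i','a','s','A','R','Q', '.','I','G','L','E','S','I','A', 'S' };

static uint32_t le(const uint8_t *p, int n)   /* little-endian read of n bytes */
{ uint32_t v = 0; while (n--) v = (v << 8) | p[n]; return v; }

/* Returns 0 on success, -1 if malformed. Session key and flags are optional. */
int parse_type3(const uint8_t *m, size_t n, struct type3 *t)
{
    struct secbuf *b[6] = { &t->lm, &t->nt, &t->domain, &t->user, &t->host, &t->key };
    size_t hdr = n;   /* header ends where the earliest non-empty payload begins */
    memset(t, 0, sizeof *t);
    if (n < 0x34 || memcmp(m, "NTLMSSP", 8) != 0 || le(m + 8, 4) != 3)
        return -1;
    for (int i = 0; i < 6; i++) {
        if (i == 5 && hdr < 0x3C) break;      /* Win9x: no session key buffer */
        b[i]->len = (uint16_t)le(m + 12 + 8 * i, 2);
        b[i]->off = le(m + 16 + 8 * i, 4);
        if (b[i]->off > n || b[i]->len > n - b[i]->off)
            return -1;                        /* buffer points outside the message */
        if (i < 5 && b[i]->len && b[i]->off < hdr) hdr = b[i]->off;
    }
    if (hdr < 0x34) return -1;                /* payload overlaps mandatory header */
    t->has_key = hdr >= 0x3C;
    if (hdr >= 0x40) { t->flags = le(m + 0x3C, 4); t->has_flags = 1; }
    return 0;
}

int main(void) {
    struct type3 t;
    int rc = parse_type3(win98, sizeof win98, &t);
    printf("rc=%d user=%.*s key=%d flags=%d\n", rc, (int)t.user.len,
           (const char *)win98 + t.user.off, t.has_key, t.has_flags);
    return rc;
}
```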
Comment 9 Gerald (Jerry) Carter 2005-08-24 10:20:21 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.
Comment 10 Gerald (Jerry) Carter 2005-11-14 09:31:33 UTC
database cleanup