Squid 3.0-STABLE9 and Samba 3.0.28 from CentOS 5 binary RPMs.

Squid authenticating XP and Vista machines using NTLM:

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

    [2008/10/15 09:26:07, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
      Got NTLMSSP neg_flags=0xa208b207
    [2008/10/15 09:26:07, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
      Got user=[YXXXXXXX] domain=[YXXXXXXX] workstation=[YXXXXXXX] len1=24 len2=264
    [2008/10/15 09:26:07, 3] utils/ntlm_auth.c:winbind_pw_check(515)
      Login for user [YXXXXXXX]\[YXXXXXXX]@[YXXXXXXX] failed due to [Invalid parameter]

Tracing back through the Samba code, I found this was the failure point:

/usr/src/samba-3.0.28/source/nsswitch/winbindd_pam.c

    enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
                                                     struct winbindd_cli_state *state)
    {
        ....
        ....
        if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)
            || state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {
            DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
                      state->request.data.auth_crap.lm_resp_len,
                      state->request.data.auth_crap.nt_resp_len));
            result = NT_STATUS_INVALID_PARAMETER;
            goto done;
        }

The helper was copying the Base64-decoded NTLM section into a structure nt_resp which was of type FSTRING, which relies on the following header:

/usr/src/samba-3.0.28/source/include/pstring.h, line 29

    #define FSTRING_LEN 256

The NTLM(v2) part of the NTLMSSP Auth packet was 264 bytes, and didn't fit into the 256-byte buffer, got truncated and rejected as invalid!!

On my customer site, I got round this by hacking Squid to remove AV_PAIRs 3 & 4 (FQDN of workstation and domain) to truncate the NT_RESP part to <256.
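The size arithmetic in the report above, as an added example that is not part of the original report or of Samba: it walks the AV_PAIR list of an NTLMv2 response, counts the bytes taken by AV_PAIRs 3 and 4, and applies the same length comparison against FSTRING_LEN. The function names and the sample bytes are constructed for illustration; the 44-byte offset assumes the standard NTLMv2 response layout (16-byte proof followed by a 28-byte fixed header).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FSTRING_LEN 256   /* buffer size quoted in the report (pstring.h) */
#define AV_START 44       /* 16-byte NTProofStr + 28-byte fixed NTLMv2 header */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk the AV_PAIR list of one NTLMv2 response (the NT_RESP field).
 * On success returns 0 and stores the bytes used by AV_PAIRs 3 and 4
 * (DNS computer name and DNS domain name) in *dns_bytes; returns -1 when
 * the list is cut short or has no MsvAvEOL (id 0) terminator. */
int av_dns_bytes(const uint8_t *resp, size_t len, size_t *dns_bytes)
{
    size_t off = AV_START;
    *dns_bytes = 0;
    while (len >= 4 && off <= len - 4) {
        uint16_t id = le16(resp + off), alen = le16(resp + off + 2);
        if (alen > len - off - 4) return -1;   /* value runs past the end */
        if (id == 0) return 0;                 /* MsvAvEOL terminator */
        if (id == 3 || id == 4) *dns_bytes += 4u + alen;
        off += 4u + alen;
    }
    return -1;
}

/* The comparison quoted from winbindd_dual_pam_auth_crap, for nt_resp only. */
int fits_fstring(size_t nt_resp_len) { return nt_resp_len <= FSTRING_LEN; }

/* Constructed sample (not the attachment's data): header bytes zeroed and
 * value lengths chosen so the total is 264 bytes, the size reported above. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint16_t ids[]  = { 2, 1, 4, 3, 0 };
    static const uint16_t lens[] = { 14, 24, 70, 88, 0 };
    size_t off = AV_START;
    if (cap < 264) return 0;
    memset(buf, 0, cap);
    for (int i = 0; i < 5; i++) {
        buf[off] = (uint8_t)ids[i];            /* AvId, little-endian low byte */
        buf[off + 2] = (uint8_t)lens[i];       /* AvLen, little-endian low byte */
        off += 4u + lens[i];
    }
    return off + 4;   /* 4 trailing zero bytes after the terminator */
}
```

On the constructed sample the two DNS entries account for 166 of the 264 bytes, and cutting the response at 256 bytes loses the terminator, so the list no longer parses.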
Created attachment 3706: NTLMSSP packet data
Looking into this. I'm not sure what the best fix for this would be, yet.
Hm, tricky. I was hoping to stash the blob in the "extra_data" field if it's too big to fit into an fstring, but that's already in use when called via ntlm_auth. I'm not sure if there's any fix that's more elegant than your truncating in squid. :(
Created attachment 3718: Proposed patch

Hi. This patch is the most elegant solution I came up with. Could you please check if this works for you?
Before checking in, can you split off the reformatting?

Thanks,
Volker
Works for me.
Great, I pushed the patch to the test branches for 3.0, 3.2 and 3.3 as well as to the development tree. Thanks for catching this.