Bug 7219 - ntlm_auth --require-membership-of bug
Summary: ntlm_auth --require-membership-of bug
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: Ntlm_auth Tool
Version: 3.4.6
Hardware: Other Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Kai Blin
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-03-06 15:55 UTC by Alexey Marushchenko
Modified: 2017-01-03 00:42 UTC

See Also:

Description Alexey Marushchenko 2010-03-06 15:55:54 UTC
When using ntlm_auth

ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='AD\\GROUP'"
or
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='AD+GROUP'" (Depends on winbind separator param)
User authentication fails.

If --require-membership-of is provided by SID:
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='SID'"
then authentication passes.

If I test ntlm_auth from the command line
ntlm_auth --require-membership-of='SID' --username=USER --password=PASS
ntlm_auth --require-membership-of='AD\\GROUP' --username=USER --password=PASS
both variants pass authentication.

Is there some problem with GROUP NAME to SID translation?
Comment 1 Kai Blin 2010-04-08 05:19:53 UTC
In principle this should work. What program are you calling ntlm_auth from when it's failing?
Comment 2 Alexey Marushchenko 2010-04-08 06:57:24 UTC
(In reply to comment #1)
> In principle this should work. What program are you calling ntlm_auth from when
> it's failing?
> 

ppp-2.4.3-14.3.v5 in ClearOS 5.1 (/etc/redhat-release contains string CentOS release 5.4 (Final))

The call is made in the /etc/ppp/options files for the pptpd and xl2tpd daemons, in the authentication phase of connection establishment.
Comment 3 Karl Reinhard 2013-10-08 11:09:32 UTC
I can confirm that bug; I stumbled on it while setting up a radius + ntlm_auth.

The require-membership-of parameter seems to have no effect. It's not failing: even if the user is not a member of the group, ntlm_auth reports a success.
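The behaviours described in the report and in this comment (group check by name rejecting a valid member, or the check silently having no effect) are easy to miss because each is only visible when you compare a member and a non-member account against the same command line. The following script is an added regression check, not part of the bug or of Samba: it runs two `ntlm_auth --require-membership-of=... --username=... --password=...` invocations (the flags used in the report) and classifies the result as enforced, fail-open, fail-closed or inverted based only on exit status (ntlm_auth exits 0 on success). The path `/usr/bin/ntlm_auth`, the `AD\GROUP` name, and the two account names are placeholders you must replace with a real member and a real non-member of the group in your domain.

```python
import subprocess
from typing import List, Sequence

# Hypothetical defaults; replace with values from your own environment.
NTLM_AUTH = "/usr/bin/ntlm_auth"


def build_ntlm_auth_cmd(group: str, username: str, password: str,
                        ntlm_auth: str = NTLM_AUTH) -> List[str]:
    """Build one ntlm_auth command line using the flags from the bug report.

    Passing --password on the command line exposes it in the process list;
    use a throwaway test account and unset its password afterwards.
    """
    return [ntlm_auth,
            f"--require-membership-of={group}",
            f"--username={username}",
            f"--password={password}"]


def authenticates(cmd: Sequence[str]) -> bool:
    """Run a command and treat exit status 0 as 'authentication accepted'."""
    return subprocess.run(list(cmd), capture_output=True).returncode == 0


def membership_verdict(member_cmd: Sequence[str],
                       nonmember_cmd: Sequence[str]) -> str:
    """Classify how the group restriction behaves for a member/non-member pair.

    enforced    - member accepted, non-member rejected (correct)
    fail-open   - both accepted: the restriction has no effect (comment 3)
    fail-closed - both rejected: valid members are locked out (the report)
    inverted    - member rejected but non-member accepted
    """
    member_ok = authenticates(member_cmd)
    nonmember_ok = authenticates(nonmember_cmd)
    if member_ok and not nonmember_ok:
        return "enforced"
    if member_ok and nonmember_ok:
        return "fail-open"
    if not member_ok and not nonmember_ok:
        return "fail-closed"
    return "inverted"


if __name__ == "__main__":
    # Constructed placeholder credentials; substitute real test accounts.
    group = r"AD\GROUP"
    member = build_ntlm_auth_cmd(group, "member-user", "MEMBER-PASS")
    nonmember = build_ntlm_auth_cmd(group, "other-user", "OTHER-PASS")
    print("require-membership-of verdict:", membership_verdict(member, nonmember))
```

Run it once with the group given by name and once with the group's SID; a "fail-open" or "fail-closed" verdict for either form reproduces one of the two symptoms in this bug, and the same pair of commands makes a cheap check to keep in place after an upgrade.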
Comment 4 Roel van Meer 2014-06-19 13:42:26 UTC
The problem also exists in samba 4.1.8.
Comment 5 Sander Plas 2014-12-15 15:31:11 UTC
Same problem in Samba 4.1.14.
Comment 6 Sander Plas 2014-12-16 09:37:57 UTC
This post on the mailing list suggests that this is a 'known' issue that only occurs when Samba is running in AD-DC mode:

https://lists.samba.org/archive/samba/2014-June/182632.html

So a workaround could be to use a non-DC Samba "member server".

In my specific situation, this would mean I would have to set up a separate member server just for this purpose :(
Comment 7 Andrew Bartlett 2017-01-03 00:42:24 UTC
I believe this is fixed in Samba 4.3 with c31c30043bdb0b3736f81c4b391ec96f236bc227, as we removed the AD DC specific winbindd implementation and replaced it with the long-standing implementation used in the member server.