7219 – ntlm_auth --require-membership-of bug

Bug 7219 - ntlm_auth --require-membership-of bug

Summary: ntlm_auth --require-membership-of bug

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.4
Classification:	Unclassified
Component:	Ntlm_auth Tool (show other bugs)
Version:	3.4.6
Hardware:	Other Linux

Importance:	P3 normal
Target Milestone:	---
Assignee:	Kai Blin
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2010-03-06 15:55 UTC by Alexey Marushchenko
Modified:	2017-01-03 00:42 UTC (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexey Marushchenko 2010-03-06 15:55:54 UTC

When using ntlm_auth

ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='AD\\GROUP'"
or
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='AD+GROUP'" (Depends on winbind separator param)
User authentication fails.

If --require-membership-of is provided by SID:
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='SID'"
then authentication pass.

If test ntlm_auth from command line
ntlm_auth --require-membership-of='SID' --username=USER --password=PASS
ntlm_auth --require-membership-of='AD\\GROUP' --username=USER --password=PASS
both variants pass authentication.

Is there some problem with GROUP NAME to SID translation?

Comment 1 Kai Blin 2010-04-08 05:19:53 UTC

In principle this should work. What program are you calling ntlm_auth from when it's failing?

Comment 2 Alexey Marushchenko 2010-04-08 06:57:24 UTC

(In reply to comment #1)
> In principle this should work. What program are you calling ntlm_auth from when
> it's failing?
> 

ppp-2.4.3-14.3.v5 in ClearOS 5.1 (/etc/redhat-release contains string CentOS release 5.4 (Final))

Calling done in /etc/ppp/options files for pptpd and xl2tpd daemons in authentication phase of conection establishing

Comment 3 Karl Reinhard 2013-10-08 11:09:32 UTC

I can confirm that bug stumbled around setting up an radius + ntlm_auth.

The require-membership-of parameter seems to have no effect. It's not failing, even if the user is not member of the group, ntlm_auth reports a success

Comment 4 Roel van Meer 2014-06-19 13:42:26 UTC

The problem also exists in samba 4.1.8.

Comment 5 Sander Plas 2014-12-15 15:31:11 UTC

Same problem in Samba 4.1.14 .

Comment 6 Sander Plas 2014-12-16 09:37:57 UTC

This post on the mailing list suggests that this is a 'known' issue that only occurs when Samba is running in AD-DC mode: 

https://lists.samba.org/archive/samba/2014-June/182632.html

So a workaround could be to use a non-DC samba "member server". 

In my specific situation, this would mean i would have to set up a separate member server just for this purpose :(

Comment 7 Andrew Bartlett 2017-01-03 00:42:24 UTC

I believe this is fixed in Samba 4.3 with c31c30043bdb0b3736f81c4b391ec96f236bc227 as we removed the AD DC specific winbindd implementation and replaced it with the long-standing implemenation used in the member server.