Bug 103726 - ntlm_auth --helper-protocol=squid-2.5-ntlmssp fails with NTLMSSP NT_STATUS_ACCESS_DENIED
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: samba
Version: 3.0
Hardware: s390 Linux
Priority: medium
Severity: medium
Assigned To: Jay Fenlason
David Lawrence
Reported: 2003-09-04 09:06 EDT by Daniel Jarboe
Modified: 2014-08-31 19:25 EDT (History)
Doc Type: Bug Fix
Last Closed: 2005-05-23 12:12:22 EDT
Description Daniel Jarboe 2003-09-04 09:06:36 EDT
Description of problem:
With Samba 3, Squid is supposed to use Samba's ntlm_auth 
tool.  /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic helper works great 
but /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp fails (NTLMSSP 
NT_STATUS_ACCESS_DENIED).

Version-Release number of selected component (if applicable):
samba-3.0.0-3rc1.3E

How reproducible:
Always

Steps to Reproduce:
1. Configure squid to use ntlm authentication... specifically with an 
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
2. Try to use the proxy... windows clients using NTLM-enabled browsers (IE) get 
prompted with the three box authentication (User Name, Password, Domain) when 
NTLM auth fails.
    
Actual results:
User is prompted for windows user/password/domain credentials when 
authentication fails.  Entering the credentials into the prompt manually does 
not solve the problem.

Expected results:
Authentication should be successful.

Additional info:
Attachments to follow: clip from squid's cache.log with debug_options 29,10 and 
ntlm_auth run with -d 10, squid.conf, and smb.conf (only winbindd is running, 
not smbd/nmbd).
Comment 1 Daniel Jarboe 2003-09-04 10:00:08 EDT
Oh yeah, and squid provided wb_group and wb_auth and wb_ntlmauth all fail... 
perhaps they were built without using the newer samba 3 headers?  But that's a 
different bug.  It wouldn't bother me except that ntlm_auth
--helper-protocol=squid-2.5-ntlmssp fails.
Comment 2 Daniel Jarboe 2003-09-04 10:09:30 EDT
Okay, couldn't get attachments working correctly.  Here's a snip of cache.log, 
specifically the ntlm_auth portion with debugging turned up.

2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '(nil)'.
2003/09/03 08:15:40| authenticateValidateUser: Auth_user_request was
NULL!
2003/09/03 08:15:40| authenticateFixHeader: headertype:34 authuser:(nil)
2003/09/03 08:15:40| authenticateNTLMFixErrorHeader: Sending type:34
header: 'NTLM'
2003/09/03 08:15:40| authenticateFixErrorHeader: Sending type:34 header:
'Basic realm="Proxy"'
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '1'.
2003/09/03 08:15:40| authenticateDecodeAuth: header = 'NTLM
TlRMTVNTUAABAAAAB7IAoAwADAAoAAAACAAIACAAAABCQzAwNjc4NFRDU19NQUlOX0RPTX==
'
2003/09/03 08:15:40| authenticateAuthUserLock auth_user '0x559ba5c0'.
2003/09/03 08:15:40| authenticateAuthUserLock auth_user '0x559ba5c0' now
at '1'.
2003/09/03 08:15:40| authenticateDecodeNTLMAuth: NTLM authentication
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: auth state ntlm
none. NTLM
TlRMTVNTUAABAAAAB7IAoAwADAAoAAAACAAIACAAAABCQzAwNjc4NFRDU19NQUlOX0RPTX==
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: Locking auth_user
from the connection.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '2'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateStart: auth_user_request '0x559ba5a8'
2003/09/03 08:15:40| authenticateNTLMStart: auth state '1'
2003/09/03 08:15:40| authenticateNTLMStart: state '1'
2003/09/03 08:15:40| authenticateNTLMStart:
'TlRMTVNTUAABAAAAB7IAoAwADAAoAAAACAAIACAAAABCQzAwNjc4NFRDU19NQUlOX0RPTX=
='
2003/09/03 08:15:40| authenticateNTLMHelperServerAvailable: not starving
- returning 1
2003/09/03 08:15:40| authenticateNTLMChangeChallenge_p: first use
2003/09/03 08:15:40| authenticateNTLMStart: helper '0x557d9470' assigned
2003/09/03 08:15:40| authenticateNTLMValidChallenge: Challenge is
Invalid
[2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'YR' from squid (length: 2).
[2003/09/03 08:15:40, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/09/03 08:15:40, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(322)
  NTLMSSP challenge
2003/09/03 08:15:40| authenticateNTLMHandleReply: Helper: '0x557d9470'
{TT TlRMTVNTUAACAAAAAAAAADAAAAACAgAgJt9X786e84sAAAAAAAAAAAAAAAAwAAAA}
2003/09/03 08:15:40| authenticateNTLMHandleReply: helper '0x557d9470'
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '3'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '2'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '3'.
2003/09/03 08:15:40| authenticateFixHeader: headertype:34
authuser:0x559ba5a8
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMFixErrorHeader: Sending type:34
header: 'NTLM
TlRMTVNTUAACAAAAAAAAADAAAAACAgAgJt9X786e84sAAAAAAAAAAAAAAAAwAAAA'
2003/09/03 08:15:40| authenticateFixHeader: headertype:34
authuser:0x559ba5a8
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '2'.
2003/09/03 08:15:40| NTLM HandleReply, telling stateful helper : 3
2003/09/03 08:15:40| authenticateNTLMHelperServerAvailable: not starving
- returning 1
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '1'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '2'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: auth state
challenge with header NTLM
TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA
AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h
ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==.
2003/09/03 08:15:40| aclMatchProxyAuth: cache lookup with key 'NTLM
TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA
AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h
ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==TlRMTVNTUAACAAAAAAAAADAAAAAC
AgAgJt9X786e84sAAAAAAAAAAAAAAAAwAAAA'
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: proxy-auth cache
miss.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateStart: auth_user_request '0x559ba5a8'
2003/09/03 08:15:40| authenticateNTLMStart: auth state '3'
2003/09/03 08:15:40| authenticateNTLMStart: Asking NTLMauthenticator
'0x557d9470'.
2003/09/03 08:15:40| authenticateNTLMStart: state '3'
2003/09/03 08:15:40| authenticateNTLMStart:
'TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAA
AAACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21
hZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw=='
2003/09/03 08:15:40| authenticateNTLMstart: finished
[2003/09/03 08:15:40, 10] utils/ntlm_auth.c:manage_squid_request(1061)
  Got 'KK
TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA
AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h
ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==' from squid (length: 191).
[2003/09/03 08:15:40, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
  got NTLMSSP packet:
[2003/09/03 08:15:40, 10] lib/util.c:dump_data(1887)
  [000] 4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00  NTLMSSP. ........
  [010] 5B 00 00 00 18 00 18 00  73 00 00 00 0C 00 0C 00  [....... s.......
  [020] 40 00 00 00 07 00 07 00  4C 00 00 00 08 00 08 00  @....... L.......
  [030] 53 00 00 00 00 00 00 00  8B 00 00 00 06 02 00 20  S....... .......
  [040] 54 43 53 5F 4D 41 49 4E  5F 44 4F 4D 4A 41 52 42  TCS_MAIN _DOMJARB
  [050] 4F 45 44 42 43 30 30 36  37 38 34 E3 7C 12 81 3B  OEDBC006 784.|..;
  [060] 7C CB 13 EA 3B E6 2C 4E  28 FF 6D 61 66 47 08 6A  |...;.,N (.mafG.j
  [070] 26 F2 9C B0 97 14 B1 F2  F2 BB 62 F4 E0 D8 E2 6F  &....... ..b....o
  [080] 5A BC F5 94 2F 37 FB 47  9C 81 CF 00              Z.../7.G ....
[2003/09/03 08:15:40, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(292)
  Got user=[JARBOED] domain=[TCS_MAIN_DOM] workstation=[BC006784]
len1=24 len2=24
[2003/09/03 08:15:40, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(325)
  NTLMSSP NT_STATUS_ACCESS_DENIED
2003/09/03 08:15:40| authenticateNTLMHandleReply: Helper: '0x557d9470'
{NA NT_STATUS_ACCESS_DENIED}
2003/09/03 08:15:40| authenticateNTLMHandleReply: Error validating user
via NTLM. Error returned 'NA NT_STATUS_ACCESS_DENIED'
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMAuthenticateUser: auth state ntlm
failed. NTLM
TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA
AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h
ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw==
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '1'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestLock auth_user request
'0x559ba5a8' now at '2'.
2003/09/03 08:15:40| authenticateFixHeader: headertype:34
authuser:0x559ba5a8
2003/09/03 08:15:40| authenticateValidateUser: Validating Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| authenticateValidateUser: Validated Auth_user
request '0x559ba5a8'.
2003/09/03 08:15:40| User not fully authenticated.
2003/09/03 08:15:40| authenticateNTLMFixErrorHeader: Sending type:34
header: 'NTLM'
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '1'.
2003/09/03 08:15:40| NTLM HandleReply, telling stateful helper : 2
2003/09/03 08:15:40| authenticateNTLMHelperServerAvailable: not starving
- returning 1
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user request
'0x559ba5a8'.
2003/09/03 08:15:40| authenticateAuthUserRequestUnlock auth_user_request
'0x559ba5a8' now at '0'.
2003/09/03 08:15:40| authenticateAuthUserRequestFree: freeing request
0x559ba5a8
2003/09/03 08:15:40| authenticateAuthUserUnlock auth_user '0x559ba5c0'.
2003/09/03 08:15:40| authenticateAuthUserUnlock auth_user '0x559ba5c0'
now at '0'.
2003/09/03 08:15:40| authenticateFreeProxyAuthUser: Freeing auth_user
'0x559ba5c0' with refcount '0'.
2003/09/03 08:15:40| authenticateNTLMFreeUser: Clearing NTLM scheme data
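The two NTLMSSP tokens in the excerpt above, decoded. This is an added example, not part of the bug report or of Samba or Squid: it parses the "TT" challenge that ntlm_auth returned to squid (a Type 2 CHALLENGE_MESSAGE) and the "KK" message squid passed back from the browser (a Type 3 AUTHENTICATE_MESSAGE), with both base64 strings copied from the cache.log lines above. Field offsets follow MS-NLMP; the function and constant names are this example's own. The point it makes: the Type 3 is well formed and carries exactly the user, domain, workstation and 24-byte LM/NT responses (NTLMv1) that ntlmssp_server_auth logged, so the NT_STATUS_ACCESS_DENIED was produced after parsing, when the helper handed the challenge/response pair to winbindd, which is consistent with the privileged-pipe permission fix described in comment 5.

```python
import base64
import struct

# Tokens copied from the cache.log excerpt above: the "TT" challenge ntlm_auth
# returned to squid (Type 2) and the "KK" authenticate message squid passed
# back from the client (Type 3).
TYPE2_B64 = "TlRMTVNTUAACAAAAAAAAADAAAAACAgAgJt9X786e84sAAAAAAAAAAAAAAAAwAAAA"
TYPE3_B64 = (
    "TlRMTVNTUAADAAAAGAAYAFsAAAAYABgAcwAAAAwADABAAAAABwAHAEwAAAAIAAgAUwAAAAAA"
    "AACLAAAABgIAIFRDU19NQUlOX0RPTUpBUkJPRURCQzAwNjc4NON8EoE7fMsT6jvmLE4o/21h"
    "ZkcIaibynLCXFLHy8rti9ODY4m9avPWULzf7R5yBzw=="
)

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16-LE when set, OEM otherwise


def _field(data, off):
    """Decode one NTLMSSP security buffer (len, maxlen, offset; little-endian)
    and return the bytes it points at, bounds-checked against the message."""
    length, _maxlen, offset = struct.unpack_from("<HHI", data, off)
    if offset + length > len(data):
        raise ValueError("security buffer at 0x%x points past end of message" % off)
    return data[offset:offset + length]


def _parse_challenge(data):
    """CHALLENGE_MESSAGE (Type 2): target name, flags, 8-byte server challenge."""
    if len(data) < 32:
        raise ValueError("Type 2 message too short")
    (flags,) = struct.unpack_from("<I", data, 20)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    return {
        "type": 2,
        "target_name": _field(data, 12).decode(enc),
        "flags": flags,
        "server_challenge": data[24:32].hex(),
        # TargetInfo (AV pairs) only exists in the longer 48-byte form.
        "target_info_len": len(_field(data, 40)) if len(data) >= 48 else 0,
    }


def _parse_authenticate(data):
    """AUTHENTICATE_MESSAGE (Type 3): six security buffers, then the flags."""
    if len(data) < 64:
        raise ValueError("Type 3 message too short")
    lm_resp, nt_resp, domain, user, wks, sess = (
        _field(data, off) for off in (12, 20, 28, 36, 44, 52)
    )
    (flags,) = struct.unpack_from("<I", data, 60)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    return {
        "type": 3,
        "domain": domain.decode(enc),
        "user": user.decode(enc),
        "workstation": wks.decode(enc),
        "flags": flags,
        "lm_response_len": len(lm_resp),
        # 24 bytes = NTLMv1; an NTLMv2 response is a 16-byte HMAC plus a blob.
        "nt_response_len": len(nt_resp),
        "nt_response": nt_resp.hex(),
        "session_key_len": len(sess),
    }


def parse_ntlmssp(token_b64):
    """Parse a base64 NTLMSSP token as carried in the squid helper protocol."""
    data = base64.b64decode(token_b64)
    if data[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", data, 8)
    if msg_type == 2:
        return _parse_challenge(data)
    if msg_type == 3:
        return _parse_authenticate(data)
    raise ValueError("unsupported NTLMSSP message type %d" % msg_type)


if __name__ == "__main__":
    for label, token in (("TT (Type 2)", TYPE2_B64), ("KK (Type 3)", TYPE3_B64)):
        print(label)
        for key, value in parse_ntlmssp(token).items():
            print("  %-17s %s" % (key, hex(value) if key == "flags" else value))
```

In the squid-2.5-ntlmssp helper protocol squid sends "YR" to start, the helper answers "TT <Type 2>", squid forwards the browser's Type 3 as "KK <Type 3>", and the helper ends with "AF <user>" on success or "NA <reason>" on failure; the log shows the exchange reaching the final step before failing. The 0x20000206 flags in the Type 3 have no UNICODE bit, which is why the strings decode as single-byte OEM text and appear verbatim in the hex dump.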
Comment 3 Daniel Jarboe 2003-09-04 10:10:14 EDT
smb.conf

[global]
        workgroup = TCS_MAIN_DOM
        netbios name = LINBETA
        server string = Samba Server on LINBETA
        interfaces = eth0 127.0.0.1/24
        bind interfaces only = yes
        security = DOMAIN
        encrypt passwords = Yes
        password server = tcs_main_pdc
        username map = /etc/samba/smbusers
        log level = 1
        log file = /var/log/samba/%m.log
        mangling method = hash2
        preferred master = No
        domain master = No
        dns proxy = No
        wins server = tcs_main_pdc
        kernel oplocks = No
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        blocking locks = No
        locking = No
        oplocks = No
        level2 oplocks = No
        guest account = nobody
        load printers = no
Comment 4 Daniel Jarboe 2003-09-04 10:11:13 EDT
squid.conf

# The NT_global_group external ACL is temporarily set to
# /var/log/squid/wbinfo_group.py because wbinfo_group.pl tickles
# perl bug, #102665 in your bugzilla)
http_port 3128
debug_options ALL,1 29,10
cache_dir null /tmp
cache_store_log none
pid_filename /var/run/squid/squid.pid
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d 10
auth_param ntlm children 2
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic -d 3 -l /tmp/basic
auth_param basic children 1
auth_param basic realm Proxy
auth_param basic credentialsttl 40 hours
external_acl_type NT_global_group ttl=3600 negative_ttl=600 concurrency=1 %LOGIN /var/log/squid/wbinfo_group.py
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
no_cache deny all
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl NTauth external NT_global_group InternetHTTP
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow NTauth
http_access deny all
http_reply_access allow all
cache_mgr daniel.jarboe@custserv.com
cache_effective_user squid
cache_effective_group squid
coredump_dir /var/log/squid/core/
logfile_rotate 3
Comment 5 Daniel Jarboe 2003-09-05 07:34:06 EDT
Andrew Bartlett noted it wasn't well documented yet, but that the winbindd 
privileged pipe needed to be readable by squid.  A chgrp 
squid /var/cache/samba/winbindd_privileged solved my problem.

~ Daniel
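The check behind the fix in this comment, as an added example that is not part of the bug report, Samba or Squid: it verifies that the winbindd privileged pipe directory is group-owned by the group the NTLMSSP helper runs as (squid's cache_effective_group in the squid.conf above), that the group has r-x on it, and that it is not world-accessible. The path /var/cache/samba/winbindd_privileged and the group name squid are the ones from this bug; both are parameters because other Samba builds compile in a different directory (for example under /var/lib/samba or /run/samba). Function names are this example's own.

```python
import grp
import os
import stat

# Path on the Samba 3.0 / RHEL 3 build in this report, and the group squid runs
# as (cache_effective_group in the squid.conf above).  Both are assumptions
# about this particular host and are parameters for that reason.
DEFAULT_PRIV_DIR = "/var/cache/samba/winbindd_privileged"
DEFAULT_HELPER_GROUP = "squid"

GROUP_RX = stat.S_IRGRP | stat.S_IXGRP


def evaluate_privileged_dir(st_gid, st_mode, want_gid, path=DEFAULT_PRIV_DIR,
                            group_name=None):
    """Return a list of problems (empty means OK) for a winbindd_privileged
    directory with owning gid st_gid and mode st_mode, judged against the gid
    the helper runs as.  Pure function so it can be exercised without root."""
    problems = []
    mode = stat.S_IMODE(st_mode)
    label = group_name if group_name is not None else str(want_gid)
    if st_gid != want_gid:
        problems.append("group is gid %d, not %s; the helper cannot reach the pipe "
                        "(fix: chgrp %s %s)" % (st_gid, label, label, path))
    if mode & GROUP_RX != GROUP_RX:
        problems.append("group lacks r-x (mode %04o); the helper cannot open the "
                        "pipe (fix: chmod 750 %s)" % (mode, path))
    if mode & stat.S_IRWXO:
        # winbindd keeps this pipe separate precisely so that only trusted
        # callers can submit challenge/response checks; 0777 "fixes" open it
        # to every local process.
        problems.append("world-accessible (mode %04o): any local process could "
                        "submit challenge/response checks to winbindd (fix: chmod "
                        "750 %s)" % (mode, path))
    return problems


def check_privileged_dir(path=DEFAULT_PRIV_DIR, helper_group=DEFAULT_HELPER_GROUP):
    """Stat the real directory and evaluate it.  helper_group may be a group
    name or a numeric gid."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["cannot stat %s (%s); is winbindd running?" % (path, exc.strerror)]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    if isinstance(helper_group, int):
        want_gid, name = helper_group, None
    else:
        try:
            want_gid, name = grp.getgrnam(helper_group).gr_gid, helper_group
        except KeyError:
            return ["group %r does not exist on this host" % helper_group]
    return evaluate_privileged_dir(st.st_gid, st.st_mode, want_gid, path, name)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PRIV_DIR
    group = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_HELPER_GROUP
    problems = check_privileged_dir(path, group)
    for problem in problems:
        print("PROBLEM:", problem)
    if not problems:
        print("OK: %s is usable by group %s and not world-accessible" % (path, group))
    sys.exit(1 if problems else 0)
```

Run it as root on the proxy host after installing or upgrading Samba, since a package update can recreate the directory with its default group. The directory is kept at 0750 with only the group changed: ntlm_auth uses this pipe to have winbindd validate the NTLM challenge/response pairs it receives, so widening it to everyone would hand any local user that same validation oracle against the domain.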
Comment 6 Jay Fenlason 2003-09-11 11:00:07 EDT
This is half-fixed in the samba-3.0.0-6rc3.3E rpms.  The rest of the fix 
requires a new set of squid RPMs which will automatically chgrp 
/var/cache/samba/winbindd_privileged if Samba is installed. 
Comment 7 Jay Fenlason 2005-05-23 12:12:22 EDT
This was fixed in the 7:2.5.STABLE3-6.3E.4 squid RPM 
