[Samba] Squid/ntlm_auth issues with two user accounts (all otheraccounts on the domain work).

Hi all,

I have just installed and configured a squid setup authenticating
against Active Directory using kerberos tickets and have achieved the
holy-grail of IT - Single Sign On!

The problem is that I have two users for whom is does not work.

The ntlm_auth logs show that for users that are properly authenticated
against squid we get the following (Usernames/Domains/Hosts have been
changed for security reasons):

========================

ntlm-auth[4409](ntlm_auth.c:284): managing request
ntlm-auth[4409](ntlm_auth.c:290): ntlm authenticator. Got 'YR
TlRMTVNTUAABAAAAB7IIog0ADQAtAAAABQAFACgAAAAFASgKAA AAD1BBVFRZQ0FSSUJCRUFOLUFCUw=='
from Squid
ntlm-auth[4409](ntlm_auth.c:239): obtain_challenge: selecting DOMAIN\DC
(attempt #1)
ntlm-auth[4409](ntlm_auth.c:251): attempting challenge retrieval
ntlm-auth[4409](libntlmssp.c:119): Connecting to server DC domain
DOMAIN
ntlm-auth[4409](ntlm_auth.c:253): make_challenge retuned
0x80537e0
ntlm-auth[4409](ntlm_auth.c:255): Got it
ntlm-auth[4409](ntlm_auth.c:437): sending 'TT
TlRMTVNTUAACAAAADQANACgAAACCgkEAJqCr40UuPYsAAAAAAA AAAENBUklCQkVBTi1BQlM='
to squid
ntlm-auth[4409](ntlm_auth.c:284): managing request
ntlm-auth[4409](ntlm_auth.c:290): ntlm authenticator. Got 'KK
TlRMTVNTUAADAAAAGAAYAGYAAAAYABgAfgAAAA0ADQBIAAAADA AMAFUAAAAFAAUAYQAAAAAAAACWAAAABoIAAgUBKAoAAAAPQ0FS SUJCRUFOLUFCU0pFU1NJQ0EuS0VOVFBBVFRZM6rQG5d/Xb6Ob0rSB3mxhprnkyEaHQD02o4eEyCq9dbXApcDGuzlgfkY8L D5EHzd'
from Squid
ntlm-auth[4409](libntlmssp.c:268): Empty LM pass detection: user:
'FIRSTNAME.SURNAME',ours:'JB4<B4><95>}d|<FC>Q<C0>m <D0>^L<BA><AA><A5>^Z<B9><99>;<D1><DB><D8>^Mu
<F6>:l^B^Q�<CB>xN<86><D6>rUßN<A1><F0>d<FB>mServe r returned a non-zero
SMB Error Class and Code.',
his:'3<AA><D0>ESC<97>^?]<BE><8E>oJ<D2>^Gy<B1><86><9A><E7>
<93>!^Z^]'(length: 24)
ntlm-auth[4409](libntlmssp.c:280): Empty NT pass detection: user:
'FIRSTNAME.SURNAME',ours:'^Mu<F6>:l^B^Q�<CB>xN<86 ><D6>rUßN<A1><F0>d<FB>mServer
returned a non-zero SMB Error Class and Code.', his: 'ÚŽ^^^S
<AA><F5><D6><D7>^B<97>^C^Z<EC><E5><81><F9>^X<F0><B 0><F9>^P|<DD>'(length:
24)
ntlm-auth[4409](libntlmssp.c:294): checking domain: 'DOMAIN', user:
'FIRSTNAME.SURNAME',pass='3<AA><D0>ESC<97>^?]<BE><8E>oJ<D2>^Gy<B1><86><9A><E7><93>!^Z
^]' ntlm-auth[4409](libntlmssp.c:297): Login attempt had result 0
ntlm-auth[4409](libntlmssp.c:305): credentials:
DOMAIN\FIRSTNAME.SURNAME
ntlm-auth[4409](ntlm_auth.c:418): sending 'AF domain\firstname.surname'
to squid

=====================

The setup works for all users on our Domain apart from two. When they
try and log in, the result is as follows (again, usernames have been
changed):

====================

ntlm-auth[19104](ntlm_auth.c:284): managing request
ntlm-auth[19104](ntlm_auth.c:290): ntlm authenticator. Got 'YR
TlRMTVNTUAABAAAAB7IIog0ADQAvAAAABwAHACgAAAAFASgKAA AAD1BVUi0wMDFDQVJJQkJFQU4tQUJT'
from Squid ntlm-auth[19104](ntlm_auth.c:239): obtain_challenge:
selecting DOMAIN\DC (attempt #1) ntlm-auth[19104](ntlm_auth.c:251):
attempting challenge retrieval ntlm-auth[19104](libntlmssp.c:119):
Connecting to server DC domain DOMAIN
ntlm-auth[19104](ntlm_auth.c:253): make_challenge retuned 0x80537e0
ntlm-auth[19104](ntlm_auth.c:255): Got it
ntlm-auth[19104](ntlm_auth.c:437): sending 'TT
TlRMTVNTUAACAAAADQANACgAAACCgkEAk+cd4WiYtHsAAAAAAA AAAENBUklCQkVBTi1BQlM='
to squid ntlm-auth[19104](ntlm_auth.c:284): managing request
ntlm-auth[19104](ntlm_auth.c:290): ntlm authenticator. Got 'KK
TlRMTVNTUAADAAAAGAAYAGsAAAAYABgAgwAAAA0ADQBIAAAADw APAFUAAAAHAAcAZAAAAAAAAACbAAAABoIAAgUBKAoAAAAPQ0FS SUJCRUFOLUFCU0JFQVRSSUNFLkJVVExFUlBVUi0wMDEA2pj8Lh 8Z0ADamPwuHxnQANqY/C4fGdBmeJnHb+DBs4t00vR1y/hqokvuxtK8U8A='
from Squid ntlm-auth[19104](libntlmssp.c:268): Empty LM pass detection:
user: 'FIRSTNAME2.LASTNAME2', ours:'cx�r��Su׉Q���/٤�1', his: ''(length:
24) ntlm-auth[19104](libntlmssp.c:280): Empty NT pass detection: user:
'FIRSTNAME2.LASTNAME2', ours:'', his: 'fx�����t�u�j�K�ҼS�(length: 24)
ntlm-auth[19104](libntlmssp.c:294): checking domain: 'DOMAIN', user:
'FIRSTNAME2.LASTNAME2', pass='' ntlm-auth[19104](libntlmssp.c:297):
Login attempt had result -1 ntlm-auth[19104](ntlm_auth.c:350): No creds.
SMBlib error 1, SMB error class 1, SMB error code 5, NB error 0
ntlm-auth[19104](ntlm_auth.c:371): DOS error
ntlm-auth[19104](ntlm_auth.c:376): sending 'NA Access denied' to squid

==========================

The only difference I can see between the two users is that in the
first (successful) one, there is data in the "pass" field and in the
second account there is not.

/etc/squid.conf is as follows:

auth_param ntlm program /usr/lib/squid/ntlm_auth -d domain/dc
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 100
auth_param basic realm CARIBBEAN-ABS
auth_param basic credentialsttl 2 hours


Client PCs are running Windows XP Pro and IE7.
All PCs are configured in the same way
The two accounts that do not work fail regardless of the PC used.
Other accounts are successful on the PCs "owned" by the users whose
accounts do not work.

Can anyone shed any further light on this for me? I've been pulling my
hair out over it for the last 48 hours!

Cheers,

Matt
--
Matt Wallace
http://www.truthisfreedom.org.uk
matthew@truthisfreedom.org.uk
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

On Wed, 11 Jun 2008 13:50:45 +0100
Matthew Macdonald-Wallace <lists@truthisfreedom.org.uk> wrote:

> The only difference I can see between the two users is that in the
> first (successful) one, there is data in the "pass" field and in the
> second account there is not.

Hi all,

Mark sent me a quick note on the above (thanks Mark!) and I now get the
following error on the accounts that don't work:

==========================

ntlm-auth[8705](ntlm_auth.c:284): managing request
ntlm-auth[8705](ntlm_auth.c:290): ntlm authenticator. Got 'YR
TlRMTVNTUAABAAAAB7IIog0ADQAvAAAABwAHACgAAAAFASgKAA AAD09GRklDRTJDQVJJQkJFQU4tQUJT'
from Squid
ntlm-auth[8705](ntlm_auth.c:239): obtain_challenge: selecting
DOMAIN\DC (attempt #1)
ntlm-auth[8705](ntlm_auth.c:251): attempting challenge retrieval
ntlm-auth[8705](libntlmssp.c:119): Connecting to server DC
domain DOMAIN
ntlm-auth[8705](ntlm_auth.c:253): make_challenge retuned 0x80537e0
ntlm-auth[8705](ntlm_auth.c:255): Got it
ntlm-auth[8705](ntlm_auth.c:437): sending 'TT
TlRMTVNTUAACAAAADQANACgAAACCgkEAfnufN5M1ntEAAAAAAA AAAENBUklCQkVBTi1BQlM='
to squid
ntlm-auth[8705](ntlm_auth.c:284): managing request
ntlm-auth[8705](ntlm_auth.c:290): ntlm authenticator. Got 'KK
TlRMTVNTUAADAAAAGAAYAGsAAAAYABgAgwAAAA0ADQBIAAAADw APAFUAAAAHAAcAZAAAAAAAAACbAAAABoIAAgUBKAoAAAAPQ0FS SUJCRUFOLUFCU0JFQVRSSUNFLkJVVExFUk9GRklDRTK7ivPZ+Y V5gruK89n5hXmCu4rz2fmFeYLZDO98sQRKF2fOAo6s7/TlqolY69sHTTc='
from Squid
ntlm-auth[8705](libntlmssp.c:268): Empty LM pass detection: user:
'FIRSTNAME.LASTNAME', ours:'e�,T�i<�%�FG2$G]�I�B�����hq��Vq;=gu�Server
returned a non-zero SMB Error Class and Code.', his:
'ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï ¿½ï¿½Jg����媉X�M7'(length: 24)
ntlm-auth[8705](libntlmssp.c:280): Empty NT pass detection: user:
'FIRSTNAME.LASTNAME', ours:'B�����hq��Vq;=gu�Server returned a non-zero
SMB Error Class and Code.', his: '���Jg����媉X�M7'(length: 24)
ntlm-auth[8705](libntlmssp.c:294): checking domain: 'DOMAIN',
user: 'FIRSTNAME.LASTNAME', pass='ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿ ½'
ntlm-auth[8705](libntlmssp.c:297): Login attempt had result -1
ntlm-auth[8705](ntlm_auth.c:350): No creds. SMBlib error 1, SMB error
class 1, SMB error code 5, NB error 0
ntlm-auth[8705](ntlm_auth.c:371): DOS error
ntlm-auth[8705](ntlm_auth.c:376): sending 'NA Access denied' to squid

=======================

If people can tell me which squid/samba conf files they need to see,
let me know and I'll post them to the list as well.

Kind regards,

Matt
--
Matthew Macdonald-Wallace
matthew@truthisfreedom.org.uk
http://www.truthisfreedom.org.uk/
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba