Hi Ian,
At 14.34 08/11/2005, Ian Barnes wrote:
> Hi Guido,
> Thanks for the help, I feel kinda daft for not looking in the file first.
> Anyway, this hasn't resolved the problem. We upgraded our squid (to
> 2.5Stable12), and samba to 3.0.20b. Once we upgraded squid, the ntlm_auth
> program was different so we used the samba ntlm_auth instead.

You must use the ntlm_auth program provided with your running Samba.

> What does the "auth_param use_ntlm_negotiate on|off" actually do?

Look here, there is a detailed description of how NTLM over HTTP works:
http://davenport.sourceforge.net/ntlm.html

Using the previous page as reference, use_ntlm_negotiate does the following:
When enabled, the Type 1 message is passed to the helper for the
challenge (Type 2 message) generation; when disabled, the helper uses
a self-created Type 1 message for challenge generation.

What does this mean?
NTLMv2 needs to be negotiated between client and server, so it cannot
be used when use_ntlm_negotiate is off.

> Is it
> reliant on a certain helper? Because that didn't make any difference to the
> outcome. We were told to put this option into our smb.conf to enable
> NTLMv2: "client ntlmv2 auth = yes", would this have any effect on what's
> happening?

In the Samba configuration manual, about "client ntlmv2 auth" you can read:
"This parameter determines whether or not smbclient(8) will attempt
to authenticate itself to servers using the NTLMv2 encrypted password
response."
So, it should not be related to ntlm_auth, but only the Samba guys know
this exactly.

> Adding that option makes all the difference with our setup - with
> it wbinfo -a works perfectly, without it we see the same error squid is
> getting.
> Here is a copy of the error message again:
> [2005/11/08 15:16:36, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
> Got user=[IANB] domain=[MASTERMIND] workstation=[IANB] len1=24 len2=24
> [2005/11/08 15:16:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
> Login for user [MASTERMIND]\[IANB]@[IANB] failed due to [Wrong Password]
> If we however turn off the option in AD (i.e. let it allow all authentication
> types), this doesn't happen, but I am assuming that is because it isn't
> using NTLMv2 then and only NTLM?

Really I don't know if Samba works correctly in an NTLMv2-only
environment, but I'm sure that NTLMv2 works fine in the Squid Windows
port using "use_ntlm_negotiate on", your domain settings and a
native Windows NTLM authentication helper.
So, I think that your problems should be related to Samba.
Regards
Guido
-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@xxxxxxxxxxxxxxxxx
WWW: http://www.acmeconsulting.it/
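
Added example, not part of the original message or of Squid/Samba code: a small Python decoder for the base64 Type 3 message a client sends in the Proxy-Authorization: NTLM header, following the message layout in the Davenport document linked above. It assumes that len1 and len2 in the Samba log line are the LM and NTLM response lengths; the function names and the sample tokens are constructed for illustration.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"

def read_buf(msg, field_off):
    """Return the bytes a Type 3 security buffer (len, alloc, offset) points to."""
    length, _alloc, start = struct.unpack_from("<HHI", msg, field_off)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length]

def classify_type3(b64_token):
    """Decode a base64 Type 3 message; report response lengths and variant."""
    msg = base64.b64decode(b64_token)
    if len(msg) < 52 or msg[:8] != SIG or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP Type 3 message")
    lm, nt = read_buf(msg, 12), read_buf(msg, 20)
    if len(nt) > 24:
        variant = "NTLMv2"                   # 16-byte HMAC-MD5 + variable blob
    elif len(nt) == 24 and len(lm) == 24 and lm[8:] == bytes(16):
        variant = "NTLM2 session response"  # LM field = 8-byte nonce + 16 zeros
    elif len(nt) == 24:
        variant = "NTLMv1"
    else:
        variant = "unknown"
    return {"len1": len(lm), "len2": len(nt), "variant": variant}

def build_type3(lm, nt, domain=b"MASTERMIND", user=b"IANB", host=b"IANB"):
    """Constructed sample builder (OEM strings, no session key or flags field)."""
    fields, data, off = b"", b"", 52         # 8 sig + 4 type + 5 * 8 buffers
    for part in (lm, nt, domain, user, host):
        fields += struct.pack("<HHI", len(part), len(part), off)
        data += part
        off += len(part)
    return base64.b64encode(SIG + struct.pack("<I", 3) + fields + data).decode()

if __name__ == "__main__":
    # Constructed filler bytes, not real credentials or captured traffic.
    samples = {
        "24/24 (lengths as in the log)": build_type3(b"\x11" * 24, b"\x22" * 24),
        "NTLM2 session": build_type3(b"\x33" * 8 + bytes(16), b"\x22" * 24),
        "NTLMv2": build_type3(b"\x44" * 24, b"\x55" * 16 + b"\x01\x01" + bytes(42)),
    }
    for name, token in samples.items():
        print(name, "->", classify_type3(token))
```

A result with len2=24 means the NTLM response field is too short to hold an NTLMv2 response, which is useful to confirm on the wire before changing the domain policy or smb.conf.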