
NTLMv2 issue caused by Samba's Winbind helper


Hi,

One of my customers has had issues with authenticating Vista machines when
using the Samba 2.0 winbind authenticator program in Squid. The NTLM
authenticator returned:
Login for user [YXXXXXXX]\[YXXXXXXX]@[YXXXXXXX] failed due to [Invalid parameter]

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

The issue is that the KK string sent by the client can, if the DNS name of
the AD domain is quite long, contain an NTLM response section >256 bytes,
which can't be copied into the buffer space in the external program. This is
only an issue if NTLMv2 authentication is the minimum negotiated with the
client (i.e. Vista default).

I ended up writing a hack in Squid's auth_ntlm.cc to trim the packet back as
some of the fields in the packet sent by IE are optional and could be
removed.
(http://linux-blog.project76.co.uk/archives/2008_10_01_archive.html)

This is caused by Samba - does anyone know if this will ever be fixed
properly?

Kind regards
Jamie Stallwood
 
--
Jamie Stallwood
Security Specialist
Imerja Ltd
 
jamie.stallwood@xxxxxxxxxx

Public Key: RSA/4096  31D0 4975 29BD CAB5 ABD5 5345 E8E2 7BBD 41FA DC77
Available from http://pgp.mit.edu:11371/ (0x41FADC77)
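
A diagnostic sketch for the condition described in the message above, added here as an example and not code from the post, Squid or Samba: it decodes a `KK` line, reads the NT response field of the NTLMSSP AUTHENTICATE message and reports whether it exceeds the 256 bytes the post mentions. The sample message and its host, user and domain names are constructed, the field layout is the one documented in MS-NLMP, and the function names are hypothetical.

```python
import base64
import struct

NT_RESPONSE_LIMIT = 256  # size above which the post reports the failure

def build_sample_kk(dns_domain, host="PC01", nb_domain="CORP", user="alice"):
    """Constructed AUTHENTICATE message with dummy hashes (not a capture)."""
    def av(av_id, text):
        raw = text.encode("utf-16-le")
        return struct.pack("<HH", av_id, len(raw)) + raw
    av_pairs = (av(2, nb_domain) + av(1, host) + av(4, dns_domain)
                + av(3, host.lower() + "." + dns_domain) + struct.pack("<HH", 0, 0))
    # NTLMv2 response: 16-byte proof, 28-byte blob header, then the AV pairs
    nt = bytes(16) + b"\x01\x01" + bytes(26) + av_pairs
    fields = [bytes(24), nt] + [s.encode("utf-16-le") for s in (nb_domain, user, host)] + [b""]
    header, payload, offset = b"NTLMSSP\x00" + struct.pack("<I", 3), b"", 64
    for field in fields:  # LM, NT, domain, user, workstation, session key
        header += struct.pack("<HHI", len(field), len(field), offset)
        payload += field
        offset += len(field)
    return "KK " + base64.b64encode(header + struct.pack("<I", 0) + payload).decode()

def nt_response_info(kk_line):
    """Report the NT response size carried by a squid-2.5-ntlmssp KK line."""
    verb, _, blob = kk_line.strip().partition(" ")
    if verb != "KK":
        raise ValueError("not a KK line")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 28 or msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    length, _, offset = struct.unpack_from("<HHI", msg, 20)  # NtChallengeResponse
    if offset + length > len(msg):
        raise ValueError("NT response field points outside the message")
    nt, names, pos = msg[offset:offset + length], {}, 44
    is_v2 = length > 24  # an NTLMv1 response is exactly 24 bytes
    while is_v2 and pos + 4 <= len(nt):
        av_id, av_len = struct.unpack_from("<HH", nt, pos)
        if av_id == 0:  # MsvAvEOL ends the list
            break
        if av_id <= 5:  # ids 1-5 are UTF-16LE names
            names[av_id] = nt[pos + 4:pos + 4 + av_len].decode("utf-16-le", "replace")
        pos += 4 + av_len
    return {"nt_len": length, "ntlmv2": is_v2, "dns_domain": names.get(4),
            "over_limit": length > NT_RESPONSE_LIMIT}

if __name__ == "__main__":
    for domain in ("corp.example", "engineering.emea.corporate-directory.example.com"):
        print(domain, nt_response_info(build_sample_kk(domain)))
```

The DNS domain name appears twice in the AV pairs (once alone, once inside the DNS computer name), each time as UTF-16LE, so every extra character in it adds four bytes to the NT response.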
 

