Jamie Stallwood wrote:
Hi, One of my customers has had issues with authentication Vista machines when using the Samba 2.0 winbind authenticator program in Squid. The NTLM authenticator returned: Login for user [YXXXXXXX]\[YXXXXXXX]@[YXXXXXXX] failed due to [Invalid parameter] auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp The issue is that the KK string sent by the client can, if the DNS name of the AD domain is quite long, contain an NTLM response section >256 bytes, which can't be copied into the buffer space in the external program. This is only an issue if NTLMv2 authentication is the minimum negotiated with the client (i.e. Vista default). I ended up writing a hack in Squid's auth_ntlm.cc to trim the packet back as some of the fields in the packet sent by IE are optional and could be removed. (http://linux-blog.project76.co.uk/archives/2008_10_01_archive.html) This is caused by Samba - does anyone know if this will ever be fixed properly?
The Kerberos 'KK' buffers were expanded to 32KB in 3.0stable10 and 2.7stable5.
The squid bundled Kerberos helper was updated to version 1.0.3 starting with the squid 3.1. Not sure about its current status in 2.x.
Amos -- Please be using Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10 Current Beta Squid 3.1.0.1
