
0001611: NTLMv2 auth working - MantisBT Endian Bugtracker
Endian Issue Tracker
ID: 0001611
Project: Endian Firewall
Category: Proxy HTTP
View Status: public
Date Submitted: 2009-02-23 13:31
Last Update: 2009-10-27 11:59
Reporter: bonald
Assigned To: simon-endian
Priority: normal
Severity: tweak
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2.2-rc3
Target Version:
Fixed in Version: 2.3
Summary: 0001611: NTLMv2 auth working
Description
I got NTLMv2 (Send NTLMv2 Response Only, Vista default) working.

I added the line "NTLMv2 auth = yes"
in smb.conf

and in "Common domain settings" in the "Proxy Authentication page",
"Domain" field, I changed my setting from "domain.local" to only "domain".

Tags: No tags attached.
Attached Files

- Relationships

-  Notes
(0001994)
bonald (reporter)
2009-02-24 14:33

I was half wrong. It's working with firefox now, but with IE same thing.
winbindd_pam_auth_crap: invalid password length 24/282 in /var/log/samba/log.wb-DOMAIN
(0002092)
ra-endian (administrator)
2009-04-01 08:06

maybe these settings are working (not tested):

If you'd like to force NTLMv2 authentication, these settings in your
smb.conf could help:
ntlm auth = Yes
client NTLMv2 auth = Yes
min protocol = LANMAN2
max protocol = NT1

I also put these:
client lanman auth = No
client plaintext auth = No
use spnego = Yes
client use spnego = Yes
(0002180)
simon-endian (developer)
2009-04-21 09:14

- samba 3.0.24 starts with these settings
- auth with firefox on mac still works
- auth on vista with ntlmv2 negotiated still works
- auth on vista with ntlmv2 forced in testing
(0002201)
simon-endian (developer)
2009-04-24 09:19

worked for me with samba 3.2.10 + vista (ntlmv2 set to required)
(0002202)
simon-endian (developer)
2009-04-24 09:20

waiting for feedback from massi
(0002210)
bonald (reporter)
2009-04-27 12:46

How can I update manually to samba 3.2.10 ?
(0002246)
simon-endian (developer)
2009-05-04 13:28

tested with
- w2k3 and vista (worked)
- w2k3 and windows xp (worked)
- w2k8 and windows xp (worked)
- w2k8 and vista (worked)

still need to test on 2.2 efw
(0002248)
bonald (reporter)
2009-05-04 16:40

simon, can you contact me? I would really like to test that.
(0002249)
simon-endian (developer)
2009-05-05 06:53
edited on: 2009-05-05 06:56

hi,

I posted samba and samba common version 3.2.10 for you to test.
To install them, you need to upload them onto your efw (for example with scp)
and execute this command in the directory containing these files:

rpm -U samba-3.2.10-1.endian3.i586.rpm samba-common-3.2.10-1.endian3.i586.rpm

I am not sure, but I think you will also need to patch /etc/smb/smb.conf.tmpl
to test. Just add these lines, if ntlmv2 does not work (like mentioned in the first post):

ntlm auth = Yes
client NTLMv2 auth = Yes
min protocol = LANMAN2
max protocol = NT1

client lanman auth = No
client plaintext auth = No
use spnego = Yes
client use spnego = Yes

(0002250)
bonald (reporter)
2009-05-05 13:46

I got an update in my email today, but there's nothing here.

the patch disappeared ...
(0002252)
simon-endian (developer)
2009-05-05 14:02

sorry for that. I had to make the post private, because I was not able to upload the files because of their size.

you can now download them by running:

curl http://bugfixes.endian.com/samba-3.2.10/install | sh

on your efw. this will download and install the samba rpms.
(0002254)
bonald (reporter)
2009-05-05 14:32

I can join the domain successfully but when I go on the Group Policies tab, here's what I got.

CanĀ“t find the ldap server. Is the PDC listed in the Custom nameserver list? Is the PDC listed in the Host list? Is the Authentication realm set to the correct value?
(0002255)
simon-endian (developer)
2009-05-05 14:34

did you run

ldconfig

to fix the first problem?
(0002256)
simon-endian (developer)
2009-05-05 14:34

please give me the output of

wbinfo -t

and

wbinfo -g
(0002257)
bonald (reporter)
2009-05-05 14:37

Oh I see. It's winbind that fails to start.
invalid permissions on socket directory /var/cache/samba/winbindd_privileged
(0002258)
simon-endian (developer)
2009-05-05 14:40

there is an easy fix for this:

chgrp squid /var/cache/samba/winbindd_privileged
chmod g+rx /var/cache/samba/winbindd_privileged
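The two commands above restore the layout winbindd expects for its privileged socket directory: group-owned by the proxy helper's group and group-readable, but closed to everyone else. The following check is an added example written for this page, not Samba's or Endian's code; it reports deviations from that layout rather than changing anything, and the demo() function exercises it on a constructed temporary directory (using the caller's own gid as a stand-in for the squid group) so it runs without a real winbindd.

```python
"""Permission check for winbindd's privileged socket directory (added example)."""
import os
import stat
import tempfile


def check_privileged_dir(path, helper_gid):
    """Return a list of problems; an empty list means the layout is acceptable.

    Expected layout: a directory whose group is the helper's group (helper_gid),
    with group r-x so the helper can reach the socket, and no access for others.
    """
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist" % path]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    mode = stat.S_IMODE(st.st_mode)
    if st.st_gid != helper_gid:
        problems.append("group is gid %d, expected %d (chgrp)" % (st.st_gid, helper_gid))
    if mode & (stat.S_IRGRP | stat.S_IXGRP) != (stat.S_IRGRP | stat.S_IXGRP):
        problems.append("group lacks r-x, helper cannot reach the socket (chmod g+rx)")
    if mode & stat.S_IRWXO:
        problems.append("others have access (mode %s); chmod o-rwx" % oct(mode))
    return problems


def demo():
    """Run the check against a constructed temporary directory in four states."""
    path = tempfile.mkdtemp()       # constructed stand-in for winbindd_privileged
    gid = os.stat(path).st_gid      # assumption: treat our own group as the helper's group
    results = {}
    os.chmod(path, 0o750)           # the layout the thread's two commands produce
    results["correct"] = check_privileged_dir(path, gid)
    os.chmod(path, 0o755)           # world-readable: too open
    results["world_readable"] = check_privileged_dir(path, gid)
    os.chmod(path, 0o700)           # group locked out: the symptom from the thread
    results["group_locked_out"] = check_privileged_dir(path, gid)
    results["wrong_group"] = check_privileged_dir(path, gid + 1)
    os.rmdir(path)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```

On a real system call check_privileged_dir("/var/cache/samba/winbindd_privileged", grp.getgrnam("squid").gr_gid) from the standard library's grp module; the path is the one from the thread and the group name is whatever the proxy helper actually runs as.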
(0002259)
bonald (reporter)
2009-05-05 14:45

That fixed the group thing, but now in cache.log I get cache_denied.

Use of uninitialized value in concatenation (.) or string at /usr/lib/squid/wbinfo_group.pl line 96, <STDIN> line 26.
Use of uninitialized value in concatenation (.) or string at /usr/lib/squid/wbinfo_group.pl line 97, <STDIN> line 26.
(0002261)
simon-endian (developer)
2009-05-05 14:55
edited on: 2009-05-05 14:55

can you try to remove the efw from the ad domain (on the ad server) and send me the output of

net ads join -d 10 -U <adminusername>%<password>

(0002264)
bonald (reporter)
2009-05-05 14:59

Now I can't rejoin the domain...
log.smbd

[2009/05/05 11:57:11, 1] lib/util_unistr.c:load_case_tables(110)
  creating lame upcase table
[2009/05/05 11:57:11, 1] lib/util_unistr.c:load_case_tables(125)
  creating lame lowcase table
[2009/05/05 11:57:11, 0] smbd/server.c:main(1210)
  smbd version 3.2.10-1.endian3 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2009
[2009/05/05 11:57:11, 0] libads/kerberos.c:ads_kinit_password(356)
  kerberos_kinit_password ENDIAN$@CSDESILES.QC.CA failed: Preauthentication failed
[2009/05/05 11:57:11, 0] printing/nt_printing.c:nt_printing_init(664)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
(0002265)
simon-endian (developer)
2009-05-05 15:00

which version of windows server do you use?
(0002266)
bonald (reporter)
2009-05-05 15:01

Windows 2003 R2
(0002267)
bonald (reporter)
2009-05-05 15:06

On my domain controller, this is what I have in my security log.

Pre-authentication failed:
     User Name: ENDIAN$
     User ID: DOMAIN\ENDIAN$
     Service Name: krbtgt/DOMAIN.COM
     Pre-Authentication Type: 0x0
     Failure Code: 0x19
     Client Address: x.x.x.x

Pre-authentication failed:
     User Name: ENDIAN$
     User ID: DOMAIN\ENDIAN$
     Service Name: krbtgt/DOMAIN.COM
     Pre-Authentication Type: 0x2
     Failure Code: 0x18
     Client Address: 10.128.0.125
(0002268)
simon-endian (developer)
2009-05-05 15:09

currently I am busy with other stuff.

I will try this later or tomorrow and give you feedback as soon as I know more.
(0002269)
bonald (reporter)
2009-05-05 15:15

root@endian:/var/log/samba # net ads join -U administrator
Enter administrator's password:
Failed to join domain: Invalid configuration and configuration modification was not requested
root@endian:/var/log/samba # wbinfo --verbose -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret
(0002270)
bonald (reporter)
2009-05-05 15:16

The previous error is what I get if I manually create the computer account in AD.

This is the error I have if I try to join the domain with no computer account in AD.

checking the trust secret via RPC calls failed
error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc000018b)
Could not check secret
(0002272)
bonald (reporter)
2009-05-05 17:44

ok I've made some modifications to smb.conf and now wbinfo -t -u -g works fine.

but auth is not working with squid. The problem seems to be with wbinfo_group.pl

root@endian:/usr/lib/squid # perl wbinfo_group.pl -d
Debugging mode ON.
domain\user
Got domain\user from squid
Use of uninitialized value in concatenation (.) or string at wbinfo_group.pl line 96, <STDIN> line 1.
Sending to squid
Use of uninitialized value in concatenation (.) or string at wbinfo_group.pl line 97, <STDIN> line 1.
(0002273)
simon-endian (developer)
2009-05-05 17:47

can you post your current smb.conf?
I will debug this issue tomorrow.
(0002274)
bonald (reporter)
2009-05-05 17:55
edited on: 2009-05-05 17:56

workgroup = domain
password server = dc1 dc2
security = ADS
realm = DOMAIN.COM
netbios name = endian
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = Yes
winbind separator = +
client use spnego = yes
use kerberos keytab = yes

(0002275)
bonald (reporter)
2009-05-05 18:04

it works if I do it like this

root@endian:/usr/lib/squid # ./wbinfo_group.pl -d
Debugging mode ON.
domain+user group
Got domain+user group from squid
User: -domain+user-
Group: -group-
SID: -S-1-5-21-1229272341-1957994488-725345543-1623-
GID: -10010-
Sending OK to squid
OK
(0002278)
bonald (reporter)
2009-05-06 01:17
edited on: 2009-05-06 01:29

ok. I found out that it was not working because I had a space in my group name.
I found this website that has a wbinfo_group.pl mod. (http://blog.harlekwin.co.uk/2008/12/10/how-to-squid-ad-authentication/print/)

Now wbinfo_group.pl works but ...
in cache.log I have a new bug!

Got user1 from squid
Could not convert sid S-1-5-21-1229272821-1957994488-725345543 to gid
User: -user1-
Group: --
SID: -S-1-5-21-1229272821-1957994488-725345543-
GID: --
Sending ERR to squid

squid is not sending group information to wbinfo_group.pl, it only sends the username. That's why I have this error.

This is what it should send to the script. user1 group1

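The two failure modes reported in this note are a whitespace split that turns a group name containing a space into two tokens, and a request line that carries a user but no group. Squid's external ACL interface passes one request per line as whitespace-separated fields and percent-encodes characters that would otherwise break that split (a space becomes %20), so a helper has to decode each field after splitting and must refuse when no group was supplied. The helper below is an added example written for this page, not the wbinfo_group.pl shipped with Squid and not Endian's code; MEMBERSHIP and lookup_groups are constructed stand-ins for the wbinfo lookup so it runs offline, and it answers ERR for anything it cannot positively confirm.

```python
"""Minimal Squid external ACL group helper (added example, not Squid's wbinfo_group.pl)."""
import sys
from urllib.parse import unquote

# Constructed sample data standing in for winbind: user -> set of group names.
MEMBERSHIP = {
    "domain+user": {"group", "Domain Users"},
    "user1": {"group1"},
}


def lookup_groups(user):
    """Return the user's groups (assumption: stand-in for a wbinfo group lookup)."""
    return MEMBERSHIP.get(user, set())


def parse_request(line):
    """Split one helper request line into (user, [groups]).

    Fields are split on whitespace first and percent-decoded afterwards, so a
    group sent as Domain%20Users survives as the single name "Domain Users".
    """
    tokens = [unquote(t) for t in line.rstrip("\r\n").split()]
    if not tokens:
        return None, []
    return tokens[0], tokens[1:]


def decide(line):
    """Return 'OK' or 'ERR' for one request line, failing closed on malformed input."""
    user, groups = parse_request(line)
    if user is None or not groups:
        # The symptom from the thread: a bare username with no group to check.
        # Answering ERR here keeps a misconfigured ACL from granting access.
        return "ERR"
    member_of = lookup_groups(user)
    if any(group in member_of for group in groups):
        return "OK"
    return "ERR"


def main():
    # Squid keeps the helper running and reads one answer per request line.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Sending "domain+user Domain Users" unencoded yields ERR, because the helper correctly sees two groups named "Domain" and "Users", neither of which exists; the encoded form "domain+user Domain%20Users" yields OK. That difference is exactly what a helper that never decodes, or that decodes before splitting, gets wrong.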
(0002280)
bonald (reporter)
2009-05-06 01:50
edited on: 2009-05-06 02:13

Arrgh! It was my fault from the start.
Don't know why, but in Group Policies all my groups were disabled!
Now I've just enabled them and it works. No need to patch wbinfo_group.pl

(0002281)
bonald (reporter)
2009-05-06 01:53
edited on: 2009-05-06 01:53

oh and the most important thing is that it fixed the ntlmv2 bug.
thanks for that :)

(0002282)
bonald (reporter)
2009-05-06 02:06

I also removed these lines from krb5.conf.tml
 default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

Can't remember why, but I think I had an error logged in smb.log about an invalid krb5.conf

- Issue History
Date Modified Username Field Change
2009-02-23 13:31 bonald New Issue
2009-02-23 13:31 bonald Assigned To => simon-endian
2009-02-24 14:33 bonald Note Added: 0001994
2009-04-01 08:06 ra-endian Note Added: 0002092
2009-04-21 09:14 simon-endian Note Added: 0002180
2009-04-24 09:19 simon-endian Note Added: 0002201
2009-04-24 09:20 simon-endian Note Added: 0002202
2009-04-27 12:46 bonald Note Added: 0002210
2009-05-04 13:28 simon-endian Note Added: 0002246
2009-05-04 13:28 simon-endian Status new => feedback
2009-05-04 16:40 bonald Note Added: 0002248
2009-05-05 06:53 simon-endian Note Added: 0002249
2009-05-05 06:56 simon-endian Note Edited: 0002249
2009-05-05 07:30 simon-endian Note View State: 2249: private
2009-05-05 13:46 bonald Note Added: 0002250
2009-05-05 13:59 simon-endian Note View State: 2249: public
2009-05-05 14:02 simon-endian Note Added: 0002252
2009-05-05 14:30 bonald Note Added: 0002253
2009-05-05 14:32 bonald Note Added: 0002254
2009-05-05 14:34 simon-endian Note Added: 0002255
2009-05-05 14:34 simon-endian Note Added: 0002256
2009-05-05 14:37 bonald Note Added: 0002257
2009-05-05 14:40 simon-endian Note Added: 0002258
2009-05-05 14:45 bonald Note Added: 0002259
2009-05-05 14:47 bonald Note Added: 0002260
2009-05-05 14:55 simon-endian Note Added: 0002261
2009-05-05 14:55 simon-endian Note Edited: 0002261
2009-05-05 14:59 bonald Note Added: 0002264
2009-05-05 15:00 simon-endian Note Added: 0002265
2009-05-05 15:01 bonald Note Added: 0002266
2009-05-05 15:06 bonald Note Added: 0002267
2009-05-05 15:09 simon-endian Note Added: 0002268
2009-05-05 15:15 bonald Note Added: 0002269
2009-05-05 15:16 bonald Note Added: 0002270
2009-05-05 17:44 bonald Note Added: 0002272
2009-05-05 17:47 simon-endian Note Added: 0002273
2009-05-05 17:55 bonald Note Added: 0002274
2009-05-05 17:56 bonald Note Edited: 0002274
2009-05-05 18:04 bonald Note Added: 0002275
2009-05-05 18:10 bonald Note Added: 0002276
2009-05-06 00:39 bonald Note Added: 0002277
2009-05-06 01:17 bonald Note Added: 0002278
2009-05-06 01:23 bonald Note Added: 0002279
2009-05-06 01:27 bonald Note Deleted: 0002279
2009-05-06 01:27 bonald Note Deleted: 0002253
2009-05-06 01:28 bonald Note Deleted: 0002260
2009-05-06 01:29 bonald Note Edited: 0002278
2009-05-06 01:30 bonald Note Deleted: 0002277
2009-05-06 01:30 bonald Note Deleted: 0002276
2009-05-06 01:50 bonald Note Added: 0002280
2009-05-06 01:53 bonald Note Added: 0002281
2009-05-06 01:53 bonald Note Edited: 0002281
2009-05-06 02:06 bonald Note Added: 0002282
2009-05-06 02:13 bonald Note Edited: 0002280
2009-09-03 17:30 peter-endian Status feedback => resolved
2009-09-03 17:30 peter-endian Fixed in Version => 2.3
2009-09-03 17:30 peter-endian Resolution open => fixed
2009-10-27 11:59 peter-endian Status resolved => closed
