Bugzilla #610 and NTLM in Squid 2.5 from Serassio Guido on 2003-05-11 (squid-dev)

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Sun, 11 May 2003 16:04:14 +0200

Hi,

I have made some testing about bug #610 and LM/NTLM support.

The test environment was:

- NT 4 SP6a DC used also as client
- Squid 2.5 on Debian 3.0 running Samba 2.2.8a with Winbindd
- Windows 95 client

I have changed the LM/NTLM/NTLMv2 working mode on DC and 95 client using
the following KB articles as reference:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;147706
http://support.microsoft.com/default.aspx?scid=kb;en-us;239869

The attached table reassume all the test.

The significative results are:

- Windows 95 clients can work only on LM or NTLMv2 mode, NTLM mode is not
supported by design. NTLMv2 must be enabled setting LMCompatibility=3 after
AD Client installation.
- Windows NT 4 SP4 clients and later can work on any mode.

- both wb_ntlmauth and ntlm_auth (SMB) works fine in LM mode
- current ntlm_auth (SMB) don't work in client NTLM mode
(LMCompatibilityLevel = 2) without #610 patches (only on NT or later)
- ntlm_auth (SMB) with patch #610 works fine with Windows 95 client (LM mode)
- current wb_ntlmauth DON'T WORK in client NTLM mode (LMCompatibilityLevel
= 2).
- current wb_ntlmauth DON'T WORK in DC NTLM mode (LMCompatibilityLevel =
4), the following is a significative log fragment:

(wb_ntlmauth)[1580](wb_ntlm_auth.c:292): Got 'KK
TlRMTVNTUAADAAAAGAAYAFMAAAA8ADwAawAAAAIAAgBAAAAADQANAEIAAAAEAAQATwAAAAAAAACnAAAAAoIBAFNHQURNSU5JU1RSQVRPUlZFR0Gg/OsOTYUep9krL44cOzXt5w2SptkhE8C9KXKOjanFDrrxBZq2KS20AQEAAAAAAAC0fr+1nxfDAecNkqbZIRPASFwUAAIABABTAEcAAAAAAAAAAAA='
from squid.
(wb_ntlmauth)[1580](wb_ntlm_auth.c:234): nthash len = 60
(wb_ntlmauth)[1580](wb_ntlm_auth.c:60): sending 'NA SG\ADMINISTRATOR auth
failure because: Broken NT hash response' to squid

- with the following patch wb_ntlmauth works in DC NTLM mode
(LMCompatibilityLevel = 4):

Index: helpers/ntlm_auth/winbind/wb_ntlm_auth.c
===================================================================
RCS file: /cvsroot/squid/squid/helpers/ntlm_auth/winbind/wb_ntlm_auth.c,v
retrieving revision 1.1.2.6
diff -u -p -r1.1.2.6 wb_ntlm_auth.c
--- helpers/ntlm_auth/winbind/wb_ntlm_auth.c 12 Feb 2003 03:21:01
-0000 1.1.2.6
+++ helpers/ntlm_auth/winbind/wb_ntlm_auth.c 11 May 2003 12:44:09 -0000
@@ -230,6 +230,10 @@ do_authenticate(ntlm_authenticate * auth
         memcpy(request.data.auth_crap.nt_resp, nthash.str, 24);
         request.data.auth_crap.nt_resp_len = 24;
         break;
+ case 60:
+ memcpy(request.data.auth_crap.nt_resp, nthash.str, 60);
+ request.data.auth_crap.nt_resp_len = 60;
+ break;
      default:
         debug("nthash len = %d\n", nthash.l);
         authfail(domain, user, "Broken NT hash response");

I don't know if the 24 value is correct or should be 60, or if both value
should be present.

So, it seems that the patch proposed in #610 is correct and that
wb_ntlmauth is affected by a similar problem plus another problem when
running with DC in NTLM mode.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l.
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426 Fax. : +39.011.3293665
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/

application/octet-stream attachment: NTLM_test.xls

Received on Sun May 11 2003 - 08:04:54 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:19:54 MST