ntlm_auth question

From: Laurent DOMENECH <ldomenech@dont-contact.us>
Date: Wed, 29 Aug 2007 12:38:07 +0200

Hello,

I have a question regarding a section of the ntlm_auth.c file.
The problem I have happens using the ntlm_auth utility with the
squid-2.5-ntlmssp helper. After reading and searching I thought this was
the best place to get an informed response. If not, please forgive me and
discard this message.

Background:
- Apache 2 server running on Fedora 4, samba version 3.0.14a-2
- Computer is a member of the domain (security = ADS)
- The authentication seems to work fine, I can access shares, wbinfo -u/-g
  returns a valid output, etc.

The authentication is enabled in Apache using: NTLMAuthHelper
"/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp".

What happens is the page fails to load in IE with a 401 error.

In the log, this is what I have:
[Tue Aug 28 11:40:50 2007] [debug] mod_auth_ntlm_winbind.c(1018): [client
192.168.20.92] doing ntlm auth dance
[Tue Aug 28 11:40:50 2007] [debug] mod_auth_ntlm_winbind.c(482): [client
192.168.20.92] Launched ntlm_helper, pid 25990
[Tue Aug 28 11:40:50 2007] [debug] mod_auth_ntlm_winbind.c(652): [client
192.168.20.92] creating auth user
[Tue Aug 28 11:40:50 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
192.168.20.92] parsing reply from helper to YR TlRMT (reply shortened)
URPUkU=\n
[2007/08/28 11:40:51, 10] utils/ntlm_auth.c:manage_squid_request(1610)
  Got 'YR (request shortened) PUkU=' from squid (length: 83).
[2007/08/28 11:40:51, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(588)
  got NTLMSSP packet:
[2007/08/28 11:40:51, 10] lib/util.c:dump_data(2017)
        (dump removed)
[2007/08/28 11:40:51, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0xa208b207
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_NEGOTIATE_OEM
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED
    NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_NTLM2
    NTLMSSP_NEGOTIATE_128
[Tue Aug 28 11:40:51 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
192.168.20.92] got response: TT TlRMTV (response shortened) QBuAAAAAAA=
[Tue Aug 28 11:40:51 2007] [debug] mod_auth_ntlm_winbind.c(411): [client
192.168.20.92] sending back TlRM (response shortened) AAAAA=
[2007/08/28 11:40:51, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(598)
  NTLMSSP challenge

I have started looking at the code and the last line of the log suggests
that the ntlmssp_update() call inside manage_squid_ntlmssp_request() of
utils/ntlm_auth.c is returning nt_status =
NT_STATUS_MORE_PROCESSING_REQUIRED. From there, the authentication seems
to stop.

Is it normal for the process to stop when this status is returned?
Shouldn't there be additional processing?
Is there a way to alter the helper so that it uses a "simpler" version of
the ntlm authentication? (I have tried the basic helper with no luck).

Any help will be greatly appreciated. Thanks in advance.

---
Laurent
Received on Wed Aug 29 2007 - 17:01:25 MDT
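
Added example (not part of the original message and not Samba or Squid code): a small decoder for the helper lines and NTLMSSP tokens seen in the log above. In the squid-2.5-ntlmssp helper protocol, YR carries the client's type 1 (negotiate) token and TT returns the type 2 (challenge); the KK, AF, NA and BH verbs come from the Squid helper protocol rather than from this log. The tokens are constructed, reusing only the neg_flags value 0xa208b207 from the log, and flag bit values are taken from MS-NLMP.

```python
import base64
import struct

# Bit values per MS-NLMP. The first nine are the names the Samba log on this
# page prints; the last two bits are set in 0xa208b207 but not named there.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00001000: "NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}  # offset of the flags field per message type

def decode_token(b64):
    """Return (message_type, flags or None) for a base64 NTLMSSP token."""
    raw = base64.b64decode(b64)
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    off = FLAGS_OFFSET.get(msg_type)
    if off is None or len(raw) < off + 4:
        return msg_type, None
    return msg_type, struct.unpack_from("<I", raw, off)[0]

def flag_names(flags):
    """Names of the set bits, lowest bit first, plus any bits not in the table."""
    known = [n for bit, n in sorted(NTLMSSP_FLAGS.items()) if flags & bit]
    rest = flags & ~sum(NTLMSSP_FLAGS)
    return known + ([f"unknown:0x{rest:08x}"] if rest else [])

def trace(lines):
    """Summarise helper-protocol lines as (verb, NTLMSSP message type or None)."""
    out = []
    for line in lines:
        verb, _, payload = line.strip().partition(" ")
        token = payload if verb in ("YR", "KK", "TT") else None  # AF/NA/BH carry text
        out.append((verb, decode_token(token)[0] if token else None))
    return out

# Constructed sample tokens (not the shortened ones from the log above).
_t1 = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<II", 1, 0xA208B207)).decode()
_t2 = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<IHHII", 2, 0, 0, 48, 0xA2088205) + bytes(24)).decode()
SAMPLE = [f"YR {_t1}", f"TT {_t2}"]
```

trace(SAMPLE) reports a type 1 token on the YR line and a type 2 token on the TT line, which is the same point the log above reaches at "NTLMSSP challenge".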