On Wed, 2013-08-07 at 15:57 +0600, Eugene M. Zheganin wrote:
> Hi.
>
> Samba-4.0.7
> FreeBSD 10.0-CURRENT
>
> Besides serving files I'm using Samba to authenticate users in the
> Windows AD with squid.
> After having issues with samba 3.6.16 I decided to see if samba4 would
> fit me better. I was surprised, but I found that Samba 4 is fully
> functional in my environment and is nearly production-ready.
>
> After that I tried to set up squid to use samba for NTLM authentication.
> I found something that may be a bug, but may also be a misconfiguration
> of some sort. In short, it doesn't work.
> To describe what's not working, I should say that in my configuration
> squid is authorizing a user in two stages:
> - ntlm_auth is authenticating the user
> - an external squid helper is authorizing the user's access to a URL using
>   the name supplied by ntlm_auth and the group membership information from the AD.
>
> It turns out that for some reason ntlm_auth authenticates the user just
> fine, but then it supplies squid with some sort of corrupted username:
>
> squid access log:
>
> 1375868558.129 1957 192.168.7.71 TCP_DENIED/403 2338 GET
> http://www.ru/rus/index.php ZZZZZZZZZZZZZZZZ%a0%92%03\r%08 HIER_NONE/- text/html
>
> This ZZZZ[...] is actually my username - 'emz', but it looks like it's
> authenticated by ntlm_auth. Squid also thinks that this username has
> just been authenticated, and tries to look up its group membership
> information.
>
> Squid cache log:
>
> support_member.cc(124): pid=12390 :2013/08/07 15:42:38|
> kerberos_ldap_group: INFO: User ZZZZZZZZZZZZZZZZâ.. . is not member of group@domain Internet Users - Crystal@NULL
>
> Considering that everything is fine when using samba 3.5.x, I suppose
> the answer is in the samba software.
> Is this some bug or a misconfiguration?
Certainly this looks like a missing NULL terminator, if it is as you describe.

Can you operate ntlm_auth manually (operate one ntlm_auth in client mode, another in squid-2.5-ntlmssp mode and copy the blobs back and forth), and demonstrate it? This will avoid all the complexity of squid, and help isolate the issue.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz
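The manual test Andrew asks for, written out as an added example (this is not code from the thread, from Samba or from squid). It drives one ntlm_auth in `ntlmssp-client-1` mode and one in `squid-2.5-ntlmssp` mode over pipes, shuttling the NTLMSSP type1/type2/type3 blobs between them using the squid helper protocol codes (YR/TT/KK/AF/NA/BH), and then vets the username in the final `AF` line the way the group helper never does: a name that reads past a missing terminator carries control or high bytes that are not valid UTF-8, exactly like the `ZZZZ...%a0%92%03\r%08` field in the access log. Assumptions: the `--helper-protocol`, `--username`, `--password` and `--domain` options are ntlm_auth's documented ones; whether the client side labels its type3 reply `KK` or `AF` varies, so both are accepted; the `decode_squid_log_user` helper assumes squid logged non-printables as `%XX` and CR as `\r`; `SAMPLE_LOG_USER` is a constructed copy of the log field. Passing the password on the command line is only for illustration. The live exchange runs only when ntlm_auth is on PATH and winbindd is working; the parsing and checking functions run offline.

```python
"""Hand-drive ntlm_auth (client mode vs squid-2.5-ntlmssp mode) and vet the
AF username. Added example, not code from the thread or from Samba; assumes
ntlm_auth's documented --helper-protocol/--username/--password/--domain flags."""
import re
import shutil
import subprocess

# Constructed sample, modelled on the user field of the squid access log above.
SAMPLE_LOG_USER = r"ZZZZZZZZZZZZZZZZ%a0%92%03\r%08"
HELPER_CODES = {"YR", "TT", "KK", "AF", "NA", "BH"}


def parse_helper_reply(line):
    """Split one helper-protocol line ('AF emz', 'TT <b64>', 'NA why') into (code, payload)."""
    code, _, payload = line.rstrip("\r\n").partition(" ")
    if code not in HELPER_CODES:
        raise ValueError("unexpected helper reply: %r" % line)
    return code, payload


def decode_squid_log_user(field):
    """Turn squid's rendering of the user field back into raw bytes.
    Assumption: non-printables were logged as %XX, CR/LF/TAB/backslash as C escapes."""
    c_escapes = {"r": 0x0D, "n": 0x0A, "t": 0x09, "\\": 0x5C}
    out, i = bytearray(), 0
    while i < len(field):
        ch = field[i]
        if ch == "%" and re.fullmatch(r"[0-9A-Fa-f]{2}", field[i + 1:i + 3]):
            out.append(int(field[i + 1:i + 3], 16))
            i += 3
        elif ch == "\\" and field[i + 1:i + 2] in c_escapes:
            out.append(c_escapes[field[i + 1]])
            i += 2
        else:
            out.extend(ch.encode("utf-8"))
            i += 1
    return bytes(out)


def username_looks_corrupt(name):
    """True when an AF username holds bytes no AD account name can contain.
    Reading past a missing NUL shows up as control/high bytes that are not UTF-8."""
    if not name or any(b < 0x20 or b == 0x7F for b in name):
        return True
    try:
        name.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def exchange(client, server):
    """Shuttle NTLMSSP blobs between a client-mode and a squid-mode helper.
    client/server expose text .stdin/.stdout; returns the server's final
    (code, payload): ('AF', 'user') on success, ('NA', reason) otherwise."""
    def ask(proc, msg):
        proc.stdin.write(msg + "\n")
        proc.stdin.flush()
        return parse_helper_reply(proc.stdout.readline())

    code, type1 = ask(client, "YR")            # client: 'YR <type1>'
    if code != "YR":
        return code, type1
    code, type2 = ask(server, "YR " + type1)   # server: 'TT <type2>'
    if code != "TT":
        return code, type2
    # Assumption: the client answers a TT with 'KK <type3>' (some builds say
    # 'AF <type3>'); either way the payload is the type3 blob.
    code, type3 = ask(client, "TT " + type2)
    if code not in ("KK", "AF"):
        return code, type3
    return ask(server, "KK " + type3)          # server: 'AF user' or 'NA ...'


def run_manual_test(user, password, domain):
    """Spawn both helpers (needs a joined host with winbindd) and vet the AF name."""
    if shutil.which("ntlm_auth") is None:
        raise SystemExit("ntlm_auth not on PATH; nothing to run")
    pipes = dict(stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                 encoding="utf-8", errors="surrogateescape")
    client = subprocess.Popen(
        ["ntlm_auth", "--helper-protocol=ntlmssp-client-1", "--username=" + user,
         "--password=" + password, "--domain=" + domain], **pipes)
    server = subprocess.Popen(
        ["ntlm_auth", "--helper-protocol=squid-2.5-ntlmssp"], **pipes)
    try:
        code, payload = exchange(client, server)
    finally:
        for proc in (client, server):
            proc.stdin.close()
            proc.wait(timeout=5)
    if code == "AF":
        raw = payload.encode("utf-8", "surrogateescape")  # the bytes as sent
        print("AF username %r -> %s" % (
            payload, "CORRUPT" if username_looks_corrupt(raw) else "ok"))
    else:
        print("helper refused: %s %s" % (code, payload))
    return code, payload


if __name__ == "__main__":
    import sys
    run_manual_test(*sys.argv[1:4])
```

Run it as `python3 ntlm_roundtrip.py emz '<password>' DOMAIN` on the squid host. An `AF` line whose name is flagged CORRUPT reproduces the problem with squid out of the picture; an `NA` line means the NTLMSSP exchange itself failed and the username corruption is not yet reached.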
