Re: ntlm_auth Negotiate support

From: Guido Serassio <guido.serassio@dont-contact.us>
Date: Mon, 31 Jul 2006 19:22:17 +0200

Hi Andrew,

At 00.25 31/07/2006, Andrew Bartlett wrote:

>On Sun, 2006-07-30 at 21:03 +0200, Guido Serassio wrote:
> > Hi Andrew,
> >
> > I have a question for the Samba team.
> >
> > The current STABLE Squid version (2.6) supports the Negotiate
> > authentication schema, but for now it can be used only when running
> > on native Windows, because Samba 3 ntlm_auth doesn't provide such support.
> >
> > Is there any expectation about adding this support to Samba 3, or do we
> > need to wait a long time for Samba 4?
> >
> > There are already many requests about this from Squid users.
>
>Actually, the Samba3 code may well work, if it can read the keytab or
>secrets.tdb.

It fails with this log:

[2006/07/31 19:14:09, 10] utils/ntlm_auth.c:manage_squid_request(1616)
   Got 'YR
   Bsecrets_named_mutex: got mutex for replay cache mutex
[2006/07/31 19:14:09, 10] utils/ntlm_auth.c:manage_squid_request(1616)
   Got 'YR
[2006/07/31 19:14:09, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [18] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:09, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [17] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:09, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [16] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:09, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [23] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:09, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [1] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:09, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [3] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:09, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [2] failed to decrypt with
error Invalid message type
   Bsecrets_named_mutex: got mutex for replay cache mutex
[2006/07/31 19:14:09, 10] passdb/secrets.c:secrets_named_mutex_release(790)
   secrets_named_mutex: released mutex for replay cache mutex
[2006/07/31 19:14:09, 3] libads/kerberos_verify.c:ads_verify_ticket(403)
   ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2006/07/31 19:14:09, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [18] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:09, 10] utils/ntlm_auth.c:manage_squid_request(1616)
   Got 'YR
[2006/07/31 19:14:10, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [17] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:10, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [16] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:10, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [23] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:10, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [1] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:10, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [3] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:10, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [2] failed to decrypt with
error Invalid message type
   Bsecrets_named_mutex: got mutex for replay cache mutex
[2006/07/31 19:14:10, 10] passdb/secrets.c:secrets_named_mutex_release(790)
   secrets_named_mutex: released mutex for replay cache mutex
[2006/07/31 19:14:10, 3] libads/kerberos_verify.c:ads_verify_ticket(403)
   ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2006/07/31 19:14:10, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [18] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:10, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [17] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:10, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [16] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:10, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [23] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:10, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [1] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:10, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [3] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:10, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(263)
   ads_secrets_verify_ticket: enc type [2] failed to decrypt with
error Invalid message type
[2006/07/31 19:14:10, 10] passdb/secrets.c:secrets_named_mutex_release(790)
   secrets_named_mutex: released mutex for replay cache mutex
[2006/07/31 19:14:10, 3] libads/kerberos_verify.c:ads_verify_ticket(403)
   ads_verify_ticket: krb5_rd_req with auth failed (Success)

Samba was Debian package 3.0.23 from samba.org.

The machine is an ADS member of a 2003 AD domain, and with ntlm it works fine.
secrets.tdb is rw for squid group (without this I can see errors
about the file access).

Let me know if you need more info.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Mon Jul 31 2006 - 11:22:36 MDT
