From: Frank Matthieß
Hi all,

Please CC me, I'm not on the list.

Second: all the information findable via Google about problems setting up
ntlm_auth for squid with winbind has been read and checked more than
three times.

After breaking a running setup under Debian squeeze, I went back to Debian
lenny to circumvent the actual MIT Kerberos problem [1].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977#57

Now I face the problem that no ntlm_auth version [2] authenticates against
the running W2K3 AD. Winbind runs correctly. wbinfo -g|-u|-t runs quite
well.

[2] samba-* 2:3.4.3-1~bpo50+2
sernet-* 3.4.5-27

To get the most stable Samba version, I got the packages from www.backports.org,
including the 2.6.30 kernel package.

The used configuration is copied from the formerly running machine.

Doing this on the shell will get this result:
~# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='SWB+Internetbenutzer'
SWB\user mypassword
[2010/02/11 08:51:14, 1] utils/ntlm_auth.c:802(manage_squid_ntlmssp_request)
BH NTLMSSP query invalid

Here is a list of information about the system with the problem:

debian_version 5.0.4
with linux-image from backports.org
with sernet-samba packages from http://ftp.sernet.de/pub/samba/experimental/debian

ii sernet-libwbclient0 3.4.5-27 client library for interfacing with winbind service
ii sernet-samba 3.4.5-27 a LanManager-like file and printer server for Unix
ii sernet-samba-common 3.4.5-27 Samba common files used by both the server and the
ii sernet-samba-keyring 1.1 GnuPG archive keys of the SerNet Samba archive
ii sernet-winbind 3.4.5-27 service to resolve user and group information from


ii squid 2.7.STABLE7-1~bpo50+1 Internet object cache (WWW proxy cache)
ii squid-common 2.7.STABLE7-1~bpo50+1 Internet object cache (WWW proxy cache) - co
ii squid-langpack 20090921-2~bpo50+1 Localized error pages for Squid

ii linux-image-2.6.30-bpo.2-686 2.6.30-8~bpo50+2 Linux 2.6.30 image on PPro/Celeron/PII/PIII/



getent passwd:
proxy:x:13:13:proxy:/bin:/bin/sh

getent group:
proxy:x:13:
winbindd_priv:x:104:proxy

ls -ld /var/lib/samba/winbindd_privileged
drwxr-x--- 2 root winbindd_priv 4096 10. Feb 14:55 /var/lib/samba/winbindd_privileged
ls -ld /var/lib/samba/winbindd_privileged/*
srwxrwxrwx 1 root root 0 10. Feb 14:55 /var/lib/samba/winbindd_privileged/pipe

squid.conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='SWB+Internetbenutzer'
auth_param ntlm children 5
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='SWB+Internetbenutzer'
auth_param basic children 5
auth_param basic realm "SWB Internetfreigabe-Anmeldung"
auth_param basic credentialsttl 4 hours
auth_param basic casesensitive off

wbinfo --separator:
+

net ads testjoin:
Join is OK

smb.conf:
[global]
workgroup = SWB
netbiosname = PROXY-TEST
server string = Proxyserver Test
realm = SWB.LAN
encrypt passwords = true
security = ADS
password server = hauptserver.swb.lan
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
syslog = yes
prefered master = no
dns proxy = no
ldap ssl = no
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 3
;template homedir = /home/%D/%U
;template shell = /bin/bash
;
;
;
winbind separator = +


; name resolve order = lmhosts host wins bcast
interfaces = 127.0.0.0/8 eth0
bind interfaces only = yes
panic action = /usr/share/samba/panic-action %d
passdb backend = tdbsam
obey pam restrictions = yes

[hier-gibt-es-nix-zu-sehen]
path = /tmp
comment = Hier gibt es nix zu sehen
guest ok = no
read only = yes

wbinfo -n 'SWB+Internetbenutzer'
S-1-5-21-1063980897-116165429-615769971-1201 Domain Group (2)

wbinfo -s S-1-5-21-1063980897-116165429-615769971-1201
SWB+internetbenutzer 2


/var/log/squid/cache.log:
[2010/02/10 14:37:18, 3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0xa2088207
[2010/02/10 14:37:18, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
Got user=[fmat] domain=[SWB] workstation=[TS1] len1=24 len2=24
[2010/02/10 14:37:18, 0] utils/ntlm_auth.c:271(get_require_membership_sid)
Winbindd lookupname failed to resolve 'SWB+Internetbenutzer' into a SID!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Failed lookup at the first access to ntlm_auth


[2010/02/10 14:37:18, 3] utils/ntlm_auth.c:558(winbind_pw_check)
Login for user [SWB]\[fmat]@[TS1] failed due to [unknown error (NULL)]
[2010/02/10 14:37:22, 3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x00088207
[2010/02/10 14:37:22, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
Got user=[fmat] domain=[] workstation=[ts1] len1=24 len2=24
[2010/02/10 14:37:22, 0] utils/ntlm_auth.c:271(get_require_membership_sid)
Winbindd lookupname failed to resolve 'SWB+Internetbenutzer' into a SID!
[2010/02/10 14:37:22, 3] utils/ntlm_auth.c:558(winbind_pw_check)
Login for user []\[fmat]@[ts1] failed due to [unknown error (NULL)]
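An added example, not part of Frank's post: a small parser for the Samba/ntlm_auth log format quoted above (header line followed by message line) that turns cache.log excerpts into structured findings, so a squid admin can tell a helper configuration problem (the --require-membership-of group not resolving to a SID) apart from ordinary per-user login failures and "BH" helper replies. The sample log is constructed from the excerpts in the post.

```python
import re

# Samba/ntlm_auth debug output comes in pairs: a header line with timestamp, debug
# level and source location, then the actual message on the following line.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"[\w/.]+:\d+\((?P<func>\w+)\)$")
SID_FAIL_RE = re.compile(r"lookupname failed to resolve '(?P<name>[^']+)' into a SID")
LOGIN_FAIL_RE = re.compile(
    r"Login for user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<ws>[^\]]*)\] "
    r"failed due to \[(?P<reason>[^\]]*)\]")

def parse_samba_log(text: str) -> list:
    """Return (timestamp, level, function, message) tuples; pairs each header
    line with the line after it and skips anything else (e.g. hand annotations)."""
    entries, lines, i = [], text.strip().splitlines(), 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i].strip())
        if m and i + 1 < len(lines):
            entries.append((m["ts"], int(m["level"]), m["func"], lines[i + 1].strip()))
            i += 2
        else:
            i += 1
    return entries

def triage(entries: list) -> dict:
    """Sort failures into: group names the helper could not map to a SID (a helper
    configuration problem), per-user login failures, and squid 'BH' (broken helper) replies."""
    out = {"unresolved_groups": [], "failed_logins": [], "broken_helper": []}
    for _ts, _level, _func, msg in entries:
        if (s := SID_FAIL_RE.search(msg)):
            out["unresolved_groups"].append(s["name"])
        if (f := LOGIN_FAIL_RE.search(msg)):
            out["failed_logins"].append((f["domain"], f["user"], f["ws"], f["reason"]))
        if msg.startswith("BH "):
            out["broken_helper"].append(msg[3:])
    return out

# Constructed sample assembled from the log excerpts quoted in the post.
SAMPLE = r"""
[2010/02/11 08:51:14, 1] utils/ntlm_auth.c:802(manage_squid_ntlmssp_request)
BH NTLMSSP query invalid
[2010/02/10 14:37:18, 0] utils/ntlm_auth.c:271(get_require_membership_sid)
Winbindd lookupname failed to resolve 'SWB+Internetbenutzer' into a SID!
[2010/02/10 14:37:18, 3] utils/ntlm_auth.c:558(winbind_pw_check)
Login for user [SWB]\[fmat]@[TS1] failed due to [unknown error (NULL)]
[2010/02/10 14:37:22, 3] utils/ntlm_auth.c:558(winbind_pw_check)
Login for user []\[fmat]@[ts1] failed due to [unknown error (NULL)]
"""
```

Run `triage(parse_samba_log(SAMPLE))`; an "unresolved_groups" entry appearing before every login failure points at the helper's group lookup rather than at the users' credentials.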