[squid-users] NTLMv2 issue caused by Samba's Winbind helper

From: Jamie Stallwood <jamie.stallwood_at_imerja.com>
Date: Wed, 29 Oct 2008 17:23:02 -0000

Hi,

One of my customers has had issues with authenticating Vista machines when
using the Samba 2.0 winbind authenticator program in Squid. The NTLM
authenticator returned:
Login for user [YXXXXXXX]\[YXXXXXXX]@[YXXXXXXX] failed due to [Invalid parameter]

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

The issue is that the KK string sent by the client can, if the DNS name of
the AD domain is quite long, contain an NTLM response section >256 bytes,
which can't be copied into the buffer space in the external program. This is
only an issue if NTLMv2 authentication is the minimum negotiated with the
client (i.e. Vista default).

I ended up writing a hack in Squid's auth_ntlm.cc to trim the packet back as
some of the fields in the packet sent by IE are optional and could be
removed.
(http://linux-blog.project76.co.uk/archives/2008_10_01_archive.html)

This is caused by Samba - does anyone know if this will ever be fixed
properly?

Kind regards
Jamie Stallwood
 

--
Jamie Stallwood
Security Specialist
Imerja Ltd
 
jamie.stallwood_at_imerja.com
Public Key: RSA/4096  31D0 4975 29BD CAB5 ABD5 5345 E8E2 7BBD 41FA DC77
Available from http://pgp.mit.edu:11371/ (0x41FADC77)
 

Received on Wed Oct 29 2008 - 17:24:53 MDT
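
The following is an added diagnostic example, not part of the original message and not Squid or Samba code. It decodes the NTLMSSP AUTHENTICATE (type 3) message carried in a `KK` helper line and reports which fields exceed the 256-byte limit described in the post; the function names and the sample domain, user and workstation values are constructed for illustration.

```python
import base64
import struct

HELPER_LIMIT = 256  # per-field limit reported in the post above

# Security-buffer descriptors in the type 3 header:
# field name -> offset of its (len, maxlen, offset) triple.
FIELDS = {"lm_response": 12, "nt_response": 20, "domain": 28,
          "user": 36, "workstation": 44, "session_key": 52}

def parse_kk(line):
    """Return {field: length} for the type 3 message in a 'KK <base64>' line."""
    verb, _, blob = line.strip().partition(" ")
    if verb != "KK":
        raise ValueError("not a KK line")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\0":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE (type 3) message")
    sizes = {}
    for name, pos in FIELDS.items():
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
        if offset + length > len(msg):  # descriptor must stay inside the message
            raise ValueError(f"{name} points outside the message")
        sizes[name] = length
    return sizes

def oversized(sizes, limit=HELPER_LIMIT):
    """Names of fields whose payload is larger than the helper limit."""
    return sorted(name for name, length in sizes.items() if length > limit)

def build_sample(nt_len):
    """Constructed KK line whose NT response is nt_len zero bytes (test data)."""
    payload = {"lm_response": bytes(24), "nt_response": bytes(nt_len),
               "domain": "EXAMPLE".encode("utf-16-le"),
               "user": "alice".encode("utf-16-le"),
               "workstation": "PC1".encode("utf-16-le"), "session_key": b""}
    header, body, offset = b"NTLMSSP\0" + struct.pack("<I", 3), b"", 64
    for name in FIELDS:  # dict order matches the header layout
        data = payload[name]
        header += struct.pack("<HHI", len(data), len(data), offset)
        body += data
        offset += len(data)
    header += struct.pack("<I", 0)  # NegotiateFlags, not inspected here
    return "KK " + base64.b64encode(header + body).decode()

if __name__ == "__main__":
    for n in (24, 300):  # short response vs. one past the limit
        print(n, oversized(parse_kk(build_sample(n))))
```

Feeding it the `KK` lines logged for a failing client shows whether the NT response is the field that crosses the limit.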