Jamie Stallwood wrote:
> Hi,
>
> One of my customers has had issues with authentication Vista machines when
> using the Samba 2.0 winbind authenticator program in Squid. The NTLM
> authenticator returned:
> Login for user [YXXXXXXX]\[YXXXXXXX]@[YXXXXXXX] failed due to [Invalid
> parameter]
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
>
> The issue is that the KK string sent by the client can, if the DNS name of
> the AD domain is quite long, contain an NTLM response section >256 bytes,
> which can't be copied into the buffer space in the external program. This is
> only an issue if NTLMv2 authentication is the minimum negotiated with the
> client (i.e. Vista default).
>
> I ended up writing a hack in Squid's auth_ntlm.cc to trim the packet back as
> some of the fields in the packet sent by IE are optional and could be
> removed.
> (http://linux-blog.project76.co.uk/archives/2008_10_01_archive.html)
>
> This is caused by Samba - does anyone know if this will ever be fixed
> properly?
The Kerberos 'KK' buffers were expanded to 32KB in 3.0stable10 and
2.7stable5.
The squid bundled Kerberos helper was updated to version 1.0.3 starting
with the squid 3.1. Not sure about its current status in 2.x.
Amos
-- Please be using Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10 Current Beta Squid 3.1.0.1Received on Wed Oct 29 2008 - 23:36:17 MDT
This archive was generated by hypermail 2.2.0 : Thu Oct 30 2008 - 12:00:04 MDT