Re: [squid-users] NTLMv2 issue caused by Samba's Winbind helper

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 30 Oct 2008 12:36:14 +1300

Jamie Stallwood wrote:
> Hi,
>
> One of my customers has had issues with authenticating Vista machines when
> using the Samba 2.0 winbind authenticator program in Squid. The NTLM
> authenticator returned:
> Login for user [YXXXXXXX]\[YXXXXXXX]@[YXXXXXXX] failed due to [Invalid
> parameter]
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
>
> The issue is that the KK string sent by the client can, if the DNS name of
> the AD domain is quite long, contain an NTLM response section >256 bytes,
> which can't be copied into the buffer space in the external program. This is
> only an issue if NTLMv2 authentication is the minimum negotiated with the
> client (i.e. Vista default).
>
> I ended up writing a hack in Squid's auth_ntlm.cc to trim the packet back as
> some of the fields in the packet sent by IE are optional and could be
> removed.
> (http://linux-blog.project76.co.uk/archives/2008_10_01_archive.html)
>
> This is caused by Samba - does anyone know if this will ever be fixed
> properly?

The Kerberos 'KK' buffers were expanded to 32KB in 3.0stable10 and
2.7stable5.

The squid bundled Kerberos helper was updated to version 1.0.3 starting
with the squid 3.1. Not sure about its current status in 2.x.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.1
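As an added example (not code from the thread, Squid or Samba), the script below reproduces the size arithmetic behind the failure Jamie describes: it builds an NTLMv2 response per MS-NLMP 3.3.2 from a target-info (AV_PAIR) list, wraps it in an NTLM type 3 AUTHENTICATE_MESSAGE, and reports how long the "KK <base64>" line handed to the helper becomes and whether the NT response still fits a 256-byte buffer. It also shows how a helper would locate the NtChallengeResponse field before copying it. Every name, hash, challenge, timestamp and flag word below is a constructed sample value, and the 256-byte limit is the figure taken from the post.

```python
"""Why a long AD DNS name pushes the NTLMv2 response past 256 bytes.

Constructed example: no real credentials or captured traffic are used.
"""
import base64
import hashlib
import hmac
import struct

# AV_PAIR ids from MS-NLMP 2.2.2.1
MSV_AV_EOL, MSV_AV_NB_COMPUTER, MSV_AV_NB_DOMAIN = 0, 1, 2
MSV_AV_DNS_COMPUTER, MSV_AV_DNS_DOMAIN, MSV_AV_DNS_TREE, MSV_AV_TIMESTAMP = 3, 4, 5, 7

HELPER_NT_RESPONSE_LIMIT = 256  # buffer size the post says the helper copies into


def utf16(s: str) -> bytes:
    return s.encode("utf-16-le")


def av_pair(av_id: int, value: bytes) -> bytes:
    return struct.pack("<HH", av_id, len(value)) + value


def target_info(nb_computer, nb_domain, dns_computer, dns_domain, dns_tree, timestamp):
    """Target-info block the DC sends in the CHALLENGE and the client echoes back
    inside its NTLMv2 blob; each DNS name costs 4 + 2*len(name) bytes (UTF-16LE)."""
    return (av_pair(MSV_AV_NB_COMPUTER, utf16(nb_computer))
            + av_pair(MSV_AV_NB_DOMAIN, utf16(nb_domain))
            + av_pair(MSV_AV_DNS_COMPUTER, utf16(dns_computer))
            + av_pair(MSV_AV_DNS_DOMAIN, utf16(dns_domain))
            + av_pair(MSV_AV_DNS_TREE, utf16(dns_tree))
            + av_pair(MSV_AV_TIMESTAMP, struct.pack("<Q", timestamp))
            + av_pair(MSV_AV_EOL, b""))


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp, tinfo):
    """NTProofStr || temp, per MS-NLMP 3.3.2: NTOWFv2, then HMAC-MD5 over the blob."""
    ntlmv2_hash = hmac.new(nt_hash, utf16(user.upper() + domain), hashlib.md5).digest()
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + tinfo + b"\x00" * 4)
    nt_proof = hmac.new(ntlmv2_hash, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


def authenticate_message(domain, user, workstation, lm_resp, nt_resp, session_key, flags):
    """Minimal NTLM type 3 (no Version/MIC): 64-byte header of (len, maxlen, offset)
    descriptors in the order LM, NT, Domain, User, Workstation, SessionKey, then payload."""
    items = [lm_resp, nt_resp, utf16(domain), utf16(user), utf16(workstation), session_key]
    fields, payload, offset = b"", b"", 64
    for item in items:
        fields += struct.pack("<HHI", len(item), len(item), offset)
        payload += item
        offset += len(item)
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload


def nt_response_from_type3(type3: bytes) -> bytes:
    """Locate NtChallengeResponse the way a helper must: descriptor at offset 20."""
    length, _maxlen, off = struct.unpack_from("<HHI", type3, 20)
    if off + length > len(type3):
        raise ValueError("NT response descriptor points outside the message")
    return type3[off:off + length]


def kk_line(type3: bytes) -> str:
    """The final-leg line squid hands to a squid-2.5-ntlmssp helper."""
    return "KK " + base64.b64encode(type3).decode("ascii")


def scenario(nb_domain: str, dns_domain: str, host: str = "dc01") -> dict:
    """Build one exchange for a constructed domain and report the sizes that matter."""
    nt_hash = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed NT hash
    server_challenge, client_challenge = b"\x11" * 8, b"\x22" * 8  # constructed
    timestamp = 0x01C91A2B3C4D5E6F                                  # constructed FILETIME
    tinfo = target_info(host.upper(), nb_domain, f"{host}.{dns_domain}",
                        dns_domain, dns_domain, timestamp)
    nt_resp = ntlmv2_response(nt_hash, "alice", nb_domain, server_challenge,
                              client_challenge, timestamp, tinfo)
    lm_resp = b"\x00" * 24  # 24-byte LM field, zeroed here (LMv2 omitted for brevity)
    type3 = authenticate_message(nb_domain, "alice", "WS01", lm_resp, nt_resp, b"", 0xE2888205)
    return {"nt_response_len": len(nt_resp),
            "kk_line_len": len(kk_line(type3)),
            "fits_helper": len(nt_resp) <= HELPER_NT_RESPONSE_LIMIT}


if __name__ == "__main__":
    for nb, dns in [("CORP", "corp.local"),
                    ("EUROPEOPS", "europe.operations.example-corporation.co.uk")]:
        print(dns, scenario(nb, dns))
```

The DNS domain name appears three times in the echoed target info (DnsDomainName, DnsTreeName and as the suffix of DnsComputerName), each in UTF-16LE, so a 43-character domain adds roughly 270 bytes on its own and the NT response lands well past 256 bytes, while a short "corp.local" forest stays comfortably under. A helper that sizes its buffer from the descriptor it reads (as `nt_response_from_type3` does) rather than from a fixed constant would not have the problem; a 32 KB buffer, as in the later Squid releases Amos mentions, simply makes the fixed constant large enough.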
Received on Wed Oct 29 2008 - 23:36:17 MDT

This archive was generated by hypermail 2.2.0 : Thu Oct 30 2008 - 12:00:04 MDT