[Samba] NTLMv2, Samba, and Squid - Samba


Thread: [Samba] NTLMv2, Samba, and Squid

  1. [Samba] NTLMv2, Samba, and Squid

    Here is the problem: I'm setting up a new squid proxy server with
    authentication via Samba and NTLM because the old one died suddenly.
    The new one is up and running and I have it working; mostly. The
    kicker is the 2 employees testing Vista (myself and my supervisor)
    could not authenticate against the server. I say could because through
    a variety of testing and some lucky reading I found the cause of the
    problem to be that by default Windows Vista uses NTLMv2 only, and when
    I change the setting to LM & NTLM using NTLMv2 for negotiation it all
    works. The old proxy server allowed us to authenticate using NTLMv2,
    and that is the goal of this question: what am I missing in my
    configuration? Here's a dump of smb.conf taken via a testparm:

    [global]
    workgroup = EDMCOMPUTRONIX
    realm = COMPUTRONIX.COM
    server string = CX Canada's SQUID Web Proxy
    security = ADS
    password server = 206.75.5.19
    log file = /var/log/samba/%m.log
    max log size = 500
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    preferred master = No
    domain master = No
    dns proxy = No
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes

    [test]
    path = /testshare
    guest ok = Yes
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] NTLMv2, Samba, and Squid

    If you'd like to force NTLMv2 authentication these settings in your
    smb.conf could help:
    ntlm auth = Yes
    client NTLMv2 auth = Yes
    min protocol = LANMAN2
    max protocol = NT1

    I also put these:
    client lanman auth = No
    client plaintext auth = No
    use spnego = Yes
    client use spnego = Yes

    For the client part, if you want, there are these Microsoft articles for
    Windows 95/98/NT that work in XP too, so I think they also work for
    Windows Vista:
    http://support.microsoft.com/?scid=k...9869&x=14&y=10
    http://support.microsoft.com/?scid=k...7706&x=15&y=10

    Even on XP clients I prefer to strictly force NTLMv2.

    On 9/7/07, Darren Maskowitz wrote:
    > [...]


  3. Re: [Samba] NTLMv2, Samba, and Squid

    On Fri, 2007-09-07 at 15:51 -0600, Darren Maskowitz wrote:
    > Here is the problem: I'm setting up a new squid proxy server with
    > authentication via Samba and NTLM because the old one died suddenly.
    > The new one is up and running and i have it working; mostly. The
    > kicker is the 2 employees testing Vista (myself and my supervisor)
    > could not authenticate against the server. I say could because through
    > a variety of testing and some lucky reading I found the cause of the
    > problem to be that by default Windows Vista uses NTLMv2 only, and when
    > I change the setting to LM & NTLM using NTLMv2 for negotiation it all
    > works. The old proxy server allowed us ot authenticate using NTLMv2,
    > and that is the goal of this question: what am I missing in my
    > configuration? Here's a dump of smb.conf taken via a testparm:


    Make sure the netbios name (implicitly set as the hostname, which becomes
    the machine join account) matches the name you access the server as.

    Andrew Bartlett

    --
    Andrew Bartlett
    http://samba.org/~abartlet/
    Authentication Developer, Samba Team http://samba.org
    Samba Developer, Red Hat Inc.



  4. Re: [Samba] NTLMv2, Samba, and Squid

    On Sat, 2007-09-08 at 12:35 -0300, mups.cp wrote:
    > If you'd like force NTLMv2 authentication these settings in your
    > smb.conf could help:
    > ntlm auth = Yes


    This is the default.

    > client NTLMv2 auth = Yes


    This is the only one that changes.

    > min protocol = LANMAN2
    > max protocol = NT1


    Why are you setting this?

    > I also put these:
    > client lanman auth = No
    > client plaintext auth = No


    These are about to (3.2.0) become the defaults, and are set implicitly
    by setting 'client ntlmv2 auth = yes'.

    > use spnego = Yes
    > client use spnego = Yes


    These are both defaults.

    The reason I'm replying to this is that I hate the way that Samba
    folklore builds up.

    You don't need a magic combination of smb.conf variables for Samba to
    accept NTLMv2 authentication, we do that already. You can turn off
    accepting NT and LM if you are paranoid.

    The only setting you have actually changed with all this is to only send
    NTLMv2 challenge-response authentication, when we are a client.

    Andrew Bartlett




  5. Re: [Samba] NTLMv2, Samba, and Squid

    > > min protocol = LANMAN2
    > > max protocol = NT1

    >
    > Why are you setting this?


    I prefer to set these values because I force the server to accept only
    secure protocols. Windows protocols earlier than LANMAN2 could be
    easily eavesdropped from the network. LANMAN2 and higher are stronger.
    I remember from L0pht Crack that attacked this.
    The default 'min protocol' could allow some kind of attack in the network.

    The links I sent from Microsoft help improve client security by
    improving connection security. These are really for security-paranoid
    professionals.

    I didn't know these values were the default. Maybe I used these a long
    time ago when they weren't.

  6. Re: [Samba] NTLMv2, Samba, and Squid

    On Mon, 2007-09-10 at 11:36 -0300, mups.cp wrote:
    > > > min protocol = LANMAN2
    > > > max protocol = NT1

    > >
    > > Why are you setting this?

    >
    > I prefer set this values because I force the server to accept only
    > secure protocol. Windows protocols earlier than LANMAN2 could be
    > easily eavesdropped from the network. LANMAN2 and higher are stronger.


    Not really. Aside from a new experiment with the CIFS posix extensions,
    all carry the data in cleartext. In terms of passwords,

    > I remember from L0pht Crack that attacked this.
    > The default 'min protocol' could allows some kind of attack in the network.


    If the attacker is 'active', then they could spoof this anyway. If the
    attacker is passive, the clients negotiate the strongest security
    anyway.

    For a long time windows clients have refused to send cleartext
    passwords. Samba 3.2.0 will likewise refuse by default.

    The message I'm trying to put out is that with Samba 3.0, if you don't
    want to send a password l0phtcrack will enjoy, set either:

    client lanman auth = no

    (this will be the default in Samba 3.2)
    or if you want NTLMv2, set

    client ntlmv2 auth = yes

    It is that simple to have Samba more secure, and messing with other
    protocol options etc will just bite you later, if we have good reason to
    change the defaults.

    Andrew Bartlett



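    The settings discussed in replies 2, 4 and 6 above, turned into a small audit script. This is an added example, not code from this thread or from the Samba project: it parses the [global] section of an smb.conf dump (such as the output of `testparm -s`) and sorts the NTLM-related parameters into the buckets Andrew describes: values that merely restate a default, values already implied by `client ntlmv2 auth = yes`, the one value that actually changes behaviour, and the `min protocol`/`max protocol` pins. The DEFAULTS table is an assumption about Samba 3.0.x defaults, and the embedded sample config is constructed for the example.

```python
"""Audit the NTLM-related settings of an smb.conf [global] section.

Added example; not code from this thread or from the Samba project. It applies
the points made above for Samba 3.0: smbd accepts NTLMv2 from clients without
any special setting, 'client ntlmv2 auth = yes' is the only suggested value
that changes behaviour (and it implies 'client lanman auth = no' and
'client plaintext auth = no'), the other suggested values restate defaults,
and the 'min protocol'/'max protocol' pins are unnecessary. The DEFAULTS table
is an assumption about Samba 3.0.x defaults; confirm with 'testparm -v'.
"""
import re

# Assumed Samba 3.0-era defaults for the parameters discussed in the thread.
DEFAULTS = {
    "ntlm auth": "yes",
    "client ntlmv2 auth": "no",
    "client lanman auth": "yes",
    "client plaintext auth": "yes",
    "use spnego": "yes",
    "client use spnego": "yes",
}

# Values that 'client ntlmv2 auth = yes' sets implicitly (per the thread).
IMPLIED_BY_CLIENT_NTLMV2 = {"client lanman auth": "no", "client plaintext auth": "no"}

# Protocol pins the thread advises against touching.
PROTOCOL_PINS = {"min protocol", "max protocol"}

# Constructed sample: a trimmed [global] plus the settings suggested in reply 2.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLEDOM
    realm = EXAMPLE.TEST
    security = ADS
    ntlm auth = Yes
    client NTLMv2 auth = Yes
    min protocol = LANMAN2
    max protocol = NT1
    client lanman auth = No
    client plaintext auth = No
    use spnego = Yes
    client use spnego = Yes

[test]
    path = /testshare
    guest ok = Yes
"""


def _norm_key(key):
    # Samba parameter names are case-insensitive; collapse whitespace too so
    # 'client NTLMv2 auth' and 'client ntlmv2 auth' compare equal.
    return " ".join(key.lower().split())


def _norm_bool(value):
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return "yes"
    if v in ("no", "false", "0"):
        return "no"
    return v


def parse_global(text):
    """Return {parameter: raw value} for the [global] section only."""
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment lines
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[_norm_key(key)] = value.strip()
    return params


def audit(text):
    """Classify the auth settings in [global].

    redundant          explicitly set to the assumed default, so no effect
    implied            already implied by 'client ntlmv2 auth = yes'
    effective          settings that actually change behaviour
    protocol_pins      min/max protocol values the thread advises against
    sends_ntlmv2_only  whether this host, acting as a client, sends only NTLMv2
    (Acceptance of NTLMv2 by smbd is not modelled: per the thread it is unconditional.)
    """
    params = parse_global(text)
    client_v2 = _norm_bool(params.get("client ntlmv2 auth", "no")) == "yes"
    result = {"redundant": [], "implied": [], "effective": [], "protocol_pins": [],
              "sends_ntlmv2_only": client_v2}
    for key, value in params.items():
        if key in PROTOCOL_PINS:
            result["protocol_pins"].append((key, value))
        elif key in DEFAULTS:
            norm = _norm_bool(value)
            if norm == DEFAULTS[key]:
                result["redundant"].append((key, value))
            elif client_v2 and IMPLIED_BY_CLIENT_NTLMV2.get(key) == norm:
                result["implied"].append((key, value))
            else:
                result["effective"].append((key, value))
    return result


if __name__ == "__main__":
    for bucket, items in audit(SAMPLE_SMB_CONF).items():
        print(f"{bucket}: {items}")
```

    On the sample config the only entry in the "effective" bucket is `client ntlmv2 auth = Yes`, which is exactly Andrew's point; replacing SAMPLE_SMB_CONF with the text of `testparm -s` run on a real smb.conf audits that file instead.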

  7. Samba 3.2.0 (was Re: [Samba] NTLMv2, Samba, and Squid)

    Quoting Andrew Bartlett :

    [...]
    > For a long time windows clients have refused to send cleartext
    > passwords. Samba 3.2.0 will likewise refuse by default.

    [...]

    Is there a release date for 3.2.0?

    --
    Pau Garcia i Quiles
    http://www.elpauer.org
    (Due to my workload, I may need 10 days to answer)


  8. Re: Samba 3.2.0 (was Re: [Samba] NTLMv2, Samba, and Squid)


    Pau Garcia i Quiles wrote:
    > Quoting Andrew Bartlett :
    >
    > [...]
    >> For a long time windows clients have refused to send cleartext
    >> passwords. Samba 3.2.0 will likewise refuse by default.

    > [...]
    >
    > Is there a release date for 3.2.0?
    >


    3.2.0pre1 is due out early next week.
    cheers, jerry

  9. Re: [Samba] NTLMv2, Samba, and Squid

    Thanks for the points.

    On 9/11/07, Andrew Bartlett wrote:
    > [...]
