http://niki.hammler.net/w/index.php?action=history&feed=atom&title=Zarafa_ntlm_auth_problemsZarafa ntlm auth problems - Versionsgeschichte2026-05-12T16:56:34ZVersionsgeschichte dieser Seite in NOBAQMediaWiki 1.35.13http://niki.hammler.net/w/index.php?title=Zarafa_ntlm_auth_problems&diff=1375&oldid=prevNiki: Die Seite wurde neu angelegt: „One time, the SSO (Single Sign On) on my Zarafa server stopped working. The one thing I could find in the logs was: Sam 24 Mär 2012 16:49:19 CET: Received erro…“2012-03-30T17:33:14Z<p>Die Seite wurde neu angelegt: „One time, the SSO (Single Sign On) on my Zarafa server stopped working. The one thing I could find in the logs was: Sam 24 Mär 2012 16:49:19 CET: Received erro…“</p>
<p><b>Neue Seite</b></p><div>One time, the SSO (Single Sign On) on my Zarafa server stopped working. The one thing I could find in the logs was:<br />
<br />
Sam 24 Mär 2012 16:49:19 CET: Received error from ntlm_auth:<br />
[2012/03/24 16:49:19.094636, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)<br />
Got NTLMSSP neg_flags=0xe20882b7<br />
<br />
Sam 24 Mär 2012 16:49:19 CET: Authentication by plugin failed for user niki: Trying to authenticate failed: Disallowing NULL password for user uid=niki,ou=int,ou=users,dc=intra,dc=nobaq,dc=net; username = niki<br />
Sam 24 Mär 2012 16:49:19 CET: Failed to authenticate user niki from 93.83.102.173 using program rundll32.exe<br />
<br />
NTLM itself is working:<br />
<br />
ntlm_auth --username=niki<br />
password:<br />
NT_STATUS_OK: Success (0x0)<br />
<br />
Also, the permissions to winbindd_privileged, as required for the ntlmssp helper protocol are fine:<br />
<br />
stat /var/run/samba/winbindd_privileged<br />
File: „/var/run/samba/winbindd_privileged“<br />
Size: 4096 Blocks: 8 IO Block: 4096 Verzeichnis<br />
Device: 12h/18d Inode: 3040278 Links: 2<br />
Access: (0750/drwxr-x---) Uid: ( 0/ root) Gid: ( 109/winbindd_priv)<br />
Access: 2012-03-29 20:18:43.000000000 +0200<br />
Modify: 2012-03-29 20:19:02.000000000 +0200<br />
Change: 2012-03-29 20:19:02.000000000 +0200<br />
<br />
The sources show that Zarafa calls the following command:<br />
<br />
ntlm_auth -d0 --helper-protocol=squid-2.5-ntlmssp<br />
<br />
Using squid-2.5-ntlmssp requires a special protocol:<br />
<br />
YR ...<br />
<br />
then the binary should respond:<br />
<br />
TT ....<br />
<br />
However, with a higher log level in smb.conf, debug messages could be printed to stdout:<br />
<br />
[2012/03/24 16:49:19.094636, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)<br />
Got NTLMSSP neg_flags=0xe20882b7<br />
TT ....<br />
<br />
Zarafa is does not expect this and terminates the session. As a conclusion,<br />
<br />
log level = 2<br />
<br />
in /etc/smb.conf solves the issue whereas "log level = 3" is too much.</div>Niki