Zarafa ntlm auth problems
Aus NOBAQ
Version vom 30. März 2012, 18:33 Uhr von Niki (Diskussion | Beiträge) (Die Seite wurde neu angelegt: „One time, the SSO (Single Sign On) on my Zarafa server stopped working. The one thing I could find in the logs was: Sam 24 Mär 2012 16:49:19 CET: Received erro…“)
One time, the SSO (Single Sign On) on my Zarafa server stopped working. The one thing I could find in the logs was:
Sam 24 Mär 2012 16:49:19 CET: Received error from ntlm_auth: [2012/03/24 16:49:19.094636, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0xe20882b7
Sam 24 Mär 2012 16:49:19 CET: Authentication by plugin failed for user niki: Trying to authenticate failed: Disallowing NULL password for user uid=niki,ou=int,ou=users,dc=intra,dc=nobaq,dc=net; username = niki Sam 24 Mär 2012 16:49:19 CET: Failed to authenticate user niki from 93.83.102.173 using program rundll32.exe
NTLM itself is working:
ntlm_auth --username=niki password: NT_STATUS_OK: Success (0x0)
Also, the permissions to winbindd_privileged, as required for the ntlmssp helper protocol are fine:
stat /var/run/samba/winbindd_privileged File: „/var/run/samba/winbindd_privileged“ Size: 4096 Blocks: 8 IO Block: 4096 Verzeichnis Device: 12h/18d Inode: 3040278 Links: 2 Access: (0750/drwxr-x---) Uid: ( 0/ root) Gid: ( 109/winbindd_priv) Access: 2012-03-29 20:18:43.000000000 +0200 Modify: 2012-03-29 20:19:02.000000000 +0200 Change: 2012-03-29 20:19:02.000000000 +0200
The sources show that Zarafa calls the following command:
ntlm_auth -d0 --helper-protocol=squid-2.5-ntlmssp
Using squid-2.5-ntlmssp requires a special protocol:
YR ...
then the binary should respond:
TT ....
However, with a higher log level in smb.conf, debug messages could be printed to stdout:
[2012/03/24 16:49:19.094636, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0xe20882b7 TT ....
Zarafa is does not expect this and terminates the session. As a conclusion,
log level = 2
in /etc/smb.conf solves the issue whereas "log level = 3" is too much.