Zarafa ntlm auth problems


One time, the SSO (Single Sign On) on my Zarafa server stopped working. The one thing I could find in the logs was:

Sam 24 Mär 2012 16:49:19 CET: Received error from ntlm_auth:
[2012/03/24 16:49:19.094636,  3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe20882b7
Sam 24 Mär 2012 16:49:19 CET: Authentication by plugin failed for user niki: Trying to authenticate failed: Disallowing NULL password for user   uid=niki,ou=int,ou=users,dc=intra,dc=nobaq,dc=net; username = niki
Sam 24 Mär 2012 16:49:19 CET: Failed to authenticate user niki from 93.83.102.173 using program rundll32.exe

NTLM itself is working:

ntlm_auth --username=niki
password:
NT_STATUS_OK: Success (0x0)

Also, the permissions on winbindd_privileged, as required for the ntlmssp helper protocol, are fine:

stat /var/run/samba/winbindd_privileged
  File: „/var/run/samba/winbindd_privileged“
  Size: 4096            Blocks: 8          IO Block: 4096   Verzeichnis
Device: 12h/18d Inode: 3040278     Links: 2
Access: (0750/drwxr-x---)  Uid: (    0/    root)   Gid: (  109/winbindd_priv)
Access: 2012-03-29 20:18:43.000000000 +0200
Modify: 2012-03-29 20:19:02.000000000 +0200
Change: 2012-03-29 20:19:02.000000000 +0200

The sources show that Zarafa calls the following command:

ntlm_auth -d0 --helper-protocol=squid-2.5-ntlmssp

Using squid-2.5-ntlmssp requires a special protocol:

YR ...

then the binary should respond:

TT ....

However, with a higher log level in smb.conf, debug messages can be printed to stdout before the response:

[2012/03/24 16:49:19.094636,  3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe20882b7
TT ....

Zarafa does not expect this and terminates the session. In conclusion,

log level = 2

in /etc/smb.conf solves the issue, whereas "log level = 3" is too much.
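
The failure described above can be reproduced offline. The following is an added example, not code from Zarafa or Samba: strict_read() models a caller that treats the first line of helper output as the reply (an assumption about how the caller reads it), and audit_output() separates stray debug lines from protocol replies. The challenge payload is constructed, because the page elides the real one.

```python
import base64

# Reply codes ntlm_auth emits under --helper-protocol=squid-2.5-ntlmssp.
REPLY_CODES = {"TT", "AF", "NA", "BH"}

def parse_reply(line):
    """Return (code, payload) for a protocol reply line, or None for anything else."""
    code, _, payload = line.rstrip("\r\n").partition(" ")
    if code not in REPLY_CODES:
        return None
    return code, payload

def strict_read(helper_output):
    """Model of a caller that treats the first output line as the reply (assumed behaviour)."""
    first = helper_output.splitlines()[0] if helper_output else ""
    reply = parse_reply(first)
    if reply is None:
        raise ValueError("unexpected helper output: %r" % first)
    return reply

def audit_output(helper_output):
    """Split helper output into stray (non-protocol) lines and parsed replies."""
    stray, replies = [], []
    for line in helper_output.splitlines():
        reply = parse_reply(line)
        if reply is None:
            stray.append(line)
        else:
            replies.append(reply)
    return stray, replies

# Constructed challenge blob; the page shows only "TT ....".
CHALLENGE = base64.b64encode(b"NTLMSSP\x00constructed-challenge").decode()

CLEAN = "TT %s\n" % CHALLENGE
# Debug lines copied from the page's log, followed by the constructed reply.
NOISY = (
    "[2012/03/24 16:49:19.094636,  3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)\n"
    "  Got NTLMSSP neg_flags=0xe20882b7\n"
    + CLEAN
)

if __name__ == "__main__":
    print("clean output parses as:", strict_read(CLEAN)[0])
    stray, replies = audit_output(NOISY)
    print(len(stray), "stray line(s) precede the", replies[0][0], "reply")
```

Running audit_output() over captured helper output is a quick way to check whether the current smb.conf log level still leaks debug lines into the protocol stream.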