[Samba] winbindd/mod_auth_ntlm_winbind.so fail to use workstation credentials (NTLM+SPNEGO)

Serguei public at wolke7.net
Thu Apr 19 08:22:34 GMT 2007


Stefan Gohmann wrote:
> Hello,
>
> there was a patch on samba-technical "[PATCH] mod_auth_ntlm_winbind - new 
> feature to omit domain name from username". Maybe this patch helps for your 
> problem?
>
> Cheers
> Stefan
>
> On Wednesday, 18 April 2007 15:52, Serguei wrote:
>   
>> Hello,
>>
>> We protect linux/apache server with mod_auth_ntlm_winbind.so to
>> authenticate users with their domain accounts. The server is joined into
>> windows domain (Windows 2003 Server). Apache/mod_auth_ntlm_winbind.so is
>> configured for NTLM+SPNEGO authentication. So far users can login when
>> providing valid credentials.
>>
>> Users login into their windows workstation (Windows XP SP2 IE/Firefox)
>> with local accounts (not domain accounts) and access applications from
>> Internet, because they normally work outside the office. Local account
>> name/password matches domain account name/password. Thus we expected to
>> provide a Single Sign-on between workstation and web applications.
>> Browsers when properly configured (IE -> [x] Integrated Windows
>> Authentication+site in the Intranet Zone, Firefox ->
>> network.automatic-ntlm-auth.trusted-uris,
>> network.negotiate-auth.trusted-uris settings) can forward users local
>> account credentials to the web server. This seamless authentication
>> works fine with IIS but fails with winbindd/mod_auth_ntlm_winbind.so
>> with error 500 (both IE and Firefox).
>>
>> Apache log:
>> [Wed Apr 18 15:20:02 2007] [info] Initial (No.1) HTTPS request received
>> for child 3 (server intradev.haching.lan:443)
>> [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(482): [client
>> 192.168.31.39] Launched ntlm_helper, pid 3745
>> [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(652): [client
>> 192.168.31.39] creating auth user
>> [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
>> 192.168.31.39] parsing reply from helper to YR
>> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==\n
>> [2007/04/18 15:20:02, 1] utils/ntlm_auth.c:manage_gss_spnego_request(1110)
>> [Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
>> 192.168.31.39] got response: BH
>> [Wed Apr 18 15:20:02 2007] [error] [client 192.168.31.39] (2)No such
>> file or directory: failed to parse response from helper
>> [Wed Apr 18 15:20:02 2007] [info] Connection to child 3 closed with
>> unclean shutdown(server intradev.haching.lan:443, client 192.168.31.39)
>>
>> Winbindd log.
>> [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
>>   child daemon request 19
>> [2007/04/18 15:20:01, 3]
>> nsswitch/winbindd_misc.c:winbindd_dual_list_trusted_domains(121)
>>   [ 3698]: list trusted domains
>> [2007/04/18 15:20:01, 3]
>> nsswitch/winbindd_misc.c:winbindd_interface_version(491)
>>   [    0]: request interface version
>> [2007/04/18 15:20:01, 3]
>> nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
>>   [    0]: request location of privileged pipe
>> [2007/04/18 15:20:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1134)
>>   [    0]: getgroups root
>> [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
>>   child daemon request 21
>> [2007/04/18 15:20:01, 3]
>> nsswitch/winbindd_async.c:winbindd_dual_lookupname(721)
>>   [ 3698]: lookupname HACHING\root
>> [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
>>   child daemon request 42
>> [2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
>>   child daemon request 54
>> [2007/04/18 15:20:01, 3]
>> nsswitch/winbindd_async.c:winbindd_dual_getsidaliases(950)
>>   [ 3698]: getsidaliases
>> ...
>>
>> "getgroups root" is already strange here. And there is no HACHING\root
>> user. Where does it come from? Of course winbind cannot look up this
>> name. Once again, authentication fails only when the URL is set as the
>> browser's trusted site. When I take the site out of the browser's trusted
>> site list and login explicitly with the same account, everything is fine:
>>
>> Apache
>> [Wed Apr 18 15:40:15 2007] [info] Initial (No.1) HTTPS request received
>> for child 0 (server intradev.haching.lan:443)
>> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018):
>> [client 192.168.31.39] doing ntlm auth dance
>> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(482): [client
>> 192.168.31.39] Launched ntlm_helper, pid 3823
>> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(652): [client
>> 192.168.31.39] creating auth user
>> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
>> 192.168.31.39] parsing reply from helper to YR
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=\n
>> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(741): [client
>> 192.168.31.39] got response: TT
>> TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAAAAAHAAcAA+AAAASABBAEMASAB
>> JAE4ARwACAA4ASABBAEMASABJAE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAGk
>> AbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgAYQBjAGgAaQBuAGcALgBsAGEAbgA
>> AAAAA [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(411):
>> [client 192.168.31.39] sending back
>> TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAAAAAHAAcAA+AAAASABBAEMASAB
>> JAE4ARwACAA4ASABBAEMASABJAE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAGk
>> AbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgAYQBjAGgAaQBuAGcALgBsAGEAbgA
>> AAAAA [Wed Apr 18 15:40:15 2007] [info] Subsequent (No.2) HTTPS request
>> received for child 0 (server intradev.haching.lan:443)
>> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018):
>> [client 192.168.31.39] doing ntlm auth dance
>> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(484): [client
>> 192.168.31.39] Using existing auth helper 3823
>> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client
>> 192.168.31.39] parsing reply from helper to KK
>> TlRMTVNTUAADAAAAGAAYAFYAAAAYABgAbgAAAAAAAABAAAAADAAMAEAAAAAKAAoATAAAAAAAAAA
>> AAAAABYIIAHMAdAByAGkAZwBvAE0ASQBOAFMASwD+aA0tazQbRgAAAAAAAAAAAAAAAAAAAAD0zO3
>> 8BWoCtpXTgGPJMKm63kcbe4fTWd4=\n [Wed Apr 18 15:40:15 2007] [debug]
>> mod_auth_ntlm_winbind.c(741): [client 192.168.31.39] got response: AF
>> testuser
>> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(787): [client
>> 192.168.31.39] authenticated testuser
>> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(961): [client
>> 192.168.31.39] retaining user testuser
>> [Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(962): [client
>> 192.168.31.39] keepalives: 1
>>
>> Winbind:
>> [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint8(615)
>>               0132 id_auth[4] : 00
>> [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint8(615)
>>               0133 id_auth[5] : 05
>> [2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint32s(991)
>>               0134 sub_auths : 00000015 e39fded7 4e0574bc 369b5347
>> [2007/04/18 15:40:15, 5]
>> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1800)
>>   Setting unix username to [testuser]
>> [2007/04/18 15:40:15, 5]
>> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1848)
>>   NTLM CRAP authentication for user [HACHING]\[testuser] returned
>> NT_STATUS_OK (PAM: 0)
>>
>> Below is some configuration info
>>
>> Web Server: Suse 10, Apache 2.0.58, winbindd 3.0.24
>>
>> smb.conf
>> [global]
>>         usershare allow guests = No
>>         workgroup = HACHING
>>         realm = HACHING.LAN
>>         idmap uid = 10000-20000
>>         idmap gid = 10000-20000
>>         security = domain
>>         #password server = sun.haching.lan
>>         winbind use default domain = yes
>>
>> mod_auth_ntlm_winbind.so configuration
>>   AuthName "NTLM Authentication thingy"
>>   NTLMAuth on
>>   NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
>>   NegotiateAuth on
>>   NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
>>   NTLMBasicAuthoritative on
>>   AuthType Negotiate
>>   AuthType NTLM
>>   require valid-user
>>
>> Tests like net rpc testjoin, wbinfo -u, wbinfo -g,
>> ntlm_auth --username=testuser are ok.
>>
>> Any ideas are welcome,
>>
>> regards,
>> Serguei
>>     
>
>   
Thanks for the hint, Stefan.

Unfortunately the patch didn't help. The problem occurs early, with the 
first SPNEGO message (YR).
This is what both IE and Firefox send to a "trusted" site as the first 
negotiation message; winbind fails with an empty BH message:
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
And this message is sent to the same site in "untrusted" mode, which 
ends with successful interactive authentication:
TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=

regards,
Serguei
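To see exactly what differs between the two YR blobs quoted in this thread, here is an added decoder (example code, not from the thread or from Samba) that parses an NTLMSSP NEGOTIATE (Type 1) message: it reports whether the token is bare NTLMSSP or SPNEGO-wrapped, the negotiate flags, and the optional Version field. Flag names follow MS-NLMP; the two blob constants are copied from the messages above.

```python
import base64
import struct

# NTLMSSP NEGOTIATE_MESSAGE (Type 1) flag bits that appear in the two blobs from the thread
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}

# The two Type 1 messages quoted in the thread: trusted-site mode (BH) vs. explicit login (works)
TRUSTED_YR = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
UNTRUSTED_YR = "TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="

def token_kind(raw: bytes) -> str:
    """Classify the token a browser sent: bare NTLMSSP or a SPNEGO/GSS-API wrapper."""
    if raw.startswith(b"NTLMSSP\x00"):
        return "raw-ntlmssp"
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken carrying a SPNEGO NegTokenInit
        return "spnego-init"
    return "unknown"

def decode_type1(b64: str) -> dict:
    """Parse a base64 NTLMSSP Type 1 message: token kind, flags and optional Version field."""
    raw = base64.b64decode(b64)
    kind = token_kind(raw)
    if kind != "raw-ntlmssp":
        return {"kind": kind, "length": len(raw)}
    msg_type, flags = struct.unpack_from("<II", raw, 8)  # MessageType, NegotiateFlags
    if msg_type != 1:
        raise ValueError(f"not a Type 1 message (type={msg_type})")
    info = {"kind": kind, "length": len(raw), "flags": flags, "version": None,
            "flag_names": [n for bit, n in sorted(NTLM_FLAGS.items()) if flags & bit]}
    # The 8-byte Version field (offset 32) is only present when NEGOTIATE_VERSION is set
    if flags & 0x02000000 and len(raw) >= 40:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)
        info["version"] = (major, minor, build, raw[39])  # last byte: NTLMSSP revision
    return info

def flag_diff(a_b64: str, b_b64: str) -> list:
    """Flags set in the first Type 1 message but not in the second."""
    a, b = decode_type1(a_b64), decode_type1(b_b64)
    return sorted(set(a["flag_names"]) - set(b["flag_names"]))
```

Running `decode_type1` on both constants shows that each is a bare NTLMSSP token (no SPNEGO wrapper) and that the trusted-site message only adds NEGOTIATE_VERSION, NEGOTIATE_128 and NEGOTIATE_56 plus an 8-byte Version field (5.1.2600, i.e. Windows XP).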
