[Samba] Re: mod_ntlm_winbind authentication issues

Andrew Bartlett abartlet at samba.org
Wed Mar 23 21:21:09 GMT 2005


On Wed, 2005-03-23 at 10:40 -0500, Nathan J. Mehl wrote:
> Attempting to use mod_ntlm_winbind to provide passthrough
> authentication to an apache vhost, I'm running into a problem that I
> hope is merely me misunderstanding the proper setup...
> 
> The details: 
> 
> 	serverside:
> 	freebsd 4.10-p3
> 	mod_ntlm_winbind.c rev 117 from svn
> 	samba 3.0.11 from freebsd ports
> 	apache 1.3.33+mod_ssl from freebsd ports
> 	Windows 2000 Server SP4
> 
> 	clientside:
> 	Windows XP SP2
> 	IE 6.0.2900.2180.xpsp_sp2_rtm.040803-2158
> 
> The apache virtual host definition:
> 
> 	<VirtualHost 10.1.1.249:80>
> 	   ServerName rt-test.elided.com
> 	   DocumentRoot /usr/local/rt3/share/html
> 	   AddDefaultCharset UTF-8
> 	   PerlModule Apache::DBI
> 	   PerlRequire /usr/local/rt3/bin/webmux.pl
> 	   <Location />
> 	     SetHandler perl-script
> 	     PerlHandler RT::Mason
> 	     AuthName "NTLM Authentication test"
> 	     NTLMAuth on
> 	     NTLMAuthHelper "/usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
> 	     NTLMBasicAuthoritative on
> 	     AuthType NTLM
> 	     require valid-user
> 	   </Location>
> 	</VirtualHost>
> 
> With this in place, a logged-in user attempting to connect to that
> vhost via IE is immediately prompted for a password, with the username
> portion of the dialog box filled in as "rt-test.elided.com\username".
> This itself is confusing, since presumably IE is supposed to attempt
> the initial auth on its own without any user interaction.  

This happens because the hostname has a '.' in it, and so it is no
longer in the trusted zone.  Therefore, no credentials are supplied
automatically.  Then, because the hostname is not a valid domain name
on the target domain controller, the authentication fails.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net