[Samba] mod_ntlm_winbind / Apache2

Kevin Shanahan kmshanah at ucwb.org.au
Tue Aug 29 13:47:48 GMT 2006


On Tue, 2006-08-29 at 09:16 -0300, Felipe Augusto van de Wiel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 08/29/2006 08:03 AM, Kevin Shanahan wrote:
> > Hi,
> > 
> > I'm trying to set up Apache2 with mod_ntlm_winbind so our Windows users
> > can log onto our Intranet automatically without having to type in their
> > username / password.
> 
> 	Just a suggestion, kerberos could be a good way to achieve
> Single Sign On. Do you need mod_ntlm_winbind?

Not necessarily, it just looked to be the preferred option from what I've
been reading. It sounded like mod_ntlm is not maintained anymore...

> 	And there is a nice document about NTLM Authentication that
> just happens to be updated these days.
> 
> http://davenport.sourceforge.net/ntlm.html

This is interesting. Since the clients are all Win2000 or WinXP, perhaps
I should be using the Negotiate mechanism. I changed the apache config
to the following:

<Directory /var/www/auth-test>
    AuthName "NTLM SPNEGO Authentication Test"
    NTLMAuth on
    NegotiateAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
    NTLMBasicAuthoritative on
    AuthType NTLM
    AuthType Negotiate
    require valid-user
</Directory>

Internet Explorer still fails, but I see something in the logs now
(upped the LogLevel to debug, was at info before):

[Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(529): [client 192.168.0.53] Launched ntlm_helper, pid 1849
[Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(699): [client 192.168.0.53] creating auth user
[Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(750): [client 192.168.0.53] parsing reply from helper to YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==\n
[2006/08/29 23:02:37, 1] utils/ntlm_auth.c:manage_gss_spnego_request(859)
[Tue Aug 29 23:02:37 2006] [debug] mod_ntlm_winbind.c(788): [client 192.168.0.53] got response: BH
[Tue Aug 29 23:02:37 2006] [error] [client 192.168.0.53] (2)No such file or directory: failed to parse response from helper

Where is the "No such file" error coming from?

Firefox still behaves the same (need to specify DOMAIN\username), but
here's the log:

[Tue Aug 29 23:13:06 2006] [debug] mod_ntlm_winbind.c(1065): [client 192.168.0.53] doing ntlm auth dance
[Tue Aug 29 23:13:06 2006] [debug] mod_ntlm_winbind.c(531): [client 192.168.0.53] Using existing auth helper 1882
[Tue Aug 29 23:13:06 2006] [debug] mod_ntlm_winbind.c(750): [client 192.168.0.53] parsing reply from helper to KK TlRMTVNTUAADAAAAGAAYAGIAAAAYABgAegAAAAgACABAAAAAEAAQAEgAAAAKAAoAWAAAAAAAAAAAAAAABYIIAFcAVQBNADMAawBtAHMAaABhAG4AYQBoAGkAdAAtADAAMADpnn4qP2ZWmgAAAAAAAAAAAAAAAAAAAADKLcOjZ3fA8rytTY1MLpDw3MCBkqgnBos=\n
[2006/08/29 23:13:06, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
  Got user=[kmshanah] domain=[WUM3] workstation=[it-00] len1=24 len2=24
[2006/08/29 23:13:06, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2006/08/29 23:13:06, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x00088235
[Tue Aug 29 23:13:06 2006] [debug] mod_ntlm_winbind.c(788): [client 192.168.0.53] got response: AF WUM3\\kmshanah
[Tue Aug 29 23:13:06 2006] [debug] mod_ntlm_winbind.c(834): [client 192.168.0.53] authenticated WUM3\\kmshanah

Not sure if that tells me anything new...

Regards,
Kevin.
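
Added example, not part of the message above and not mod_ntlm_winbind or Samba code: it decodes the base64 token from the `YR` debug line of the Internet Explorer attempt and reports whether the gss-spnego helper was handed a raw NTLMSSP message or a GSS-API/SPNEGO wrapped one. The `classify` function and the flag-name subset are this example's own; the token is the one in the log line above.

```python
import base64
import re
import struct

# Token from the page's IE debug line (split only to fit the line width).
IE_LINE = ("parsing reply from helper to YR TlRMTVNTUAABAAAAB4IIogAA"
           "AAAAAAAAAAAAAAAA" "AAAFASgKAAAADw==\\n")

# Subset of NTLMSSP negotiate flags (names shortened from MS-NLMP).
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}

# Helper command (YR/KK/TT) followed by the base64 token.
LINE_RE = re.compile(r"helper to (YR|KK|TT) ([A-Za-z0-9+/=]+)")

def classify(line):
    """Return a dict describing the token in one debug line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    blob = base64.b64decode(m.group(2))
    info = {"cmd": m.group(1), "length": len(blob), "wrapper": "unknown"}
    if blob[:8] == b"NTLMSSP\x00" and len(blob) >= 12:
        info["wrapper"] = "raw NTLMSSP"
        (info["msg_type"],) = struct.unpack_from("<I", blob, 8)
        # Only the Type 1 (negotiate) layout is decoded here.
        if info["msg_type"] == 1 and len(blob) >= 16:
            (flags,) = struct.unpack_from("<I", blob, 12)
            info["flags"] = flags
            info["flag_names"] = [n for b, n in FLAGS.items() if flags & b]
            # The version field follows the two 8-byte security buffers.
            if flags & 0x02000000 and len(blob) >= 40:
                major, minor, build = struct.unpack_from("<BBH", blob, 32)
                info["os_version"] = f"{major}.{minor}.{build}"
    elif blob[:1] == b"\x60":      # ASN.1 [APPLICATION 0]
        info["wrapper"] = "GSS-API/SPNEGO initial token"
    elif blob[:1] == b"\xa1":      # ASN.1 context tag [1]
        info["wrapper"] = "SPNEGO negTokenResp"
    return info

if __name__ == "__main__":
    print(classify(IE_LINE))
```

For the IE line it reports a 40-byte raw NTLMSSP Type 1 message from a 5.1.2600 client, which is the token the helper answered with `BH`.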



