[Samba] Combining mod_auth_winbind with other authorization modules

Dave davep at hmgcc.gsi.gov.uk
Tue Oct 10 10:32:23 GMT 2006


I'm trying to use the mod_auth_winbind module from lorikeet SVN to 
control access to an Apache 2.2.3 server. Samba is 3.0.23b supplied with 
Mandriva 2007 and is configured as a member of a w2k3 AD domain. The 
Apache users are using IE on W2k or XP domain member clients.

Samba and winbind are working as expected, and if I just use the 
mod_auth_winbind module to authenticate the users Apache seems to be OK. 
However I also need to use an authorization module to control access to 
user groups via the '.htaccess' files. I've tried both 
mod_authz_groupfile and mod_authz_dbm; in each case authentication 
occasionally falls apart as the following (redacted) Apache error log 
segment shows:

  mod_ntlm_winbind.c(1065): doing ntlm auth dance, referer: 
http://myserver/homepage/left.html
  mod_ntlm_winbind.c(529): Launched ntlm_helper, pid 28125, referer: 
http://myserver/homepage/left.html
  mod_ntlm_winbind.c(699): creating auth user, referer: 
http://myserver/homepage/left.html
  mod_ntlm_winbind.c(750): parsing reply from helper to YR Tl...ND\n, 
referer: http://myserver/homepage/left.html
  mod_ntlm_winbind.c(788): got response: TT Tl...AA, referer: 
http://myserver/homepage/left.html
  mod_ntlm_winbind.c(455): sending back Tl...AA, referer: 
http://myserver/homepage/left.html
  mod_ntlm_winbind.c(472): Decrement the connection request count to 
keep it alive, referer: http://myserver/homepage/left.html
  mod_ntlm_winbind.c(1065): doing ntlm auth dance, referer: 
http://myserver/homepage/left.html
  mod_ntlm_winbind.c(531): Using existing auth helper 28125, referer: 
http://myserver/homepage/left.html
  mod_ntlm_winbind.c(750): parsing reply from helper to KK Tl...ND\n, 
referer: http://myserver/homepage/left.html
  libsmb/ntlmssp.c:ntlmssp_update(252) got NTLMSSP command 1, expected 3
  mod_ntlm_winbind.c(788): got response: NA NT_STATUS_INVALID_PARAMETER, 
referer: http://myserver/homepage/left.html
  mod_ntlm_winbind.c(812): user not authenticated: 
NT_STATUS_INVALID_PARAMETER, referer: http://myserver/homepage/left.html
  mod_ntlm_winbind.c(1019): reauth, referer: 
http://myserver/homepage/left.html
  mod_ntlm_winbind.c(1065): doing ntlm auth dance, referer: 
http://myserver/homepage/left.html
  mod_ntlm_winbind.c(529): Launched ntlm_helper, pid 28126, referer: 
http://myserver/homepage/left.html
  mod_ntlm_winbind.c(699): creating auth user, referer: 
http://myserver/homepage/left.html
  mod_ntlm_winbind.c(750): parsing reply from helper to YR Tl...9=\n, 
referer: http://myserver/homepage/left.html
  libsmb/ntlmssp.c:ntlmssp_update(252) got NTLMSSP command 3, expected 1
  mod_ntlm_winbind.c(788): got response: NA NT_STATUS_INVALID_PARAMETER, 
referer: http://myserver/homepage/left.html
  mod_ntlm_winbind.c(812): user not authenticated: 
NT_STATUS_INVALID_PARAMETER, referer: http://myserver/homepage/left.html
  mod_ntlm_winbind.c(1065): doing ntlm auth dance, referer: 
http://myserver/homepage/left.html
  mod_ntlm_winbind.c(531): Using existing auth helper 28126, referer: 
http://myserver/homepage/left.html
  mod_ntlm_winbind.c(750): parsing reply from helper to KK Tl...9=\n, 
referer: http://myserver/homepage/left.html
  libsmb/ntlmssp.c:ntlmssp_update(252) got NTLMSSP command 3, expected 1
  mod_ntlm_winbind.c(788): got response: NA NT_STATUS_INVALID_PARAMETER, 
referer: http://myserver/homepage/left.html
  mod_ntlm_winbind.c(812): user not authenticated: 
NT_STATUS_INVALID_PARAMETER, referer: http://myserver/homepage/left.html
  [notice] child pid 28108 exit signal Segmentation fault (11)

It seems that the browser opens two sessions with the server and the 
auth mechanism gets mixed up between the two. The browser displays a 
mixture of HTTP headers and the usual Apache 401 message.

Does mod_auth_winbind have any known problems combining in this way?
-- 
Dave
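
The errors in the log above are sequencing errors: the helper rejects an NTLMSSP message whose type does not match the stage it expects. The following is an added example, not part of the original post and not code from mod_auth_winbind or Samba, that replays log lines in this format and reports each such mismatch per helper. It assumes the text after YR/KK is the client's base64 NTLMSSP token and uses a simplified model in which a helper expects type 1, then type 3; the pids, tokens and URLs are constructed.

```python
import base64
import re
import struct

SIG = b"NTLMSSP\x00"
HELPER_RE = re.compile(r"(?:Launched ntlm_helper, pid|Using existing auth helper) (\d+)")
SEND_RE = re.compile(r"parsing reply from helper to (?:YR|KK) (\S+?)(?:\\n)?,")

def ntlm_type(token_b64):
    """Message type (1 negotiate, 3 authenticate) of a base64 NTLMSSP token, else None."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(SIG):
        return None
    return struct.unpack_from("<I", raw, 8)[0]   # little-endian type field at offset 8

def out_of_sequence(lines):
    """Return (helper_pid, got, expected) for each token a helper would reject."""
    expected, findings, pid = {}, [], None
    for line in lines:
        m = HELPER_RE.search(line)
        if m:
            pid = int(m.group(1))
            expected.setdefault(pid, 1)          # a fresh helper waits for type 1
            continue
        m = SEND_RE.search(line)
        if m and pid is not None:
            got = ntlm_type(m.group(1))
            if got == expected[pid]:
                expected[pid] = 3 if got == 1 else 1   # type 3 ends the handshake
            else:
                findings.append((pid, got, expected[pid]))
    return findings

def _tok(msg_type):  # constructed stand-in token, not a real NTLM message
    return base64.b64encode(SIG + struct.pack("<I", msg_type) + bytes(8)).decode()

SAMPLE = [  # constructed lines in the format of the log above
    "mod_ntlm_winbind.c(529): Launched ntlm_helper, pid 4001, referer: http://example.test/",
    f"mod_ntlm_winbind.c(750): parsing reply from helper to YR {_tok(1)}\\n, referer: http://example.test/",
    "mod_ntlm_winbind.c(531): Using existing auth helper 4001, referer: http://example.test/",
    f"mod_ntlm_winbind.c(750): parsing reply from helper to KK {_tok(1)}\\n, referer: http://example.test/",
    "mod_ntlm_winbind.c(529): Launched ntlm_helper, pid 4002, referer: http://example.test/",
    f"mod_ntlm_winbind.c(750): parsing reply from helper to YR {_tok(3)}\\n, referer: http://example.test/",
    "mod_ntlm_winbind.c(531): Using existing auth helper 4002, referer: http://example.test/",
    f"mod_ntlm_winbind.c(750): parsing reply from helper to KK {_tok(3)}\\n, referer: http://example.test/",
]
```

`out_of_sequence(SAMPLE)` reports the same three mismatches as the log above: type 1 where 3 was expected on the first helper, then type 3 where 1 was expected, twice, on the second.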
