[Samba] winbindd/mod_auth_ntlm_winbind.so fail to use workstation credentials (NTLM+SPNEGO)

Serguei public at wolke7.net
Wed Apr 18 13:52:15 GMT 2007


Hello,

We protect a Linux/Apache server with mod_auth_ntlm_winbind.so to 
authenticate users with their domain accounts. The server is joined to a 
Windows domain (Windows 2003 Server). Apache/mod_auth_ntlm_winbind.so is 
configured for NTLM+SPNEGO authentication. So far users can log in when 
providing valid credentials.

Users log in to their Windows workstations (Windows XP SP2, IE/Firefox) 
with local accounts (not domain accounts) and access the applications from 
the Internet, because they normally work outside the office. The local 
account name/password matches the domain account name/password. Thus we 
expected to be able to provide single sign-on between workstation and web 
applications. Browsers, when properly configured (IE -> [x] Integrated 
Windows Authentication + site in the Intranet Zone, Firefox -> 
network.automatic-ntlm-auth.trusted-uris, 
network.negotiate-auth.trusted-uris settings), can forward the user's 
local account credentials to the web server. This seamless authentication 
works fine with IIS but fails with winbindd/mod_auth_ntlm_winbind.so 
with error 500 (both IE and Firefox).

Apache log:
[Wed Apr 18 15:20:02 2007] [info] Initial (No.1) HTTPS request received 
for child 3 (server intradev.haching.lan:443)
[Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(482): [client 
192.168.31.39] Launched ntlm_helper, pid 3745
[Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(652): [client 
192.168.31.39] creating auth user
[Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(703): [client 
192.168.31.39] parsing reply from helper to YR 
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==\n
[2007/04/18 15:20:02, 1] utils/ntlm_auth.c:manage_gss_spnego_request(1110)
[Wed Apr 18 15:20:02 2007] [debug] mod_auth_ntlm_winbind.c(741): [client 
192.168.31.39] got response: BH
[Wed Apr 18 15:20:02 2007] [error] [client 192.168.31.39] (2)No such 
file or directory: failed to parse response from helper
[Wed Apr 18 15:20:02 2007] [info] Connection to child 3 closed with 
unclean shutdown(server intradev.haching.lan:443, client 192.168.31.39)

Winbindd log:
[2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
  child daemon request 19
[2007/04/18 15:20:01, 3] 
nsswitch/winbindd_misc.c:winbindd_dual_list_trusted_domains(121)
  [ 3698]: list trusted domains
[2007/04/18 15:20:01, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [    0]: request interface version
[2007/04/18 15:20:01, 3] 
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [    0]: request location of privileged pipe
[2007/04/18 15:20:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1134)
  [    0]: getgroups root
[2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
  child daemon request 21
[2007/04/18 15:20:01, 3] 
nsswitch/winbindd_async.c:winbindd_dual_lookupname(721)
  [ 3698]: lookupname HACHING\root
[2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
  child daemon request 42
[2007/04/18 15:20:01, 4] nsswitch/winbindd_dual.c:fork_domain_child(943)
  child daemon request 54
[2007/04/18 15:20:01, 3] 
nsswitch/winbindd_async.c:winbindd_dual_getsidaliases(950)
  [ 3698]: getsidaliases
...

"getgroups root" is already strange here. And there is no HACHING\root 
user. Where does it come from? Of course winbind cannot look up this 
name. Once again, authentication fails only when the URL is set as a 
browser's trusted site. When I take the site out of the browser's trusted 
site list and log in explicitly with the same account, everything is fine:

Apache:
[Wed Apr 18 15:40:15 2007] [info] Initial (No.1) HTTPS request received 
for child 0 (server intradev.haching.lan:443)
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018): 
[client 192.168.31.39] doing ntlm auth dance
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(482): [client 
192.168.31.39] Launched ntlm_helper, pid 3823
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(652): [client 
192.168.31.39] creating auth user
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client 
192.168.31.39] parsing reply from helper to YR 
TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=\n
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(741): [client 
192.168.31.39] got response: TT 
TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAAAAAHAAcAA+AAAASABBAEMASABJAE4ARwACAA4ASABBAEMASABJAE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAGkAbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgAYQBjAGgAaQBuAGcALgBsAGEAbgAAAAAA
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(411): [client 
192.168.31.39] sending back 
TlRMTVNTUAACAAAADgAOADAAAAAFgokAugsuTuGQirUAAAAAAAAAAHAAcAA+AAAASABBAEMASABJAE4ARwACAA4ASABBAEMASABJAE4ARwABABAASQBOAFQAUgBBAEQARQBWAAQAFgBoAGEAYwBoAGkAbgBnAC4AbABhAG4AAwAoAGkAbgB0AHIAYQBkAGUAdgAuAGgAYQBjAGgAaQBuAGcALgBsAGEAbgAAAAAA
[Wed Apr 18 15:40:15 2007] [info] Subsequent (No.2) HTTPS request 
received for child 0 (server intradev.haching.lan:443)
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(1018): 
[client 192.168.31.39] doing ntlm auth dance
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(484): [client 
192.168.31.39] Using existing auth helper 3823
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(703): [client 
192.168.31.39] parsing reply from helper to KK 
TlRMTVNTUAADAAAAGAAYAFYAAAAYABgAbgAAAAAAAABAAAAADAAMAEAAAAAKAAoATAAAAAAAAAAAAAAABYIIAHMAdAByAGkAZwBvAE0ASQBOAFMASwD+aA0tazQbRgAAAAAAAAAAAAAAAAAAAAD0zO38BWoCtpXTgGPJMKm63kcbe4fTWd4=\n
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(741): [client 
192.168.31.39] got response: AF testuser
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(787): [client 
192.168.31.39] authenticated testuser
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(961): [client 
192.168.31.39] retaining user testuser
[Wed Apr 18 15:40:15 2007] [debug] mod_auth_ntlm_winbind.c(962): [client 
192.168.31.39] keepalives: 1

Winbind:
[2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint8(615)
              0132 id_auth[4] : 00
[2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint8(615)
              0133 id_auth[5] : 05
[2007/04/18 15:40:15, 5] rpc_parse/parse_prs.c:prs_uint32s(991)
              0134 sub_auths : 00000015 e39fded7 4e0574bc 369b5347
[2007/04/18 15:40:15, 5] 
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1800)
  Setting unix username to [testuser]
[2007/04/18 15:40:15, 5] 
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1848)
  NTLM CRAP authentication for user [HACHING]\[testuser] returned 
NT_STATUS_OK (PAM: 0)

Below is some configuration info:

Web Server: Suse 10, Apache 2.0.58, winbindd 3.0.24

smb.conf
[global]
        usershare allow guests = No
        workgroup = HACHING
        realm = HACHING.LAN
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        security = domain
        #password server = sun.haching.lan
        winbind use default domain = yes

mod_auth_ntlm_winbind.so configuration
  AuthName "NTLM Authentication thingy"
  NTLMAuth on
  NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
  NegotiateAuth on
  NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
  NTLMBasicAuthoritative on
  AuthType Negotiate
  AuthType NTLM
  require valid-user

Tests like net rpc testjoin, wbinfo -u, wbinfo -g and 
ntlm_auth --username=testuser are OK.

Any ideas are welcome,

regards,
Serguei
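Added example (not part of Serguei's post and not Samba code): a small Python decoder for the "YR" tokens quoted in the Apache debug output above, so the two browser requests (the SSO attempt that got "BH" and the explicit login that got "TT ...") can be compared field by field instead of by eye. It assumes only the NTLMSSP NEGOTIATE (Type 1) layout from MS-NLMP; the two base64 strings are copied from the log lines above, and the Squid helper protocol's "BH" reply simply means the helper reported an internal error.

```python
"""Decode NTLMSSP NEGOTIATE (Type 1) tokens, i.e. the base64 after "YR " in
mod_auth_ntlm_winbind debug lines, and tell raw NTLMSSP apart from a
GSS-API/SPNEGO wrapper.  Added example, not part of the original post."""
import base64
import struct

# NEGOTIATE flag bits as defined in MS-NLMP 2.2.2.5 (the subset that
# matters when troubleshooting browser SSO).
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def decode_token(b64: str) -> bytes:
    """Base64-decode a token copied out of a log line, tolerating the trailing
    newline and missing '=' padding that such copies often have."""
    b64 = b64.strip()
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def classify_token(token: bytes) -> str:
    """What kind of blob the Authorization header carried: raw NTLMSSP (what a
    Negotiate header falls back to when no Kerberos ticket is available), a
    DER [APPLICATION 0] GSS-API InitialContextToken (SPNEGO NegTokenInit or a
    Kerberos AP-REQ), or a SPNEGO NegTokenResp."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlmssp"
    if token[:1] == b"\x60":
        return "gssapi-initial"
    if token[:1] == b"\xa1":
        return "spnego-resp"
    return "unknown"


def flag_names(flags: int) -> list:
    return [name for bit, name in sorted(NTLM_FLAGS.items()) if flags & bit]


def parse_negotiate(token: bytes) -> dict:
    """Parse a Type 1 message: flags, optional domain/workstation strings and
    the VERSION field, which is present only when NEGOTIATE_VERSION is set."""
    if not token.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not a raw NTLMSSP token")
    msg_type, flags = struct.unpack_from("<II", token, 8)
    if msg_type != 1:
        raise ValueError("expected NEGOTIATE (type 1), got type %d" % msg_type)
    info = {"flags": flags, "flag_names": flag_names(flags), "version": None}
    # Domain and workstation are (len, maxlen, offset) triples at 16 and 24.
    for name, off in (("domain", 16), ("workstation", 24)):
        length, _maxlen, offset = struct.unpack_from("<HHI", token, off)
        info[name] = token[offset:offset + length].decode("latin-1") if length else ""
    if flags & 0x02000000 and len(token) >= 40:
        major, minor, build = struct.unpack_from("<BBH", token, 32)
        info["version"] = (major, minor, build)  # (5, 1, 2600) is Windows XP
    return info


def diff_negotiate(a_b64: str, b_b64: str) -> dict:
    """Flags and version present in one Type 1 token but not the other."""
    a = parse_negotiate(decode_token(a_b64))
    b = parse_negotiate(decode_token(b_b64))
    return {
        "only_in_first": flag_names(a["flags"] & ~b["flags"]),
        "only_in_second": flag_names(b["flags"] & ~a["flags"]),
        "version_first": a["version"],
        "version_second": b["version"],
    }


# The two YR tokens quoted in the Apache debug logs above (copied from the
# post, not constructed): the SSO attempt that got "BH" and the explicit
# login that got "TT ...".
SSO_ATTEMPT = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
EXPLICIT_LOGIN = "TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="

if __name__ == "__main__":
    for label, b64 in (("sso", SSO_ATTEMPT), ("explicit", EXPLICIT_LOGIN)):
        tok = decode_token(b64)
        print(label, classify_token(tok), parse_negotiate(tok))
    print(diff_negotiate(SSO_ATTEMPT, EXPLICIT_LOGIN))
```

Run as-is it shows that both tokens are raw NTLMSSP Type 1 messages with no domain or workstation name, and that the SSO token additionally carries NEGOTIATE_VERSION, NEGOTIATE_128 and NEGOTIATE_56 plus a version field of 5.1 build 2600 (Windows XP), while the explicit-login token is the bare 32-byte form. Feeding the first token of any failing request through `classify_token` is also a quick way to see whether a Negotiate header carried raw NTLMSSP or a SPNEGO-wrapped token before digging into the helper's debug output.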

